06-30-2016 01:00 PM
I have a need to automate issuing test and clear commands to IPsec VPN tunnels and gateways. This seems very straightforward using panxapi or curl. The concern I have is that there does not seem to be any checking that the tunnel exists. When you issue the command to test/clear from the CLI and you specify a bad name, it errors out. When you do the same with panxapi or curl, you get a success no matter what.
My concerns:
Example calls:
panxapi:
C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o "<test><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel GOOD_NAME.
</member>
C:\Users\me>panxapi -h <IP> -K "<key>" -xr -o "<test><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></test>"
op: success
<member>Initiate 0 IPSec SA for tunnel BAD_NAME.
</member>
curl:
curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>GOOD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>'
<response status="success"><result>
<member>Clear IPSec SA for tunnel GOOD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>
curl 'https://<IP>/api/?type=op&cmd=<clear><vpn><ipsec-sa><tunnel>BAD_NAME</tunnel></ipsec-sa></vpn></clear>&key=<KEY>'
<response status="success"><result>
<member>Clear IPSec SA for tunnel BAD_NAME: 0 IKEv1 SA, 0 IKEv2 SA.
</member>
Lastly, where can I find the logs for all this stuff?
Thanks !
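Added example, not from the original post and not Palo Alto Networks code: a small Python wrapper that looks the tunnel name up in the candidate/running config through the XML API (type=config&action=get) before it sends the test/clear op command, so a misspelled name fails loudly instead of coming back as "success" with "Initiate 0 IPSec SA". The xpath under /config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec, the shape of the config-get response, the two sample responses embedded below and the fake_sender/https_sender helpers are assumptions constructed for this example; only https_sender talks to a real firewall, and the rest runs offline.

```python
"""Verify an IPsec tunnel is configured before issuing test/clear via the PAN-OS XML API.

Example code written for this thread; the xpath and response layouts are assumptions,
and SAMPLE_CONFIG / SAMPLE_OP are constructed responses, not captures from a firewall.
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed xpath of the IPsec tunnel entries on a single-vsys firewall with the default device name.
IPSEC_XPATH = "/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec"

# Only allow names that cannot break the XML command we build with string formatting.
TUNNEL_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


class ApiError(Exception):
    """Raised when the firewall reports an error or when our own pre-checks fail."""


def parse_response(xml_text):
    """Parse an API reply and raise ApiError unless <response status="success">."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("status") != "success":
        detail = " ".join(t.strip() for t in root.itertext() if t.strip()) or "no detail"
        raise ApiError(f"API returned status={root.get('status')!r}: {detail}")
    return root


def configured_tunnels(xml_text):
    """Return the set of tunnel names from a config-get reply for IPSEC_XPATH.

    Only the direct <result>/<ipsec>/<entry> children are tunnels; nested entries
    (for example proxy-id entries inside a tunnel) are deliberately ignored.
    """
    root = parse_response(xml_text)
    return {e.get("name") for e in root.findall("./result/ipsec/entry") if e.get("name")}


def build_op_cmd(action, tunnel):
    """Build <test>/<clear><vpn><ipsec-sa><tunnel>NAME</tunnel>...; reject anything odd."""
    if action not in ("test", "clear"):
        raise ValueError(f"unsupported action {action!r}")
    if not TUNNEL_NAME_RE.fullmatch(tunnel):
        raise ValueError(f"refusing tunnel name with unsafe characters: {tunnel!r}")
    return f"<{action}><vpn><ipsec-sa><tunnel>{tunnel}</tunnel></ipsec-sa></vpn></{action}>"


def tunnel_exists(send, tunnel):
    """True if the tunnel is present in the configuration returned by the firewall."""
    return tunnel in configured_tunnels(send({"type": "config", "action": "get", "xpath": IPSEC_XPATH}))


def run_tunnel_op(send, action, tunnel):
    """Check the tunnel is configured, then issue the op command and return its text.

    send(params: dict) -> str is the transport; see https_sender for a real one.
    """
    if not tunnel_exists(send, tunnel):
        raise ApiError(f"tunnel {tunnel!r} is not configured; refusing to {action} it")
    root = parse_response(send({"type": "op", "cmd": build_op_cmd(action, tunnel)}))
    return " ".join(t.strip() for t in root.itertext() if t.strip())


def https_sender(host, api_key):
    """Real transport: GET https://host/api/?...&key=... with certificate verification left on.

    Install the firewall's CA into the trust store rather than disabling verification, and
    remember the key travels in the query string, so keep these URLs out of shared logs.
    """
    def send(params):
        query = urllib.parse.urlencode(dict(params, key=api_key))
        with urllib.request.urlopen(f"https://{host}/api/?{query}", timeout=30) as resp:
            return resp.read().decode("utf-8")
    return send


# Constructed sample replies so the example runs offline (assumed layout, not a real capture).
SAMPLE_CONFIG = (
    '<response status="success" code="19"><result total-count="1" count="1"><ipsec>'
    '<entry name="GOOD_NAME"><auto-key><proxy-id><entry name="p1"/></proxy-id></auto-key>'
    '<tunnel-interface>tunnel.1</tunnel-interface></entry></ipsec></result></response>'
)
SAMPLE_OP = (
    '<response status="success"><result><member>Initiate 0 IPSec SA for tunnel GOOD_NAME.\n'
    '</member></result></response>'
)


def fake_sender(params):
    """Offline stand-in for https_sender that answers from the constructed samples."""
    return SAMPLE_CONFIG if params["type"] == "config" else SAMPLE_OP


if __name__ == "__main__":
    print(run_tunnel_op(fake_sender, "test", "GOOD_NAME"))
    try:
        run_tunnel_op(fake_sender, "test", "BAD_NAME")
    except ApiError as err:
        print("blocked:", err)
```

Swap fake_sender for https_sender("<IP>", "<KEY>") to run it against a firewall. The existence check is the part that matters: on 7.x the op reply for a good tunnel with no active SAs looks exactly like the reply for a bad name ("Initiate 0 IPSec SA ..."), so the count in the message cannot be used to detect a typo.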
06-30-2016 06:58 PM
on 6.1 there is an error but not on 7.0 or 7.1:
6.1.12:
admin@PA-200> test vpn ipsec-sa tunnel foo
Server error : foo is invalid tunnel.Current target-vsys is none
test -> vpn -> ipsec-sa -> tunnel is invalid
7.0.8 and 7.1.3:
admin@PA-200-2> test vpn ipsec-sa tunnel foo
Initiate 0 IPSec SA for tunnel foo.
type=op requests using the API have the same results. It seems like it may be a bug, as I would expect an error and the behavior to be unchanged in 7.x; I suggest logging a case.
07-01-2016 08:02 AM
Thanks for confirming! I'll open a case.
And thanks for panxapi!
07-05-2016 09:50 AM
Bug confirmed for this behavior.
Bug 99349 - VPN test\reset command no longer produces an error when an invalid tunnel is specified
I'll update the thread as I get more information.