Clavister Firewalls: Top 5 useful console commands
This document provides a short description, drawn from experience, of the most widely used Clavister console commands. Note: for more information about any of the commands listed below, type `help [command]` at the console. The commands below apply to Clavister CorePlus v8.9.x.
This command starts the packet capture mechanism on the Clavister. It supports filtering using Wireshark-like expressions (e.g. source and destination IP) as well as filtering by interface and so on. This command is especially useful when troubleshooting connectivity issues, such as suspected ACL or site-to-site VPN problems.
This command only applies in high-availability environments. Simply typing “ha” returns the HA status of the current unit (active/passive) as well as whether the peer unit is reachable. It also displays how long this unit has been active (if at all).
Two other forms of the command:
allow you to hand over “master” (active) control to the peer, or vice versa.
- ipsectunnels and ipsecstats
These two commands allow you to check whether a particular VPN tunnel is up. The former is a generic command, giving a quick overview of the current VPN tunnels. The latter shows slightly more detail and also allows filtering by remote peer IP.
This command kills any IPSec connections to a particular remote peer IP. It comes in handy when a tunnel desynchronisation occurs, that is, when the tunnel does not use keepalives (for example due to incompatibilities between vendors) and one side of the tunnel is up while the other side is down. To start over, the “killsa” command can be used.
This command is immensely useful when troubleshooting IPSec VPN negotiation issues. It is very similar to “debug ike” / “debug ipsec” on Cisco units, but presents the information in a more user-friendly format.
It helps highlight mistakes in the VPN configuration such as proposal mismatches, PSK problems, and so on.