Introduction
This document describes how to find prefixes and routes advertised to Frouter by SLVPN for Secure Connect Private Access tunnels.
Overview
Secure Connect Secure Layer Virtual Private Network (SLVPN) Private Access tunnels advertise the prefixes you enter in the Client Reachable Prefixes section of the dashboard to Frouter. Frouter uses these prefixes to route traffic to private resources within these ranges through the Private Access tunnel. You can verify that the correct prefixes are being sent from SLVPN to Frouter by checking logs in DataDog. Use this procedure to ensure proper prefix advertisement when a tunnel is connected.
Find Prefixes Advertised to Frouter by SLVPN
You can use DataDog to verify that a tunnel is configured as a Private Access tunnel or a Secure Internet Access tunnel by checking the next hop assignment. You can also validate which prefix ranges SLVPN advertises to Frouter using the Frouter API logs. You need the organization ID (OrgID) and the Just-In-Time ID (JITID) for the tunnel you want to check.
Access DataDog and Locate Tunnel Information
1. Log in to DataDog using this command (replace your-org-id with your own organization ID):
sl monitor datadog login --org-id your-org-id
2. Use the OrgID and JITID to search for up_monitor service logs, which provide details about all tunnels for an organization or a specific tunnel.
- To check a specific tunnel, first obtain the JITID of the tunnel.
- Use the DataDog search query format:
(@client_id:<tunnel-id>)
3. Find up_monitor service logs using:
@org_id:<Customer OrgID> AND @jitid:<JITID>
- You can also search using only the OrgID to view all tunnels for an organization.
4. Review the log lines to determine the tunnel type and prefix information.
- Select a specific log line to view detailed information.
Identify Tunnel Type and Prefixes
Secure Internet Access (SIA) tunnels have a classic Cloud Delivered Firewall (CDFW) node as the next hop, indicated by:
next hop selected for cdfw classic tunnel
Private Access (PA) tunnels have Frouter assigned as the next hop, and the up_monitor service logs the creation of the Frouter connector via the Frouter API:
connector creation success in frouter api
- The log line includes parameters passed to the Frouter API and the API response.
- The client_reachable_prefixes section in the API response lists the prefixes shared with Frouter.
- The response section shows the HTTP status code response from the Frouter API. You can check this information against the Client Reachable Prefixes in your dashboard to ensure that SLVPN is passing the correct Client Reachable Prefixes to Frouter for Private Access.
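The comparison described above can be scripted. This is an added example, not part of the original document or of any Cisco tooling: it assumes the details of the log line have been exported as JSON, and the JSON layout, the sample prefixes, and the function names are constructed for illustration (only the client_reachable_prefixes name and the presence of an HTTP status code come from this page).

```python
import ipaddress
import json

# Constructed sample: details of a "connector creation success in frouter api"
# log line exported as JSON. The layout and the status_code key are assumptions.
SAMPLE_LOG = json.dumps({
    "message": "connector creation success in frouter api",
    "response": {
        "status_code": 200,
        "client_reachable_prefixes": ["10.10.0.0/16", "192.168.50.1/24"],
    },
})

# Constructed sample: prefixes as entered under Client Reachable Prefixes.
DASHBOARD_PREFIXES = ["10.10.0.0/16", "192.168.50.0/24", "172.16.8.0/22"]


def normalize(prefixes):
    """Return canonical networks so 192.168.50.1/24 equals 192.168.50.0/24."""
    return {ipaddress.ip_network(p.strip(), strict=False) for p in prefixes}


def compare_prefixes(log_json, dashboard_prefixes):
    """Compare prefixes in the logged API response with the dashboard list."""
    response = json.loads(log_json)["response"]
    advertised = normalize(response["client_reachable_prefixes"])
    expected = normalize(dashboard_prefixes)
    return {
        # A non-2xx status means the advertisement itself may not have applied.
        "api_ok": 200 <= response["status_code"] < 300,
        # In the dashboard but not sent to Frouter: resources are unreachable.
        "missing": sorted(str(n) for n in expected - advertised),
        # Sent to Frouter but not in the dashboard: more is routed than intended.
        "unexpected": sorted(str(n) for n in advertised - expected),
    }


if __name__ == "__main__":
    print(compare_prefixes(SAMPLE_LOG, DASHBOARD_PREFIXES))
```

An empty missing list and an empty unexpected list, together with api_ok set to True, indicate that the advertised prefixes match the dashboard.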