
Fortigate VPN troubleshooting


IPSEC VPN Debug

Command / Description

diagnose vpn ike log-filter <parameter>
    Filter VPN debug messages using various parameters:
      list                   Display the current filter.
      clear                  Delete the current filter.
      name                   Phase 1 name to filter by.
      src-addr4 / src-addr6  IPv4/IPv6 source address range to filter by.
      dst-addr4 / dst-addr6  IPv4/IPv6 destination address range to filter by.
      src-port               Source port range.
      dst-port               Destination port range.
      vd                     Index of the virtual domain; -1 matches all.
      interface              Interface that the IKE connection is negotiated over.
      negate                 Negate the specified filter parameter.

diagnose debug application ike -1
    Enable IPsec VPN debug. Shows Phase 1 and Phase 2 negotiations for IKEv1 and everything for IKEv2. "-1" sets the verbosity level to maximum; any other number shows less output.

diagnose vpn ike gateway flush name <vpn_name>
    Flush (delete) all SAs of the given VPN peer only. Identify the peer by its Phase 1 name.

diagnose vpn tunnel list [name <Phase1 name>]
    Show operational parameters for all tunnels or just a specific one: type (dynamic dial-up or static), packets/bytes passed, NAT traversal state, Quick Mode selectors/Proxy IDs, MTU, algorithms used, whether NPU-offloaded or not, lifetime, DPD state.

diagnose vpn ike gateway list
    Show details of each tunnel, including the user for XAuth dial-up connections.

get vpn ipsec tunnel details
    Detailed info about the tunnels: Rx/Tx packets/bytes, IP addresses of the peers, algorithms used, detailed selector info, lifetime, whether NAT traversal is enabled or not.

get vpn ipsec stats tunnel
    Short general statistics about tunnels: number, kind, number of selectors, state.

get vpn ipsec tunnel summary
    Short statistics per tunnel: number of selectors up/down, number of packets Rx/Tx.

get vpn ipsec stats crypto
    Crypto stats per component (ASIC/software) of the FortiGate: encryption algorithm, hashing algorithm. Useful to see whether the unwanted situation of software encryption/decryption occurs.
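As an added example (not from the original page), a small Python parser over a constructed sample in the shape of `diagnose vpn tunnel list` output; the sample text and the field layout it assumes are my own construction. It flags the conditions the table above says the command exposes: a selector with sa=0 (Phase 2 down), a tunnel that transmits but receives nothing, and a tunnel that is not NPU-offloaded.

```python
import re
# Constructed sample in the general shape of `diagnose vpn tunnel list` output (format is an assumption).
SAMPLE = """\
name=ToHQ ver=1 serial=1 203.0.113.10:0->198.51.100.20:0 tun_id=198.51.100.20 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/552 options[0228]=npu frag-rfc
stat: rxp=1204 txp=987 rxb=150233 txb=101220
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToHQ proto=0 sa=1 ref=2 serial=1
------------------------------------------------------
name=ToBranch ver=2 serial=2 203.0.113.10:4500->192.0.2.7:4500 tun_id=192.0.2.7 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/552 options[0228]=frag-rfc
stat: rxp=0 txp=42 rxb=0 txb=3528
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=ToBranch proto=0 sa=0 ref=1 serial=1
proxyid=ToBranch-2 proto=0 sa=1 ref=2 serial=2
"""
KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens on a line
def kv(line):
    return dict(KV.findall(line))

def parse_tunnel_list(text):
    """One dict per tunnel: peer, IKE version, counters, NAT-T mode, NPU offload, selectors."""
    tunnels = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("name="):
            continue
        head = kv(lines[0])
        remote = next(tok for tok in lines[0].split() if "->" in tok).split("->")[1]
        stat, natt = (kv(next(l for l in lines if l.startswith(p))) for p in ("stat:", "natt:"))
        opts = re.search(r"options\[[0-9a-f]+\]=([^\n]*)", block)
        tunnels.append({
            "name": head["name"], "ikev": int(head["ver"]), "peer": remote.rsplit(":", 1)[0],
            "rxp": int(stat["rxp"]), "txp": int(stat["txp"]), "natt": natt["mode"],
            "npu": bool(opts) and "npu" in opts.group(1).split(),
            # sa=0 on a proxyid line means no Phase 2 SA is installed for that selector
            "selectors": [(d["proxyid"], d["sa"] != "0") for d in map(kv, lines) if "proxyid" in d],
        })
    return tunnels

def findings(tunnels):
    """Flag the conditions a troubleshooter would act on before turning on IKE debug."""
    out = []
    for t in tunnels:
        out += [f"{t['name']}: selector {p} has no SA (Phase 2 down)" for p, up in t["selectors"] if not up]
        if t["txp"] and not t["rxp"]:
            out.append(f"{t['name']}: transmitting but nothing received from {t['peer']}")
        if not t["npu"]:
            out.append(f"{t['name']}: not NPU offloaded, encryption is done in software")
    return out
```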

SSL VPN debug

SSL VPN client to site/Remote Access debug

Command / Description

get vpn ssl monitor
    List logged-in SSL VPN users with allocated IP address, username, connection duration.

diagnose vpn ssl debug-filter <criteria>
    Limit debug output according to the criteria below:
      src-addr4 | src-addr6 <source-ip-of-client>  Source IP of the connecting client.
      vd <VDOM name>         Limit debug to a specific VDOM; specify the VDOM by its string name, not its numerical index.
      negate                 Negate the filter.
      clear                  Clear the filter.
      list                   List the active filter.

diagnose debug app sslvpn -1
    Debug the SSL VPN connection. Shows only SSL protocol negotiation and setup, that is, ciphers used, algorithms and such; does NOT show user names, groups, or any client-related info.
