IPSEC VPN Debug
| Command | Description |
|---|---|
| `diagnose vpn ike log-filter <parameter>` | Filter IKE debug messages. Parameters: `list` shows the current filter; `clear` deletes the current filter; `name` filters by Phase 1 name; `src-addr4` / `src-addr6` filter by IPv4/IPv6 source address range; `dst-addr4` / `dst-addr6` filter by IPv4/IPv6 destination address range; `src-port` filters by source port range; `dst-port` filters by destination port range; `vd` filters by virtual domain index (-1 matches all); `interface` filters by the interface the IKE connection is negotiated over; `negate` inverts the specified filter parameter. |
| `diagnose debug application ike -1` | Enable IPsec VPN (IKE) debug. Shows Phase 1 and Phase 2 negotiations for IKEv1 and the whole exchange for IKEv2. `-1` sets the verbosity level to maximum; any other number shows less output. |
| `diagnose vpn ike gateway flush name <vpn_name>` | Flush (delete) all SAs of the given VPN peer only. Identify the peer by its Phase 1 name. |
| `diagnose vpn tunnel list [name <Phase1 name>]` | Show operational parameters for all tunnels or for one specific tunnel: type (dynamic dial-up or static), packets/bytes passed, NAT traversal state, Quick Mode selectors/Proxy IDs, MTU, algorithms in use, whether the tunnel is NPU-offloaded, lifetime, DPD state. |
| `diagnose vpn ike gateway list` | Show details for each IKE gateway (tunnel), including the user name for XAuth dial-up connections. |
| `get vpn ipsec tunnel details` | Detailed information about the tunnels: Rx/Tx packets/bytes, peer IP addresses, algorithms in use, detailed selector information, lifetime, whether NAT traversal is enabled. |
| `get vpn ipsec stats tunnel` | Short general statistics about tunnels: number, kind, number of selectors, state. |
| `get vpn ipsec tunnel summary` | Short statistics per tunnel: number of selectors up/down, number of packets Rx/Tx. |
| `get vpn ipsec stats crypto` | Crypto statistics per component (ASIC/software) of the FortiGate: encryption algorithm, hashing algorithm. Useful for spotting the unwanted case where encryption/decryption is being done in software rather than on the ASIC. |
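The commands above are usually combined into one debug session: set the filter first, then raise the IKE verbosity, then enable debug output, and clean up afterwards so the console is not flooded. The following FortiOS CLI session is an added example and is not from the original page; the Phase 1 name `HQ-to-Branch` is a placeholder, and the `#` lines are annotations rather than commands to type.

```fortios
# Start from a clean state (debug levels and IKE filter)
diagnose debug reset
diagnose vpn ike log-filter clear

# Restrict IKE debug output to a single Phase 1 and confirm the filter
diagnose vpn ike log-filter name HQ-to-Branch
diagnose vpn ike log-filter list

# Timestamp each line (useful when correlating with the peer's logs),
# set maximum IKE verbosity, and only then switch debug output on
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

# Reproduce the problem, e.g. force a fresh negotiation for this peer only
diagnose vpn ike gateway flush name HQ-to-Branch

# ... observe the Phase 1 / Phase 2 (IKEv1) or IKEv2 exchange, then stop
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear

# Verify the outcome without debug noise
diagnose vpn tunnel list name HQ-to-Branch
get vpn ipsec tunnel details
```

Leaving `diagnose debug application ike -1` active after the session keeps the CPU busy and the console noisy, so the `disable`/`reset` steps matter as much as the ones that turn debugging on.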
SSL VPN debug
SSL VPN client to site/Remote Access debug
| Command | Description |
|---|---|
| `get vpn ssl monitor` | List logged-in SSL VPN users with their allocated IP address, user name and connection duration. |
| `diagnose vpn ssl debug-filter <criteria>` | Limit debug output according to the given criteria: `src-addr4` / `src-addr6 <source-ip-of-client>` filters by the source IP of the connecting client; `vd <VDOM name>` limits debug output to a specific VDOM, specified by its string name rather than its numerical index; `negate` inverts the filter; `clear` clears the filter; `list` lists the active filter. |
| `diagnose debug app sslvpn -1` | Debug the SSL VPN connection. Shows only the SSL protocol negotiation and setup, i.e. the ciphers and algorithms in use; it does NOT show user names, groups or any other client-related information. |