

FORTINET VPN TUNNEL CLIENT SERIES

The logging on a FortiGate firewall is very scarce, making it difficult to troubleshoot issues. This can especially be a problem when setting up a site-to-site IPSEC VPN tunnel.

Although the web interface doesn't provide much information for troubleshooting and debugging, the console does when debugging is enabled.

On most (if not all) FortiGate appliances, you can access the console through the web interface. It usually can be found on the Dashboard (> Status). As it says, click on the console to activate it.

IPSEC VPN debugging

Enabling debugging for all IPSEC VPNs means we enable debug mode on "IKE". This is done by the following series of commands.

If any debugging is already in progress, it needs to be stopped first:

diagnose debug disable

If you previously did VPN debugging, you also have to clear any filters applied to the logging output:

diagnose vpn ike log-filter clear

To filter on a specific tunnel, we can set the logging output filter to only show us debug logging for a specific host. Usually, you will want to set it to filter on the remote WAN IP. So, if the other side has a WAN address of 1.2.3.4, you will set the filter like so:

diagnose vpn ike log-filter dst-addr4 1.2.3.4

Finally, enable debug mode on the IKE (handshaking) process, and re-enable global debugging to output the debug logging to the console:

diagnose debug app ike 255

If the connection is not already started, go in the web interface and "Bring up" the VPN. You can find this at VPN > Monitor, and then click Bring Up on the corresponding VPN tunnel.

During debug logging, a lot of output will continue to appear in the console, making it difficult to troubleshoot. You can suspend debug logging by disabling debug mode:

diagnose debug disable

You can then use the scrollback functionality of the console to view past debug messages, and try to troubleshoot the VPN tunnel.
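The command sequence above is easy to get wrong in practice: a stale filter from an earlier session hides the peer you care about, and the dst-addr4 filter only accepts an IPv4 address. The following helper, an added example that is not part of the original post, assembles the sequence in the documented order for a given remote WAN IP and rejects non-IPv4 input before it reaches the console. The function names are mine; the final line, diagnose debug enable, is the standard FortiOS command for the "re-enable global debugging" step the post describes but does not list, so treat it as an assumption rather than something quoted from the page.

```python
"""Assemble the FortiGate IKE debug CLI sequence for one remote peer."""
import ipaddress


def build_ike_debug_commands(remote_wan_ip: str) -> list[str]:
    """Return the CLI lines, in order, to debug IKE for a single peer.

    Raises ValueError if remote_wan_ip is not a valid IPv4 address,
    because 'diagnose vpn ike log-filter dst-addr4' is IPv4-only.
    """
    addr = ipaddress.ip_address(remote_wan_ip.strip())
    if addr.version != 4:
        raise ValueError(f"dst-addr4 needs an IPv4 address, got {remote_wan_ip!r}")

    return [
        # 1. stop any debugging that is already running
        "diagnose debug disable",
        # 2. drop filters left over from a previous VPN debugging session
        "diagnose vpn ike log-filter clear",
        # 3. only show IKE debug output for this peer's WAN address
        f"diagnose vpn ike log-filter dst-addr4 {addr}",
        # 4. verbose debug on the IKE (handshake) daemon
        "diagnose debug app ike 255",
        # 5. re-enable global debug output to the console
        #    (assumption: standard FortiOS command, not listed on the page)
        "diagnose debug enable",
    ]


def build_ike_debug_teardown() -> list[str]:
    """CLI lines to stop the output flood and leave no filter behind."""
    return [
        "diagnose debug disable",
        "diagnose vpn ike log-filter clear",
    ]


def render_script(commands: list[str]) -> str:
    """Join the lines so they can be pasted into the web console as one block."""
    return "\n".join(commands) + "\n"


if __name__ == "__main__":
    # Constructed sample peer address, the same one the post uses.
    print(render_script(build_ike_debug_commands("1.2.3.4")))
    print("# after capturing the handshake, bring the tunnel up in VPN > Monitor, then:")
    print(render_script(build_ike_debug_teardown()))
```

Paste the rendered block into the console before clicking Bring Up on the tunnel, and paste the teardown block as soon as the handshake has failed or succeeded so the scrollback stays readable.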
