FortiGate
Article Id 191070
Description
When troubleshooting an IPsec VPN connection problem, there is common information that the Technical Assistance Center (TAC) will also need.

Solution

To gather information for troubleshooting IKE issues, use the following CLI command.

diag debug application ike <level> [ <ip-address> ]


  • <ip-address> is the IP address of the peer gateway for which debug information should be displayed.
  • Once an <ip-address> is specified, only output from the peer with that IP address will be shown.
  • Running diag debug application ike with no arguments displays the current debug level and the IP address filter, if one was specified (no filter is applied if none was specified).
  • To remove the IP filter, re-specify the debug level without a filter.
  • The <level> can be any value from 0-15 and is a bitmask:
      1 will enable all output
      2 will produce debug output about the connection but will not display DPD information
      4 for just DPD output, or
      7 for DPD plus the normal debug output


Example output:

diag debug appli ike -1 (message in MR6 with the group2 vpl file)

remoteGroup1: Responder: sent 192.168.11.106 main mode message #2 (OK)
0: comes 192.168.11.106:60890->192.168.11.105:4500,ifindex=3....
0: exchange=Identity Protection id=8aa1bd9e4f1990dd/68d6b6f72064e896 len=92
0:remoteGroup1:5: responder: main mode get 3rd message...
0:remoteGroup1:5: unable to parse msg
remoteGroup1: Responder: parsed 192.168.11.106 main mode message #3 (ERROR)
0:remoteGroup1:5: sent IKE msg (P1_RETRANSMIT): 192.168.11.105:500->192.168.11.106:60890, len=284
0:remoteGroup1:5: sent IKE msg (P1_RETRANSMIT): 192.168.11.105:500->192.168.11.106:60890, len=284
0: comes 192.168.11.106:60890->192.168.11.105:4500,ifindex=3....
0: exchange=Identity Protection id=8aa1bd9e4f1990dd/68d6b6f72064e896 len=92
0: found remoteGroup1 192.168.11.105 3 -> 192.168.11.106:60890
0:remoteGroup1:5: responder: main mode get 3rd message...
0:remoteGroup1:5: unable to parse msg
remoteGroup1: Responder: parsed 192.168.11.106 main mode message #3 (ERROR)
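As an added example (not part of the original article or FortiOS itself), a small Python parser that runs over output in the shape shown above and summarizes what a TAC case note usually needs: which IKE messages failed, how many retransmits were sent to which peer, how many messages could not be parsed, and whether the peer is sending over NAT-T (UDP/4500). The sample lines are constructed from the output above; the function names and summary layout are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the 'diag debug application ike' output above.
SAMPLE = """\
remoteGroup1: Responder: sent 192.168.11.106 main mode message #2 (OK)
0: comes 192.168.11.106:60890->192.168.11.105:4500,ifindex=3....
0: exchange=Identity Protection id=8aa1bd9e4f1990dd/68d6b6f72064e896 len=92
0:remoteGroup1:5: responder: main mode get 3rd message...
0:remoteGroup1:5: unable to parse msg
remoteGroup1: Responder: parsed 192.168.11.106 main mode message #3 (ERROR)
0:remoteGroup1:5: sent IKE msg (P1_RETRANSMIT): 192.168.11.105:500->192.168.11.106:60890, len=284
0:remoteGroup1:5: sent IKE msg (P1_RETRANSMIT): 192.168.11.105:500->192.168.11.106:60890, len=284
"""

# The three line shapes the summary keys on (gateway summary line, retransmit, inbound packet).
MSG_RE = re.compile(r"^(?P<gw>\S+): (?P<role>Responder|Initiator): (?P<verb>sent|parsed) "
                    r"(?P<peer>[\d.]+) (?P<mode>\w+ mode) message #(?P<num>\d+) \((?P<status>\w+)\)$")
RETRANS_RE = re.compile(r"sent IKE msg \((?P<kind>P[12]_RETRANSMIT)\): [\d.]+:\d+->(?P<dst>[\d.]+):\d+")
COMES_RE = re.compile(r"comes (?P<src>[\d.]+):\d+->[\d.]+:(?P<dport>\d+)")

def summarize_ike_debug(text):
    """Summarize an IKE debug capture: message status, retransmits, parse failures, NAT-T peers."""
    s = {"messages": Counter(), "retransmits": Counter(), "parse_failures": 0, "nat_t_peers": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := MSG_RE.match(line):
            s["messages"][(m["peer"], m["mode"], int(m["num"]), m["status"])] += 1
        elif m := RETRANS_RE.search(line):
            s["retransmits"][(m["kind"], m["dst"])] += 1
        elif "unable to parse msg" in line:
            s["parse_failures"] += 1
        elif (m := COMES_RE.search(line)) and m["dport"] == "4500":
            s["nat_t_peers"].add(m["src"])  # destination UDP/4500 means NAT-T encapsulated IKE from that peer
    return s

def findings(s):
    """Short factual lines for a troubleshooting note, derived only from what the capture shows."""
    out = []
    for (peer, mode, num, status), n in sorted(s["messages"].items()):
        if status != "OK":
            out.append(f"{peer}: {mode} message #{num} {status} x{n}")
    for (kind, dst), n in sorted(s["retransmits"].items()):
        out.append(f"{dst}: {kind} x{n}")
    if s["parse_failures"]:
        out.append(f"{s['parse_failures']} message(s) could not be parsed")
    for peer in sorted(s["nat_t_peers"]):
        out.append(f"{peer}: sending over NAT-T (UDP/4500)")
    return out

if __name__ == "__main__":
    for line in findings(summarize_ike_debug(SAMPLE)):
        print(line)
```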