Troubleshooting Tip: New CLI filtering commands to debug SSL VPN available in v5.4
Description
This article describes the new commands introduced in FortiOS v5.4 to filter SSL VPN debug output.
Scope
FortiGate.
Solution
diagnose vpn ssl debug-filter ?
clear        Erase the current filter.
list         Display the current filter.
src-addr4    IPv4 source address range.
src-addr6    IPv6 source address range.
vd           Name of virtual domain.
negate       Negate the specified filter parameter.
Set the filter to the client's IP (<X.X.X.X> below), then enable SSL VPN debugs using the commands:
diag vpn ssl debug-filter src-addr4 <X.X.X.X>
diag debug application sslvpn -1
diag debug enable
To disable debugs:
diag debug disable
diag debug reset
Note:
<X.X.X.X> should be the public IP of the connecting user. The filter ensures that only debug information relevant to traffic from the specified IP address is captured, which helps focus troubleshooting on a specific client.
