Created on 12-05-2024 10:09 AM
Edited on 01-28-2025 09:41 PM
By Anthony_E
Description | This article describes how to gather VPN logs for an optimal troubleshooting experience during a technical support engagement. |
Scope | FortiClient\EMS, FortiGate, SSL VPN, IPsec. |
Solution |
When engaging with technical support, it is critical to provide the correct logs and configuration files, as this significantly speeds up troubleshooting and minimizes redundant interactions.
Follow the steps below to collect VPN logs from FortiClient and FortiGate when addressing VPN connection issues.
FortiClient:
Step 1: Enable debug log level: Turn on the debug log level for FortiClient via a System Settings endpoint profile.
On EMS, navigate to the System Settings profile assigned to the endpoint in question: Endpoint Profiles -> System Settings -> Select the profile -> Advanced -> Log Level -> Debug.
Confirm FortiClient received the profile update and switched the log level to debug from the Settings tab.
Step 2: Collect FortiClient Backup. Configuration files are crucial as technical support engineers may provide feedback on what might be adjusted in order to address the issue or improve user experience.
Collect the FortiClient configuration file from the Settings tab. If Backup is greyed out, make sure Do Not Allow User to Back up Configuration is disabled under the System Settings endpoint profile on EMS.
FortiGate:
Step 3: Retrieve Configuration File. Collect the FortiGate backup file for configuration review.
Step 4: Gather CLI Diagnostics. Run the following commands on the firewall before making a connection.
When SSL VPN is used:
diagnose debug reset
When IPsec is used:
diagnose debug reset
Note: Starting from v7.4.1, the 'diagnose vpn ike log-filter src-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'. For more details, refer to the article IPsec Tunnel (debugging IKE).
In case of SAML or RADIUS/LDAP authentication, add one of the following commands to either of the above:
diagnose debug app fnbamd -1 <- RADIUS/LDAP authentication.
Step 5: Reproduce the issue: Reproduce the issue by attempting to connect to the VPN tunnel. Take note of the endpoint's local time when reproducing the issue.
Step 6: Gather the logs: Once the issue has been reproduced and captured, collect the CLI output on FortiGate.
Collect FortiClient diagnostics. For Windows: FortiClient console -> About -> Diagnostics Tool. For macOS and Linux: FortiClient console -> Settings -> Export Logs.
The VPN logs can also be found on the PC, on the following paths:
Attach collected files to the support ticket for review. |
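The Step 4 note on the v7.4.1 syntax change is easy to get wrong when a fleet runs mixed FortiOS releases, so the following added example (not part of the original article and not Fortinet code) picks the IKE filter command for a given firmware version. The helper names, the sample 'Version:' line and the peer address 203.0.113.10 are constructed for illustration; only the two command strings come from the note.

```python
import ipaddress
import re

# Release in which, per the Step 4 note, the IKE filter syntax changed.
SYNTAX_CHANGE = (7, 4, 1)

# Matches 'v7.4.1' or '7.4.1' anywhere in a line of text.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_fortios_version(text):
    """Return (major, minor, patch) from 'v7.4.1', '7.2.8' or a
    'Version:' line copied from the firewall's status output."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def ike_filter_command(version_text, peer_ip):
    """Build the IKE debug filter line that matches the firmware syntax."""
    version = parse_fortios_version(version_text)
    addr = ipaddress.ip_address(peer_ip)  # raises ValueError on malformed input
    if addr.version != 4:
        raise ValueError("the addr4 filters take an IPv4 address")
    # Compare as integer tuples: as strings, '7.10.0' would sort below '7.4.1'.
    if version >= SYNTAX_CHANGE:
        return f"diagnose vpn ike log filter rem-addr4 {addr}"
    return f"diagnose vpn ike log-filter src-addr4 {addr}"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real device.
    samples = [
        "7.2.8",
        "Version: FortiGate-60F v7.4.0,build0000,000000 (GA)",
        "v7.4.1",
        "v7.10.0",
    ]
    for sample in samples:
        print(f"{sample!r:55} -> {ike_filter_command(sample, '203.0.113.10')}")
```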