FortiGate
akileshc
Staff
Article Id 342770
Description This article describes how to enable and capture debug information for troubleshooting IKE negotiation failures on a FortiGate device. IKE debugging can be useful in identifying configuration errors, negotiation failures, and issues related to NAT-T, DPD, and key exchanges during IPsec VPN setup.
Scope FortiGate.
Solution

Debug Levels and Information:


FortiGate offers various debug levels using a bitmask to isolate specific types of information. The following are the available debug information levels:


diag debug application ike <debug-level>


[Image ike_debug_level.png: table of the bitmask values accepted as <debug-level> and the type of IKE information each one enables]


IKE debug with appropriate filters:


diag debug reset
diag debug console timestamp enable
diag vpn ike log filter clear
diag vpn ike log filter dst-addr4 <ip.of.remote.peer>       <- Remote peer IP filter.
diag debug application ike -1                               <- Enable all levels of IKEd debug.
diag debug application fnbamd -1                            <- Only for cert. auth and Xauth/EAP.
diag debug console no-user-log-msg enable                   <- Disable writing on the console.
diag debug duration <minutes>                               <- Stop the debug automatically after this many minutes.
diag debug enable


Starting from FortiOS 7.4.1, the command that filters the IKE log to a specific remote peer IP has changed to:

diag vpn ike log filter rem-addr4 <ip.of.remote.peer>

These steps will enable IKE debugging on the FortiGate device to capture detailed information related to IKE negotiation failures, certificate authentication, NAT-T issues, and other related factors. The debug output can then be analyzed to identify and resolve VPN negotiation problems.
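The following Python script is an added example, not part of this article and not a Fortinet tool. It assembles the debug command sequence above for a given peer, picking `dst-addr4` or `rem-addr4` from the FortiOS version (the 7.4.1 boundary noted above), rejecting anything that is not an IPv4 address (the filter is the `-addr4` form) and forcing a positive debug duration so the debug is not left running. It assumes the version is read from the `Version:` line that `get system status` prints; the sample line, model and build number below are constructed.

```python
import ipaddress
import re

# Constructed sample input: the "Version:" line as printed by 'get system status'
# on a FortiGate. The model and build number are made up for this example.
SAMPLE_STATUS_LINE = "Version: FortiGate-100F v7.4.1,build2463,230817 (GA)"

# FortiOS 7.4.1 renamed the remote-peer filter keyword (see the article above).
FILTER_RENAME_VERSION = (7, 4, 1)


def parse_fortios_version(status_line):
    """Return (major, minor, patch) from a 'get system status' Version line."""
    match = re.search(r"\bv(\d+)\.(\d+)\.(\d+)", status_line)
    if match is None:
        raise ValueError(f"no FortiOS version found in {status_line!r}")
    return tuple(int(part) for part in match.groups())


def peer_filter_keyword(version):
    """Pick the IKE log filter keyword for the remote peer address."""
    return "rem-addr4" if tuple(version) >= FILTER_RENAME_VERSION else "dst-addr4"


def build_ike_debug_commands(peer_ip, version, duration_minutes=10, cert_or_xauth=False):
    """Assemble the IKE debug command sequence from the article for one peer.

    peer_ip must be an IPv4 address because the filter is the *-addr4 form.
    duration_minutes bounds how long debugging stays enabled on the unit.
    """
    peer = ipaddress.IPv4Address(peer_ip)  # raises AddressValueError (a ValueError) on bad input
    if not isinstance(duration_minutes, int) or duration_minutes <= 0:
        raise ValueError("duration_minutes must be a positive integer")

    commands = [
        "diag debug reset",
        "diag debug console timestamp enable",
        "diag vpn ike log filter clear",
        f"diag vpn ike log filter {peer_filter_keyword(version)} {peer}",
        "diag debug application ike -1",
    ]
    if cert_or_xauth:
        # fnbamd output is only relevant for certificate authentication and XAuth/EAP
        commands.append("diag debug application fnbamd -1")
    commands += [
        "diag debug console no-user-log-msg enable",
        f"diag debug duration {duration_minutes}",
        "diag debug enable",
    ]
    return commands


if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address used as a placeholder peer.
    version = parse_fortios_version(SAMPLE_STATUS_LINE)
    print("\n".join(build_ike_debug_commands("203.0.113.10", version, 15, cert_or_xauth=True)))
```

Paste the printed lines into the FortiGate CLI as-is; because the version comparison is done on the parsed tuple, a 7.2.x or 7.0.x unit gets the older `dst-addr4` keyword while 7.4.1 and later get `rem-addr4`.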