FortiGate
akileshc
Staff
Article Id 342770
Description This article describes how to enable and capture debug information for troubleshooting IKE negotiation failures on a FortiGate device. IKE debugging can be useful in identifying configuration errors, negotiation failures, and issues related to NAT-T, DPD, and key exchanges during IPsec VPN setup.
Scope FortiGate.
Solution

Debug Levels and Information:

FortiGate sets the IKE debug level as a bitmask, so individual categories of IKE debug output can be enabled on their own or combined; -1 enables every category. The available levels are listed in the image below:

diagnose debug application ike <debug-level>

[Image: ike_debug_level.png, table of IKE debug levels]

IKE debug with appropriate filters:

diagnose debug disable
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log filter clear
diagnose vpn ike log filter dst-addr4 <ip.of.remote.peer>       <- Filter on the remote peer IP (see the note below for v7.4.1 and later).
diagnose debug application ike -1                               <- Enable all levels of IKE daemon debug.
diagnose debug application fnbamd -1                            <- Only needed for certificate authentication and XAuth/EAP, which fnbamd handles.
diagnose debug console no-user-log-msg enable                   <- Suppress user log messages on the console so that only debug output is shown.
diagnose debug duration <minutes>                               <- Stop the debug automatically after this many minutes.
diagnose debug enable

Always set the peer filter before enabling the debug: with level -1 and no filter, the IKE daemon logs every negotiation on the device, which on a busy gateway buries the tunnel of interest and adds load. Debug output is written to the current console or SSH session, so enable logging in the terminal client (or redirect the session output) to keep a copy for analysis.

To stop debugging:

diagnose debug disable
diagnose debug reset

'diagnose debug reset' clears all debug levels and console debug options; the IKE peer filter is cleared separately with 'diagnose vpn ike log filter clear', which is why the capture sequence above includes both.

Starting from v7.4.1, the command to filter logs by remote peer IP has been changed to:

diagnose vpn ike log filter rem-addr4 <ip.of.remote.peer>

These steps enable IKE debugging on the FortiGate to capture detailed information on IKE negotiation failures, certificate authentication, NAT-T issues and related factors. The debug output can then be analysed to identify and resolve VPN negotiation problems.
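As an added example that is not part of the original article, the POSIX shell script below generates the command sequence above for one remote peer, choosing the peer filter keyword by FortiOS version (dst-addr4 before 7.4.1, rem-addr4 from 7.4.1 on) and adding the fnbamd debug only when certificate or XAuth/EAP authentication is in use. The function names, the version and authentication-mode arguments, the SSH host fgt.example.net and the 203.0.113.5 peer address are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: generates the FortiGate IKE
# debug command sequence from the article for one remote peer, picking the peer
# filter keyword by FortiOS version (dst-addr4 before 7.4.1, rem-addr4 from 7.4.1).
# Function names, the version and auth-mode arguments, the SSH host and the
# 203.0.113.5 peer address are assumptions/constructed for the example.
set -eu

# Sanity-check a dotted-quad IPv4 address before it is placed in a CLI command.
valid_ipv4() {
  case $1 in *[!0-9.]*|'') return 1 ;; esac
  oldIFS=$IFS; IFS=.; set -- $1; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for octet; do
    [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
  done
}

# Succeeds when FortiOS version "$1" (e.g. 7.4.3 or v7.4.3) is 7.4.1 or later,
# the release that renamed the peer filter keyword. Assumes minor/patch < 100.
fortios_ge_741() {
  v=$(printf '%s\n' "$1" | awk -F. '{ sub(/^v/, "", $1); printf "%d", $1 * 10000 + $2 * 100 + $3 }')
  [ "$v" -ge 70401 ]
}

# ike_debug_cmds <peer-ipv4> <fortios-version> [minutes] [psk|cert]
# Prints the start sequence; fnbamd debug is added only for cert/XAuth/EAP auth.
ike_debug_cmds() {
  peer=$1; ver=$2; mins=${3:-30}; auth=${4:-psk}
  valid_ipv4 "$peer" || { echo "ike_debug_cmds: invalid IPv4 address: $peer" >&2; return 1; }
  case $mins in *[!0-9]*|'') echo "ike_debug_cmds: invalid minutes: $mins" >&2; return 1 ;; esac
  if fortios_ge_741 "$ver"; then key=rem-addr4; else key=dst-addr4; fi
  printf '%s\n' \
    'diagnose debug disable' \
    'diagnose debug reset' \
    'diagnose debug console timestamp enable' \
    'diagnose vpn ike log filter clear' \
    "diagnose vpn ike log filter $key $peer" \
    'diagnose debug application ike -1'
  [ "$auth" = psk ] || printf '%s\n' 'diagnose debug application fnbamd -1'
  printf '%s\n' \
    'diagnose debug console no-user-log-msg enable' \
    "diagnose debug duration $mins" \
    'diagnose debug enable'
}

# Prints the stop sequence.
ike_debug_stop_cmds() {
  printf '%s\n' 'diagnose debug disable' 'diagnose debug reset'
}

# Demo with a constructed peer address. To drive a real unit, pipe the output
# into an SSH session and keep a copy of everything the FortiGate prints, e.g.
#   ike_debug_cmds 203.0.113.5 7.4.3 10 cert | ssh admin@fgt.example.net | tee ike-debug.log
# (assumes the FortiGate accepts CLI commands on the SSH session's stdin).
ike_debug_cmds 203.0.113.5 7.4.3 10 cert
```

The address check matters because the peer value is interpolated into a command line that is sent to a privileged CLI; rejecting anything that is not a dotted quad keeps a typo or a pasted shell fragment from reaching the device.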