Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Diagnose VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Diagnose VPN
Hello,
I have a device running 5.2.7 with over 1,000 dialup VPNs at every moment.
I need to debug a VPN that is not being properly stabilished.
Anyhow if I do:
diagnose debug enable
diagnose debug application ike -1
I see lots of information.
Especially all the (R-U-THERE) messages (lots and lots).
If I use diagnose vpn ike log-filter src-addr4 x.x.x.x I can't get all the relevant info.
Any idea on how can I make a more effective debug through cli?
Thanks!
Labels:
- Labels:
-
5.2
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why not execute packet capture with the fiter set for udp 500 or 4500 and the src ( client 4.x.x.x ) than you can analyze the traffic
or
get the client to capture from his end ( this would be easier ) ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem with packet capture is that it requieres additional tools (wireshark, etc.) and it not as easy to see the error as with the diagnose debug.
Capture from the client side not always give the full information.
For example, on a dial up VPN. If the user/password is not in the central FW, that can only be detected from the central FW.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
it depends what you would like to troubleshoot. If you like to troubleshoot the Phase1/2 of a VPN your command is the way to go which means:
diag debug reset
diag debug disable
diag debug application ike -1
The -1 means all message of debug in Phase1/2 but there are more debug levels for specific information:
2 Shows config changes 4 Shows connections which will be established 8 Only Phase-1 as Phase-2 comunications messages 16 Shows only NAT-T (Nat-Traversal) 32 Shows only DPD 64 Shows only Encryption/Decryption Key's 128 Shows only Encryption Traffic payload
You can set as you already mentioned a filter for ike which means:
# diagnose vpn ike log-filter ? clear Erase the current filter. dst-addr4 IPv4 destination address range to filter by. dst-addr6 IPv6 destination address range to filter by. dst-port Destination port range to filter by. interface Interface that IKE connection is negotiated over. list Display the current filter. name Phase1 name to filter by. negate Negate the specified filter parameter. src-addr4 IPv4 source address range to filter by. src-addr6 IPv6 source address range to filter by. src-port Source port range to filter by. vd Index of virtual domain. -1 matches all.
Keep in mind that application ike only shows Phase1/2 traffic nothing else. If you like to too look to the particular traffic from a user you can use the sniffer command which you will run on the ipsec interface and also there you can use different filters like the source IP of the user (IP Pool address). The sniffer command is used in following way:
# diagnose sniffer packet <interface_name> <‘filter’> <verbose> <count> a <interface_name> Name of the interface to run the sniffer like wan1 etc. you can use also any for all interfaces! <‘filter’> Definition for filter. The filter must be defined within "quotes" but you can use ‘ ' ". If you define none no filter
is applied any everthing is shwon
<count> Definition of counter which means how many packets will be shown Syntax: '[ [src|dst] host<host_name_or_IP1> ] [ [src|dst] host<host_name_or_IP2> ] [ [arp|ip|gre|esp|udp|tcp] [port_no] ] [ [arp|ip|gre|esp|udp|tcp] [port_no] ]' Example: Not Port 443 = '!port 443' Port 443 = 'port 443' Host = 'host 192.168.1.1' Host und Host = 'host 192.168.1.1 and host 192.168.1.2' Host und Port 443 = 'host 192.168.1.1 and port 443' Host und nicht Port 443 = 'host 192.168.1.1 and !port 443' Host oder Port 443 = 'host 192.168.1.1 or port 443' Nur udp Traffic = 'udp' Nur SYN Flag = 'tcp[13]&2==2' Nur ARP Packete = 'arp' <verbose> Definiert den Level der "Verbosity": 1 - Shows the header of a packet 2 - Shows the header and data of IP packets 3 - Shows the header and data of Ethernet Packets (Frames ACSII und HEX) 4 - Shows the header and Interface Name of Packets 5 - Shows the header and data of IP Packets with Interface Name 6 - Shows the headerund and of Ethernet Packets with Interface Name
This information is from following KB:
http://kb.fortinet.com/kb/documentLink.do?externalId=11186
Actually the sniffer command is working like a tcpdump on linux/unix systems.
I only use capturing if you need application based information this means if a application is not working. If the access itself is a problem like destination is not answering or interrupt like you will find out who is sending a reset use sniffer command. You can also deeply troubleshoot based on TCP headers like follwoing example which shows only RST packets:
# diagnose sniffer packet any "tcp[13] & 4 != 0"
The "tcp[13] & 4 != 0" is indicating RST. How to get there see attached file (needs deeply tcp knowledge)! Below some examples:
'tcp[13]==1' Only packets with FIN bit value with 1 'tcp[13]&4==4' All packets with RST bit value with 1 'tcp[13]&8==8' All packets with PSH bit value with 1 'tcp[13]==16' Only packets with ACK bit value with 1 'tcp[13]&32==32' All packets with URG bit value with 1 'tcp[13]&64==64' All packets with ECE bit value with 1 'tcp[13]&128==128' All packets with CWR bit value with 1 'tcp[13]==24' Only packets with PSH und ACK bit value with 1
Hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem with packet capture is that it requieres additional tools (wireshark, etc.) and it not as easy to see the error as with the diagnose debug.
Hogwash is what I would say. Every thing Andrea point out above would be present in the pcap to include information pertaining phase1 IKE cookies, IKE-KAs, IKE-NAT-T, etc...... phase2 ipsec ESP ( spi#, seq#,etc...)
How do you think we actually debugged traffic event before diagnostic commands even existed ? ;) Free tools like wireshark/tshark are actually more useful than what persons give it credit for most just flat out don't know or too lazy to use them imho.
Capture from the client side not always give the full information.
And that's the main reason why you would diagnose the client connect on the client side. You stated early you have hundreds if not thousands of connections but only one connect that your having problems with. You probably need to inspect that one connection and see what happening at the clientside as it pertains to ike and/or ESP
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I guess it is 5.41 OS bug. ike log filter src-addr4 doesn't give useful output any more, it shows "ike shrank heap by ":
FGT90D3Z13002576 # diag debug reset FGT90D3Z13002576 # diag debug app ike -1 FGT90D3Z13002576 # diag vpn ike log filter clear FGT90D3Z13002576 # diag vpn ike log filter src-addr4 10.10.20.13 FGT90D3Z13002576 # diag vpn ike log filter list vd: any name: any interface: any IPv4 source: 10.10.20.13 IPv4 dest: any IPv6 source: any IPv6 dest: any source port: any dest port: any
FGT90D3Z13002576 # diag debug en FGT90D3Z13002576 # ike shrank heap by 131072 bytes ike shrank heap by 122880 bytes FGT90D3Z13002576 #
whereas filter by "name" works fine (but it can't filter all messages from other ipsec tunnels). Any idea how to disable "shrink" functionality?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i don't believe that is something you disable, it seems to indicate something about memory management of the ike proces.
i have a similar experience with diag vpn ike log filter, support said diag vpn ike log filter dst-addr4 should show you everything of one tunnel based on the remote end point
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, keep doing what you are doing and just stick to destination ip (remote gw ip)....about the only way to cleanly filter IPSEC debugs
Mike Pruett
Mike Pruett
Fortinet GURU | Fortinet Training Videos
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL vpn users --->Fortigate <-----------------------------------------------> Checkpoint ------> servers
IPSEC VPN route based
What we are finding the SSL vpn client users are facing issues in completing the three way handshake syn is going syn ack is getting received while the client machine is sending the RST immediately
Error observed in the debug on fortigate is
func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 192.168.94.1:50780->172.29.30.16:3389) from local. flag
# diagnose sniffer packet any "host 172.29.30.16 and tcp port 3389" 4 0 a interfaces=[any] filters=[host 172.29.30.16 and tcp port 3389] 2017-02-02 05:54:38.755580 ssl.root in 192.168.94.1.51266 -> 172.29.30.16.3389: syn 3838243965 2017-02-02 05:54:38.755619 Avenue_Ecom_Mum out 192.168.94.1.51266 -> 172.29.30.16.3389: syn 3838243965 2017-02-02 05:54:38.802968 Avenue_Ecom_Mum in 172.29.30.16.3389 -> 192.168.94.1.51266: syn 3317155358 ack 3838243966 2017-02-02 05:54:38.803017 Avenue_Ecom_Mum out 192.168.94.1.51266 -> 172.29.30.16.3389: rst 3838243966 2
FCNSA
FCNSA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
might be wiser to start a new thread, jumping on another thread confuses things.
also this seems to be more a network issue then a VPN one. in the new thread you might want to combine the IPs and interface names to the first drawing.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Trouble with LDAP authentication 329 Views
- diagnose sys ha session-sync-dev output unexpected 185 Views
- FortiAP-231G intermittently goes offline. 144 Views
- How to obtain logs per second... 268 Views
- can´t ping ippool from cli @120G... 198 Views
Labels
-
FortiGate
8,407 -
FortiClient
1,700 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
403 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
FortiWeb
197 -
5.0
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.