Need advanced VPN troubleshooting methods/ideas

DirkDuesentrieb · ‎05-15-2020

Hello forum,

we have a box with many VPN tunnels, but one is giving me a headache.

I like to do a long term debugging, because FortiAnalizer has not the necessary details like dpd messages. My best method currently is to run a "screen" session with output logging and do "diagnose debug application ike -1" there.

But this ends after 30 minutes and has no timestamp.

Has anyone a good idea? Sending those debugs to a syslog server would be great.

Cheers,

Dirk

TheJaeene · ‎05-15-2020

Hi Dirk,

My method is:

putty with logging enabled

Prolong Admin Session Timeout via GUI

Prolong Debug time:

diagnose debug duration 0

Enable debug timestamp:

diagnose debug console timestamp enable

Filter Debug for the specific Peer´s Source (yes, filter is set as dst-addr :(

diagnose vpn ike log-filter dst-addr4 1.2.3.4

diagnose vpn ike filter dst-addr4 1.2.3.4

Regards,

The jaene

DirkDuesentrieb · ‎05-15-2020

Hello The jaene,

"diagnose debug duration 0" is one thing I didn't know about, thank you for that.

I got another hint that's solving the timestamp issue. "ts" from the moreutils package adds a configurable timestamp to an output line. Together with "tee" it works directly with ssh.

ssh my-fortigate | tee >(ts > debug.log)

Cheers,

Dirk