Greetings
When I enable the various debugs as shown and run the diagnose debug info command, I expect to see all currently enabled debugs in the location shown, but I do not. Is this how it should be?
Where or how can I obtain feedback to confirm what debugs are turned on at any given point?
Thanks
Hello slouw,
It seems that you have not enabled the debug at all; its status is disabled.
debug output: disable
To enable the debug you have to run the below command:
diag debug enable
You make an interesting point which I need to digest. Thank you.
Please would you consider the following sequence annotated in the screenshot.
STEP1 Log on and run diagnose debug info (Ref 1 in diagram)
Q1 Is it accurate to say that there are at present no debugs turned on for this unit? (Ref 2)
STEP2 run diagnose debug application ike -1 (Ref3)
Q2 Is (Ref4) telling us that turning on ike debug level 1 has the effect of starting the debug timer?
STEP3 run diagnose debug info again (Ref5)
The fact that ike debug Level 1 is turned on is shown now (Ref6).
Q3 Is it accurate that this is the place to look to check what debugs are turned on at any point in time?
(Ref7) shows us the status of the timer. Q4 is about the relationship between the state of any debug (on/enabled or off/disabled) and the state of the timer (Running or not). In the sequence above we set the ike debug to on/enabled state. This had the effect of starting the timer. Is this the case for any debug?
Q4 If any debug is enabled does this have the effect of starting the timer?
(Ref8) The timer was set to 30min and most of this time has elapsed.
(Ref9) This is the bottom fragment of diagnose debug info showing timer is nearly done.
STEP4 run diagnose debug info (Ref10)
(Ref11) ike debug has turned off. This suggests that answer to Q3 is yes. This is the place to check if any debugs are turned on.
Much appreciate any help!
In reply to:
Hello slouw,
It seems that you have not enabled the debug at all; its status is disabled.
debug output: disable
To enable the debug you have to run the below command:
diag debug enable
How about this below.
Debug output is now showing as enabled.
Still no output.
Note in a different screen I have diagnose sniffer packet wan 'host ww.xx.yy.172' running.
ww.xx.yy.172 is the hub underlay i.e. the far end of the IPsec tunnel.
What am I doing wrong in trying to get flow debug output?
thanks.....
As you're showing, your filter set is filtering only protocol 6 (TCP) in. The protocol filter takes only one. So your last filter 6/TCP is there. IPsec never uses TCP.
Just clear the filter with "diag debug flow filter clear" then specify only address to filter. If this is a spoke only with one IPsec, you don't have to specify even the address. I don't see any point specifying protocol to just debug IKE.
Toshi
OMG! It worked!
Thanks!!!!!
Sorry. For flow debug, you have to specify the address.
If IKE debug, you don't have to specify the address if there is only one IPSec.
I got confused myself.
Toshi
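The corrected sequence discussed in this thread, written out as an added example (it is not taken from any of the posts above). It uses the FortiOS diagnose commands named in the thread plus the standard flow trace commands; ww.xx.yy.172 is the hub underlay address as masked by the original poster, and the packet count of 100 is an arbitrary choice.

```fortios
# Lines starting with '#' are annotations for the reader, not commands to type.

# 1. Start clean: stop output, reset debug levels, drop any old flow filter
#    (for example a leftover "filter proto 6" that would hide IPsec traffic).
diagnose debug disable
diagnose debug reset
diagnose debug flow filter clear

# 2. Flow debug: filter on the peer address only, with no protocol filter.
#    IKE and ESP normally travel as UDP 500/4500 and IP protocol 50,
#    so a TCP-only filter matches none of it.
diagnose debug flow filter addr ww.xx.yy.172
diagnose debug flow filter
diagnose debug flow show function-name enable
diagnose debug flow trace start 100

# 3. IKE debug: no address needed when the unit has only one IPsec tunnel.
diagnose debug application ike -1

# 4. Check what is armed, then switch output on. Nothing is printed until
#    "debug output" shows as enabled.
diagnose debug info
diagnose debug enable

# 5. When finished, stop the trace and turn everything off again.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Running `diagnose debug flow filter` with no arguments, as in step 2, prints the active filter, which is the quickest way to spot a stray protocol or port restriction before starting the trace.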
Copyright 2024 Fortinet, Inc. All Rights Reserved.