How to generate debugs
This post is to seek help to generate some debug output.
The context is an attempt to set up a new IPsec tunnel on a new site to connect into an existing SD-WAN hub.
I believe that I have copied the config of any existing site to a new setup but upon adding the first tunnel it remains status = down.
I am wanting to generate some debugs but not seeing any output.
All I have done is the following command:
diagnose debug enable
Do I need to do anything else?
I have left the IKE filter at default i.e. No filtering.
I am not sure if there is somewhere I need to specifically turn on IKE debugging?
Appreciate any help
"diag debug enable" is to just get any/all debug output you specifically set up into your CLI session. You have to run IKE debugging specifically following a KB like below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...
Toshi
Thanks @Toshi_Esumi
From that doc I use the command
diag debug app ike -1
And I see I have some output.
Happiness.... :)
On the spoke side, you likely have only one IPsec so the IKE debug works fine without any filtering. But on the hub side, there must be multiple IPsec so you definitely want to filter the debugging only for the one from this spoke. At that time you want to use the command:
"diag vpn ike log-filter <option> <parameter>"
as in the KB before enabling the output with "diag debug ena".
Toshi
Understood thanks
I have enabled a couple of debugs now on my test box
Is there a command to show what debugs are enabled?
"diag debug info"
To stop "diag debug app ike -1" specifically is "diag debug app ike 0".
But we almost always use "diag debug reset" to stop all of them then start over.
Toshi
