I'm in the process of debugging a failing site-to-site VPN from a FortiGate to a Cisco ASA. The Forti has in excess of 30 IPsec VPNs configured on it, so issuing the standard CLI commands:

    diagnose debug application ike -1
    diagnose debug enable

isn't particularly useful due to the volume of entries you'll get.
We want to filter it to one specific VPN, so we do this instead:

    diagnose vpn ike log filter name <phase1-name>
    diagnose debug app ike -1
    diagnose debug enable

Then you'll just get the entries relating to the VPN you want to work on.
This and a lot more useful stuff relating to troubleshooting VPNs can be found here: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495