When troubleshooting site-to-site IPSEC VPN tunnels in FortiGate firewalls, these commands enable debugging on the firewall console and provide detailed information to identify the problem.
- Login to CLI as admin
- Disable any debug sessions that are currently running
diagnose debug disable
- Clear any debug filters that were previously applied
diagnose vpn ike log-filter clear
- Set a filter to show debug logs for a specific VPN tunnel only. This is especially helpful if you have several VPN tunnels and are facing a problem with only one peer.
diagnose vpn ike log-filter dst-addr4 10.10.10.1
- Enable debug mode on IKE handshaking process.
diagnose debug app ike 255
- Enable debug logging to console
diagnose debug enable
After you fix the problem, don’t forget to disable debugging
diagnose debug disable
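Once the debug is enabled, the console quickly fills with IKE output for every negotiation that passes the filter, and the actual cause is usually a single line buried in it. The script below is an added example (not part of the original page and not a Fortinet tool) that groups pasted IKE debug text by tunnel name and flags the lines that normally point at the root cause. It assumes the common line shape `ike <vdom>:<tunnel>:<negotiation-id>: <text>`; the sample debug lines and the failure hints are constructed for illustration, not captured from a real device.

```python
# Added example: group FortiGate "diagnose debug app ike" console output by
# tunnel and flag the lines that usually explain why a tunnel does not come up.
# Sample lines below are constructed to resemble IKE debug output.
import re
from collections import defaultdict

# Assumption: debug lines look like "ike <vdom>:<tunnel>:<negotiation-id>: <text>".
# Lines that do not match are kept under "_unattributed" so nothing is silently lost.
LINE_RE = re.compile(r"^ike\s+(\d+):([^:]+):(\d+):\s*(.*)$")

# Case-insensitive phrases that commonly indicate a specific failure, mapped to
# the setting to compare on both peers. The hints are the editor's wording.
FAILURE_HINTS = {
    "no sa proposal chosen": "phase-1/phase-2 proposal mismatch (encryption, hash, DH group)",
    "probable pre-shared secret mismatch": "pre-shared key differs between the peers",
    "invalid id": "peer ID / local ID mismatch",
    "no matching gateway": "no VPN gateway is configured for this peer address",
    "negotiation failure": "negotiation aborted; the preceding lines carry the reason",
}


def parse_ike_debug(text):
    """Group IKE debug lines by tunnel name.

    Returns {tunnel: [(negotiation_id, message), ...]}. Lines without a
    tunnel prefix are collected under the key "_unattributed".
    """
    tunnels = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            _vdom, tunnel, neg_id, msg = m.groups()
            tunnels[tunnel].append((int(neg_id), msg))
        else:
            tunnels["_unattributed"].append((None, line))
    return dict(tunnels)


def find_failures(tunnels):
    """Return [(tunnel, message, hint)] for each line matching a known failure phrase."""
    hits = []
    for tunnel, entries in tunnels.items():
        for _neg_id, msg in entries:
            lowered = msg.lower()
            for phrase, hint in FAILURE_HINTS.items():
                if phrase in lowered:
                    hits.append((tunnel, msg, hint))
                    break  # one hint per line is enough
    return hits


# Constructed sample: two tunnels, only "Branch-B" fails to negotiate.
SAMPLE_DEBUG = """\
ike 0:Branch-A:12: responder: main mode get 1st message...
ike 0:Branch-A:12: SA proposal chosen, matched gateway Branch-A
ike 0:Branch-A:12: established IKE SA
ike 0:Branch-B:13: responder: main mode get 1st message...
ike 0:Branch-B:13: incoming proposal:
ike 0:Branch-B:13: proposal id = 1: protocol = ISAKMP:
ike 0:Branch-B:13: no SA proposal chosen
ike 0:Branch-B:13: negotiation failure
ike Negotiate SA Error: ike 0:Branch-B: failed
"""

if __name__ == "__main__":
    parsed = parse_ike_debug(SAMPLE_DEBUG)
    for tunnel, msg, hint in find_failures(parsed):
        print(f"[{tunnel}] {msg}\n    -> check: {hint}")
```

Paste the console output captured between `diagnose debug enable` and `diagnose debug disable` into `SAMPLE_DEBUG` (or read it from a file) and the script reports, per tunnel, which failure phrase appeared and what to compare on the two peers. Add further phrases to `FAILURE_HINTS` as you meet them; unknown lines are never discarded, only left unflagged.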