Commands to enable debug logs for troubleshooting IPSec VPN Tunnel in FortiGate

FortiGate CLI

When troubleshooting site-to-site IPsec VPN tunnels on FortiGate firewalls, the following commands enable IKE debugging on the firewall console and print the detailed negotiation output needed to identify where phase 1 or phase 2 setup fails.

  • Log in to the CLI as admin
  • Disable any debug that is currently running

diagnose debug disable

  • Clear any debug filters that were previously applied

diagnose vpn ike log-filter clear

  • Set a filter so that only debug logs for a specific VPN tunnel are shown, by giving the IPv4 address of the remote gateway (the peer). This is especially helpful if you have several VPN tunnels and are facing a problem with only one peer. Note that on FortiOS 7.4 and later this command was renamed to `diagnose vpn ike log filter rem-addr4 <remote-gateway-ip>`.

diagnose vpn ike log-filter dst-addr4 <remote-gateway-ip>

  • Enable debug output for the IKE daemon at the highest verbosity (255 means all message types)

diagnose debug app ike 255

  • Enable debug output to the console. Then trigger the tunnel (for example, send traffic that should pass through it) and watch the IKE negotiation messages in your CLI session.

diagnose debug enable

After you fix the problem, don't forget to disable debugging, otherwise the IKE daemon keeps generating verbose output:

diagnose debug disable
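The steps above can be driven from a workstation over SSH so that the debug output is captured to a file and debugging is switched off again even if the capture is interrupted. The script below is an added example, not something from the original page or from Fortinet; it assumes the firewall is reachable as $FGT_HOST with SSH user $FGT_USER, that piping commands into `ssh -T` executes them on the FortiGate CLI (which it does on FortiOS), and the pre-7.4 `log-filter dst-addr4` syntax. The peer-address validation, the timestamp command and the `diagnose debug reset` at the end are additions beyond the page's own sequence.

```shell
#!/bin/sh
# Added example (not from the page): run the FortiGate IKE debug sequence for one
# IPsec peer over SSH, capture the output, and always turn debugging off again.
# Assumed environment: FGT_HOST (firewall address) and optionally FGT_USER (default admin).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255, else 1.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) ok = 0
            exit !ok
        }
        { exit 1 }'
}

# Print the FortiGate CLI commands that start IKE debugging for the peer in $1.
# Order matters: old debug off, filters cleared, filter set, level set, then enable.
ike_debug_start_cmds() {
    peer=$1
    is_ipv4 "$peer" || { echo "bad remote gateway address: $peer" >&2; return 1; }
    cat <<EOF
diagnose debug disable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 $peer
diagnose debug app ike 255
diagnose debug console timestamp enable
diagnose debug enable
EOF
}

# Print the commands that stop debugging and clear the IKE debug level again.
ike_debug_stop_cmds() {
    cat <<EOF
diagnose debug disable
diagnose debug reset
EOF
}

# Capture IKE debug output for peer $1 for $2 seconds (default 60) into file $3.
# Bring the tunnel up (or send interesting traffic) while the capture is running.
capture_ike_debug() {
    peer=$1; seconds=${2:-60}; out=${3:-ike-debug-$peer.log}
    target="${FGT_USER:-admin}@${FGT_HOST:?set FGT_HOST to the firewall address}"
    start_cmds=$(ike_debug_start_cmds "$peer") || return 1
    # If the capture is interrupted, still turn debugging off in a fresh SSH session.
    trap 'ike_debug_stop_cmds | ssh -T "$target" >/dev/null; trap - INT TERM' INT TERM
    {
        printf '%s\n' "$start_cmds"
        sleep "$seconds"          # keep the session open while IKE negotiates
        ike_debug_stop_cmds
    } | ssh -T "$target" | tee "$out"
    trap - INT TERM
}

# Usage: FGT_HOST=192.0.2.1 ./ike-debug.sh <remote-gateway-ip> [seconds] [outfile]
if [ $# -gt 0 ]; then
    capture_ike_debug "$@"
fi
```

The filter address is validated before anything is sent, because a typo such as a missing octet would make `log-filter dst-addr4` fail and every later command would then run unfiltered against all tunnels. The stop commands are sent through the same pipe after the wait, and repeated from a trap on Ctrl-C, so the firewall is not left with IKE debugging at level 255.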