Troubleshoot Fortigate IPsec VPN
I have built quite a few IPsec client VPNs, and most go smoothly. During a recent deployment, building an IPsec client vpn and using SAML for authentication, I ran into some rode blocks. These are the diagnostic tools I used to help weed out the problems. Ill include all the diagnostic commands first, then explain what every one does.
diag debug reset
fnsysctl killall iked
diagnose vpn ike log-filter src-addr4 [ip]
diagnose debug application ike -1
diagnose debug application samld -1
diag debug app fnbamd -1
diag debug application eap_proxy -1
diag debug enable
Now, lets go through these line by line
diag debug reset
: resets all debug configs, in case any were currently running.fnsysctl killall iked
: This kills the IKE process on the system. This is useful to clear out any hairballs that may be lurking. Similar to pkill.diagnose vpn ike log-filter src-addr4 [ip]
: Specifies the source address we wish to see logs for in our debug console.diagnose debug application ike -1
: Sets IKE (the protocol behind IPsec) to debug mode.diagnose debug application samld -1
: Sets SAML to debug mode. Useful if using SAML authentication, does not make a difference otherwise.diag debug app fnbamd -1
: Sets fndbam to debug mode. Fnbdam is for debugging RADIUS, LDAP, and TACACS authentication.diag debug application eap_proxy -1
: Sets EAP Proxy to debug mode. This is the authentication proxy, where the fortigate is not preforming the authentication.diag debug enable
: Enables debug mode.diag debug disable
: Once complete disables the debug messages from going to console. All messages will auto stop after 30 minutes.