Useful VPN Troubleshooting and Debug Commands
Useful VPN Troubleshooting and Debug Commands
Problem or Goal:Environment:
- VPN (Virtual Private Network)
- Debug
- Troubleshooting
- CLI (Command Line Interface) Commands
This article applies to ScreenOS 4.0 and higher.
To use the VPN troubleshooting and debug commands, perform the following steps:
Open the Command Line Interface (CLI). For more information on how to open the CLI, go to Accessing the Command Line Interface Using Telnet.
Enter any of the following commands; then press ENTER.
| get ike gateway | This command shows the IKE gateway configuration and the Phase 1 proposal. |
| get vpn | This command shows the VPN association with the IKE gateway and the Phase 2 proposal. |
| get policy | Use this command to examine the correct policy setting for VPN traffic. |
| get ike cookie | This command shows you if the Phase 1 negotiation is successful. If there is no active IKE cookie present, Phase 1 is not established. |
| get event | Use this command to examine the status of the Phase 1 and Phase 2 negotiations. |
| get sa | Use this command to examine the security association. |
| debug Iike | This command allows you to set a different level of the IKE debug message. |
| debug vpn | This command allows you to set the VPN debug level. |
| get dbuf stream | Use this command to retrieve all data from the debug buffer on the console. |
Additional Information:
When troubleshooting the VPN connection:
- Initiate a ping traffic from initiator first,
- perform the debug on the VPN terminator to ensure the debug accuracy.
Installation
