[Includes video] How to configure syslog to display VPN status messages

  [KB10097]


Summary:

This article provides a video and text instructions on how to configure a log file, called kmd-logs, that only contains VPN status (KMD) messages.  This is helpful for troubleshooting a VPN that is down or not active.


Symptoms:

VPN is not active.  How do I capture VPN daemon (KMD) messages in order to troubleshoot the problem faster?


Cause:

Solution:

Go to the KBTV video or text instructions below:

Video format:


Text format:

A VPN issue can be resolved faster by capturing and reviewing the logs on the responder VPN device. The responder is the "receiver" side of the VPN that is receiving the tunnel set up requests. The initiator is the side of the VPN from which the initial IKE session is generated.  In the case of a Remote Access IPsec VPN (which is a VPN between a Juniper VPN device and a PC client running IPsec software), the initiator is always the PC and the responder is the Juniper VPN device.

On the responder VPN device, perform either of the instructions below, depending on your Junos OS version:


Junos 11.4R3 and above

In Junos 11.4R3 and above, VPN status messages are written to the daemon facility at the 'info' severity level.  If the device is still using the default system syslog configuration, which only captures messages at the 'critical' level, the 'info' VPN status messages will not be captured and will not appear in the default messages log.

Therefore, perform these steps on the responder side to capture the 'info' VPN status messages.

1.  First, configure a new syslog file kmd-logs which matches on the uppercase text:  KMD

# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit

Note: The filename is kmd-logs; it is important that you do not name the file kmd, as the IKE debugs are written to the file kmd.

2.  Then attempt to bring the VPN tunnel up again (so that the VPN status messages are logged to kmd-logs).

3.  View the VPN status messages with the command: 

> show log kmd-logs

The file kmd-logs is written to the /var/log directory. 

Example VPN status message:
Jul 10 16:14:00  210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.2.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2


Junos 11.4R2 and below

Note:  The video does not include these instructions.

For Junos 11.4R2 and below, perform these steps on the responder side:

CLI:

Run the command:  show log kmd
To display information for a specific VPN, use the pipe ( | ) and match or find commands to include the IP address of the VPN Peer Gateway (the initiator’s IP address). For example: 

> show log kmd | match 1.1.1.2
> show log kmd | find 1.1.1.2

Where 1.1.1.2 is the VPN Peer Gateway IP Address.
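The same filtering and extraction can be done offline once the kmd-logs file (or the output of show log kmd) has been copied off the box. The Python below is an added example and is not part of this article or of Junos; it parses the Phase-2 proxy-ID message shown above, pulls out the peer gateway, local gateway and both proxy IDs, and filters by peer IP the way the match/find step does. The sample log text is constructed for the example: the first line is the message quoted in this article, the second is a copy with different addresses, and the third is an unrelated non-KMD line included to show that it is ignored. The parser keys on the lowercase process name kmd in the syslog header rather than on the uppercase KMD string used by the syslog match statement; that choice is an assumption of the example, not something the article specifies.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample input modelled on the one KMD message quoted in the article.
# Line 2 is a variant with different addresses; line 3 is a non-KMD line that
# must be ignored by the parser.
SAMPLE_KMD_LOG = """\
Jul 10 16:14:00  210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.2.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
Jul 10 16:14:05  210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=172.16.5.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:3.3.3.3
Jul 10 16:14:07  210-2 sshd[1234]: Accepted password for admin from 10.0.0.5 port 51002 ssh2
"""

# Classic syslog header: "Mon DD HH:MM:SS host process[pid]: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
PHASE_RE = re.compile(r"IKE Phase-(?P<phase>[12])")
PEERS_RE = re.compile(r"local ip:\s*(?P<local>[\d.]+),\s*remote peer ip:\s*(?P<peer>[\d.]+)")
REMOTE_PROXY_RE = re.compile(r"p2_remote_proxy_id=ipv4_subnet\([^)]*=(?P<cidr>[\d./]+)\)")
LOCAL_PROXY_RE = re.compile(r"p2_local_proxy_id=ipv4_subnet\([^)]*=(?P<cidr>[\d./]+)\)")


@dataclass(frozen=True)
class KmdEvent:
    timestamp: str
    host: str
    pid: int
    phase: Optional[int]        # 1 or 2 when the message names an IKE phase
    local_ip: Optional[str]     # responder's gateway address
    peer_ip: Optional[str]      # initiator / peer gateway address
    local_proxy: Optional[str]  # p2_local_proxy_id subnet, Phase-2 only
    remote_proxy: Optional[str] # p2_remote_proxy_id subnet, Phase-2 only
    message: str


def parse_kmd_line(line: str) -> Optional[KmdEvent]:
    """Parse one syslog line; return None for non-kmd or unparseable lines."""
    m = HEADER_RE.match(line.rstrip())
    if not m or m.group("proc") != "kmd":
        return None
    msg = m.group("msg")
    phase = PHASE_RE.search(msg)
    peers = PEERS_RE.search(msg)
    lp = LOCAL_PROXY_RE.search(msg)
    rp = REMOTE_PROXY_RE.search(msg)
    return KmdEvent(
        timestamp=m.group("ts"),
        host=m.group("host"),
        pid=int(m.group("pid")),
        phase=int(phase.group("phase")) if phase else None,
        local_ip=peers.group("local") if peers else None,
        peer_ip=peers.group("peer") if peers else None,
        local_proxy=lp.group("cidr") if lp else None,
        remote_proxy=rp.group("cidr") if rp else None,
        message=msg,
    )


def parse_kmd_log(text: str) -> List[KmdEvent]:
    """Parse a whole kmd-logs / 'show log kmd' capture, skipping non-KMD lines."""
    return [ev for ev in (parse_kmd_line(l) for l in text.splitlines()) if ev]


def events_for_peer(events: Iterable[KmdEvent], peer_ip: str) -> List[KmdEvent]:
    """Equivalent of 'show log kmd | match <peer>' but matched on the parsed peer field."""
    return [e for e in events if e.peer_ip == peer_ip]


def proxy_id_mismatches(events: Iterable[KmdEvent]) -> List[Tuple[str, str, str]]:
    """(peer_ip, local_proxy, remote_proxy) for every Phase-2 proxy-ID failure."""
    return [
        (e.peer_ip, e.local_proxy, e.remote_proxy)
        for e in events
        if e.phase == 2 and "Failed to match the peer proxy IDs" in e.message
    ]


if __name__ == "__main__":
    evs = parse_kmd_log(SAMPLE_KMD_LOG)
    for peer, local_proxy, remote_proxy in proxy_id_mismatches(evs):
        print(f"peer {peer}: our proxy-ID {local_proxy} vs peer's {remote_proxy}")
```

The proxy-ID tuples are what you compare against the initiator's configuration: the responder's p2_local_proxy_id must equal the initiator's remote proxy ID and vice versa, so a mismatch in this output points directly at the traffic selector (or ScreenOS/client proxy-ID) that needs to be changed on one side.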

J-Web:

1.  To display the VPN Events (Status Messages) via J-Web, navigate to the following location:

   Monitor > Events and Alarms > View Events

2.  Enter the Peer Gateway's IP address in the "Text in Event Description" box to narrow the event log down to only the messages related to that VPN peer, then click OK to view the results.
 

For information on how to analyze these messages, refer to:

KB10101 - How to analyze IKE Phase 1 VPN status messages
KB10099 - How to analyze IKE Phase 2 VPN status messages


Related Links: