[Includes video] How to configure syslog to display VPN status messages
Article ID: KB10097
Last Updated: 20 Jan 2021
Version: 10.0
Summary:
This article provides video and text instructions on how to configure a log file, called kmd-logs, which contains only VPN status (KMD) messages. This is helpful for troubleshooting a VPN that is down or not active.
Symptoms:
VPN is not active. How do I capture VPN daemon (KMD) messages in order to troubleshoot the problem faster?
A VPN issue can be resolved faster by capturing and reviewing the logs on the responder VPN device. The responder is the "receiver" side of the VPN that is receiving the tunnel setup requests. The initiator is the side of the VPN from which the initial IKE session is generated. In the case of a Remote Access IPsec VPN (which is a VPN between a Juniper VPN device and a PC client running the IPsec software), the initiator is always the PC and the responder is the Juniper VPN device.
On the responder VPN device, perform the following actions:
VPN status messages are written to the daemon facility at the "info" level. If your configuration is using the default system syslog configuration, which is "critical," the "info" VPN status messages will not be captured and viewable with show system syslog.
Therefore, perform these steps on the responder side to capture the "info" VPN status messages.
First, configure a new syslog file, kmd-logs, which matches on the uppercase text KMD.
# set system syslog file kmd-logs daemon info
# set system syslog file kmd-logs match KMD
# commit
Note: The filename is kmd-logs; it is important that you do not name the file kmd, because the IKE debugs are written to the file kmd.
Then attempt to bring the VPN tunnel up again (so that the VPN status messages are logged to kmd-logs).
View the VPN status messages with the following command:
> show log kmd-logs
The file kmd-logs is written to the /var/log directory.
Example VPN status message
Jul 10 16:14:00 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.2.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
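As an added example (not Juniper's code and not part of the original article), the following Python parser reads kmd-logs output in the format of the message above, skips lines from other daemons, pulls out the IKE phase, the failure reason, the proxy IDs and the local/peer addresses, and counts failures per remote peer so the responder-side review described in this article can be done quickly on a large file. The sample lines are constructed, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample kmd-logs content in the message format shown in the article (not from a real device).
SAMPLE_LOG = """\
Jul 10 16:14:00 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.2.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
Jul 10 16:14:01 210-2 mgd[1234]: constructed non-KMD line that the parser must skip
Jul 10 16:14:05 210-2 kmd[52472]: IKE Phase-2: Failed to match the peer proxy IDs [p2_remote_proxy_id=ipv4_subnet(any:0,[0..7]=192.168.2.0/24), p2_local_proxy_id=ipv4_subnet(any:0,[0..7]=10.10.10.0/24)] for local ip: 2.2.2.1, remote peer ip:2.2.2.2
"""

# Syslog header: "<Mon dd hh:mm:ss> <host> kmd[<pid>]: <body>"; only kmd lines match.
HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kmd\[(?P<pid>\d+)\]: (?P<body>.*)$")
# Body starts with "IKE Phase-N: <reason>", optionally followed by a bracketed detail block.
PHASE_RE = re.compile(r"^IKE (?P<phase>Phase-[12]): (?P<reason>[^\[]+?)\s*(?:\[|$)")
# Proxy IDs as printed by kmd: p2_<side>_proxy_id=ipv4_subnet(any:0,[0..7]=<net>/<len>)
PROXY_RE = re.compile(r"p2_(?P<side>remote|local)_proxy_id=ipv4_subnet\(any:0,\[0\.\.7\]=(?P<net>[\d./]+)\)")
IP_RE = re.compile(r"for local ip:\s*(?P<local>[\d.]+), remote peer ip:\s*(?P<remote>[\d.]+)")

@dataclass
class KmdEvent:
    host: str
    pid: int
    phase: str
    reason: str
    remote_proxy: Optional[str]
    local_proxy: Optional[str]
    local_ip: Optional[str]
    remote_ip: Optional[str]

def parse_kmd_line(line: str) -> Optional[KmdEvent]:
    """Return a KmdEvent for an IKE status line from kmd, or None for any other line."""
    header = HEADER_RE.match(line.rstrip())
    if not header:
        return None
    body = header.group("body")
    phase = PHASE_RE.match(body)
    if not phase:
        return None
    proxies = {pm.group("side"): pm.group("net") for pm in PROXY_RE.finditer(body)}
    ips = IP_RE.search(body)
    return KmdEvent(host=header.group("host"), pid=int(header.group("pid")),
                    phase=phase.group("phase"), reason=phase.group("reason"),
                    remote_proxy=proxies.get("remote"), local_proxy=proxies.get("local"),
                    local_ip=ips.group("local") if ips else None,
                    remote_ip=ips.group("remote") if ips else None)

def failures_by_peer(log_text: str) -> Dict[str, int]:
    """Count IKE failure messages per remote peer IP, the first thing to check on the responder."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        ev = parse_kmd_line(line)
        if ev and ev.reason.startswith("Failed") and ev.remote_ip:
            counts[ev.remote_ip] = counts.get(ev.remote_ip, 0) + 1
    return counts
```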