Knowledge Search


×
 

[Archive] [ScreenOS] Useful VPN Troubleshooting and Debug Commands

  [KB6283] Show Article Properties


Summary:
Useful VPN Troubleshooting and Debug Commands

For the latest VPN technical documentation, refer to Concepts & Examples - ScreenOS Reference Guide - Virtual Private Networks.
Symptoms:

Environment:

  • VPN (Virtual Private Network)
  • Debug
  • Troubleshooting
  • CLI (Command Line Interface) Commands

Cause:

Solution:

Note: This article applies to ScreenOS 4.0 and higher.

To use the VPN troubleshooting and debug commands, perform the following steps:

  1. Open the Command Line Interface (CLI). For more information on how to open the CLI, go to Accessing the Command Line Interface Using Telnet.
  2. Enter any of the following commands; then press ENTER.

     

     get ike gatewayThis command shows the IKE gateway configuration and the Phase 1 proposal.
     get vpnThis command shows the VPN association with the IKE gateway and the Phase 2 proposal.
     get policyUse this command to examine the correct policy setting for VPN traffic.
     get ike cookieThis command shows you if the Phase 1 negotiation is successful. If there is no active IKE cookie present, Phase 1 is not established.
     get eventUse this command to examine the status of the Phase 1 and Phase 2 negotiations.
     get saUse this command to examine the security association.
     debug ikeThis command allows you to set a different level of the IKE debug message.
     debug vpnThis command allows you to set the VPN debug level.(Command not present on 6.3.0 and above)
     get dbuf streamUse this command to retrieve all data from the debug buffer on the console.


Additional Information:

When troubleshooting the VPN connection: 

  1. Initiate a ping traffic from initiator first, 
  2. perform the debug on the VPN terminator to ensure the debug accuracy.

Related Links: