Useful VPN Troubleshooting and Debug Commands
For the latest VPN technical documentation, refer to Concepts & Examples - ScreenOS Reference Guide - Virtual Private Networks.
This article applies to ScreenOS 4.0 and higher.
To use the VPN troubleshooting and debug commands, perform the following steps:
- Open the Command Line Interface (CLI). For more information on how to open the CLI, go to Accessing the Command Line Interface Using Telnet.
- Enter any of the following commands; then press ENTER.
| Command | Description |
|---|---|
| get ike gateway | This command shows the IKE gateway configuration and the Phase 1 proposal. |
| get vpn | This command shows the VPN association with the IKE gateway and the Phase 2 proposal. |
| get policy | Use this command to check that the policy for VPN traffic is set correctly. |
| get ike cookie | This command shows whether the Phase 1 negotiation was successful. If no active IKE cookie is present, Phase 1 is not established. |
| get event | Use this command to examine the status of the Phase 1 and Phase 2 negotiations. |
| get sa | Use this command to examine the security association. |
| debug ike | This command lets you set the level of IKE debug messages. |
| debug vpn | This command lets you set the VPN debug level. (Command not present on 6.3.0 and above.) |
| get dbuf stream | Use this command to retrieve all data from the debug buffer on the console. |
Additional Information:
When troubleshooting the VPN connection:
- Initiate ping traffic from the initiator first.
- Perform the debug on the VPN terminator to ensure the accuracy of the debug output.