Useful VPN Troubleshooting and Debug Commands

For the latest VPN technical documentation, refer to Concepts & Examples - ScreenOS Reference Guide - Virtual Private Networks.

Environment:

• VPN (Virtual Private Network)
• Debug
• Troubleshooting
• CLI (Command Line Interface) Commands

This article applies to ScreenOS 4.0 and higher.

To use the VPN troubleshooting and debug commands, perform the following steps:

1. Open the Command Line Interface (CLI). For more information on how to open the CLI, go to Accessing the Command Line Interface Using Telnet.
2. Enter any of the following commands; then press ENTER.

    

   get ike gateway	This command shows the IKE gateway configuration and the Phase 1 proposal.
   get vpn	This command shows the VPN association with the IKE gateway and the Phase 2 proposal.
   get policy	Use this command to examine the correct policy setting for VPN traffic.
   get ike cookie	This command shows you if the Phase 1 negotiation is successful. If there is no active IKE cookie present, Phase 1 is not established.
   get event	Use this command to examine the status of the Phase 1 and Phase 2 negotiations.
   get sa	Use this command to examine the security association.
   debug ike	This command allows you to set a different level of the IKE debug message.
   debug vpn	This command allows you to set the VPN debug level.(Command not present on 6.3.0 and above)
   get dbuf stream	Use this command to retrieve all data from the debug buffer on the console.

Additional Information:

When troubleshooting the VPN connection: 

1. Initiate a ping traffic from initiator first, 
2. perform the debug on the VPN terminator to ensure the debug accuracy.