Palo Alto Networks Knowledgebase: Advanced VPN IPSec troubleshooting 8.0 (enable debugging per VPN peer)

Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:01 AM
Resolution

Starting with PAN-OS 8.0, IPSec VPN debugging can be enabled per peer. Compare the options available under debug ike before and after 8.0:

 

Pre PAN-OS 8.0

  admin@PA-VM-7.1> debug ike 
> global   global
> pcap     pcap
> socket   socket
> stat     show IKE daemon statistics

 

 

Post PAN-OS 8.0

 admin@PA-VM-8.0> debug ike
> gateway   debug IKE gateway
> global    global
> pcap      pcap
> socket    socket
> stat      show IKE daemon statistics
> tunnel    debug IPSec tunnel

 

Using the "gateway" or "tunnel" keyword, you can enable debug logging for an individual IKE gateway or IPSec tunnel.

Example:

 admin@PA-VM-8.0> debug ike gateway IKE-GW-HQ
> clear   clear IPSec tunnel statistics
> off     Turn off IPSec tunnel debug logging
> on      Turn on IPSec tunnel debug logging
> stats   show IPSec tunnel statistics

admin@PA-VM-8.0> debug ike tunnel IPSEC-HQ
> clear   clear IPSec tunnel statistics
> off     Turn off IPSec tunnel debug logging
> on      Turn on IPSec tunnel debug logging
> stats   show IPSec tunnel statistics

 

Note:

- Debug filters can be enabled for up to 5 IKE gateways and/or IPSec tunnels.

 

 

For more information about IPSec VPN troubleshooting, see https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Troubleshoot-IPSec-VPN-connectivity-issues/ta-p/59187


