Troubleshooting VPN
With the tools we have explained, we are able to troubleshoot VPN connections. We can start with SSL VPN debugging and follow the steps suggested in the Debugging FortiGate configurations document (http://docs.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_ts_debug.html). The steps are as follows:
1. Verify the current debug configuration with the diagnose debug info command.
2. Display debug messages for SSL VPN using the diagnose debug application sslvpn -1 command.
3. Use diagnose debug enable to display the debug messages.
Any error will be shown on screen. To debug an IPSEC site-to-site VPN connection, a good list of steps is the one posted by Yuri Slobodyanyuk in his blog: http://bit.ly/hzREm1. The steps are as follows:
1. Open an SSH session on the FortiGate unit.
2. Execute diagnose debug enable to enable debugging.
3. Execute diagnose debug app ike -1 to verify IKE errors.
4. Execute diagnose sniffer packet any <IP of the remote LAN> to activate packet sniffing.
5. Open...