vpn debug

Description

Instructs the VPN daemon vpnd to write debug messages to the $FWDIR/log/vpnd.elg* and $FWDIR/log/ike.elg* log files.

Debugging of the VPN daemon takes place according to Debug Topics and Debug Levels:

  • A Debug Topic is a specific area, on which to perform debugging.

    For example, if the Debug Topic is LDAP, all traffic between the VPN daemon and the LDAP server is written to the log file.

    Check Point Support provides the specific Debug Topics when needed.

  • Debug Levels range from 1 (least informative) to 5 (most informative - write all debug messages).

For more information, see sk180488.

Syntax

vpn debug

      on [<Debug_Topic>=<Debug_Level>]

      off

      ikeon [-s <Size_in_MB>]

      ikeoff

      trunc [<Debug_Topic>=<Debug_Level>]

      truncon [<Debug_Topic>=<Debug_Level>]

      truncoff

      timeon [<Seconds>]

      timeoff

      ikefail [-s <Size_in_MB>]

      mon

      moff

      say ["String"]

      tunnel [<Level>]

Parameters

Parameter

Description

No Parameters

Shows the built-in usage.

on

Turns on high-level VPN debug.

Information is written in the $FWDIR/log/vpnd.elg* files.

<Debug_Topic>=<Debug_Level>

Specifies the Debug Topic and the Debug Level.

Check Point Support provides these.

Best Practice - Run this command to start the debug:

vpn debug trunc ALL=5

off

Turns off all VPN debug.

Best Practice - Run one of these commands to stop the VPND debug:

vpn debug off

vpn debug truncoff

ikeon [-s <Size_in_MB>]

Turns on the IKE debug.

Information is written in the $FWDIR/log/ike.elg* files.

You can specify the size of the $FWDIR/log/ike.elg file at which to perform the log rotation (close the current active file, rename it, open a new active file).

ikeoff

Turns off IKE debug.

Run this command to stop the IKE debug:

vpn debug ikeoff

trunc

or

truncon

This command:

  1. Rotates the $FWDIR/log/vpnd.elg file

  2. Truncates the $FWDIR/log/ike.elg file

  3. Starts the VPND daemon debug

  4. Starts the IKE debug

Run this command to start the debug:

vpn debug trunc ALL=5

truncoff

Stops the VPND daemon debug.

Run one of these commands to stop the VPND debug:

vpn debug truncoff

vpn debug off

timeon [<Seconds>]

Enables the timestamp in the log files.

Prints one timestamp after the specified number of seconds.

By default, prints the timestamp every 10 seconds.

timeoff

Disables the periodic timestamp in the log files.

ikefail [-s <Size_in_MB>]

Logs failed IKE negotiations.

You can specify the size of the $FWDIR/log/ike.elg file at which to perform the log rotation (close the current active file, rename it, open a new active file).

mon

Enables the IKE Monitor.

Saves the IKE packets in the $FWDIR/log/ikemonitor.snoop file.

Warning - The output file may contain user X-Auth passwords. Make sure the file is protected.

moff

Disables the IKE Monitor.

say "String"

Saves the specified text string in the $FWDIR/log/vpnd.elg file.

For example, run: vpn debug say "BEGIN TEST"

Notes:

  • Run this command after you start the VPN debug (with one of these commands: "vpn debug on", "vpn debug trunc", or "vpn debug truncon").

  • The length of the string is limited to 255 characters.

tunnel [<Debug_Level>]

This command:

  1. Rotates the $FWDIR/log/vpnd.elg file

  2. Truncates the $FWDIR/log/ike.elg file

  3. Starts the VPND daemon debug with these two Debug Topics:

    tunnel

    ikev2

    If the <Debug_Level> is 2, 3, 4, or 5, then also enables this Debug Topic:

    CRLCache

  4. Starts the IKE debug

Return Values

  • 0 (zero) for success

  • any other value for failure (typically, -1 or 1)
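
The start and stop commands, the IKE Monitor warning, and the return values above, combined into a time-boxed capture. This is an added example, not Check Point code: the function names (run_vpn, stop_vpn_debug, vpn_debug_session) and the marker strings are hypothetical, and it assumes an Expert mode shell on the Security Gateway with $FWDIR set.

```bash
# Added example, not Check Point code. Function names and marker strings are
# hypothetical; the "vpn debug" subcommands and file paths are from this page.

# Run one "vpn debug" subcommand; the page documents 0 as the success value.
run_vpn() {
    vpn debug "$@" || { rc=$?; echo "vpn debug $* failed (rc=$rc)" >&2; return "$rc"; }
}

# Stop everything a session may have started. Every stop command is attempted
# even if an earlier one fails; returns non-zero if any of them failed.
stop_vpn_debug() {
    failed=0
    run_vpn say "END CAPTURE" || failed=1
    if [ "$1" = "mon" ]; then
        run_vpn moff || failed=1
        # The page warns that this file may contain user X-Auth passwords,
        # so restrict it to its owner before anyone copies it off the box.
        snoop="$FWDIR/log/ikemonitor.snoop"
        if [ -f "$snoop" ]; then chmod 600 "$snoop" || failed=1; fi
    fi
    run_vpn ikeoff || failed=1
    run_vpn truncoff || failed=1
    return "$failed"
}

# Usage: vpn_debug_session <seconds> [mon]
# Captures at ALL=5 for a fixed time, then always turns the debug off again.
vpn_debug_session() {
    seconds=$1
    with_mon=${2:-}
    case "$seconds" in ''|*[!0-9]*) echo "seconds must be a number" >&2; return 2 ;; esac
    [ -n "$FWDIR" ] || { echo "FWDIR is not set" >&2; return 2; }

    # trunc rotates vpnd.elg, truncates ike.elg, and starts VPND and IKE debug.
    run_vpn trunc ALL=5 || return 1
    # If the operator interrupts the wait, still switch the debug off.
    trap 'stop_vpn_debug "$with_mon"; trap - INT TERM; exit 130' INT TERM
    status=0
    run_vpn say "BEGIN CAPTURE" || status=1
    if [ "$with_mon" = "mon" ]; then run_vpn mon || status=1; fi
    [ "$status" -ne 0 ] || sleep "$seconds"
    stop_vpn_debug "$with_mon" || status=1
    trap - INT TERM
    return "$status"
}
```

Source the file and run, for example, `vpn_debug_session 120 mon` while reproducing the issue; the BEGIN/END markers delimit the relevant part of vpnd.elg.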