Debugging VPN

In the R81.10.X releases, this command is available starting from the R81.10.00 version.

Description

Instructs the VPN daemon vpnd to write debug messages to the applicable log files.

Debugging of the VPN daemon takes place according to Debug Topics and Debug Levels:

  • A Debug Topic is a specific area, on which to perform debugging.

    For example, if the Debug Topic is "LDAP", all traffic between the VPN daemon and the LDAP server is written to the log file.

    Check Point Support provides the specific Debug Topics when needed.

  • Debug Levels range from 1 (least informative) to 5 (most informative - write all debug messages).

Important - For the complete VPN debug procedure, follow sk62482.

Syntax

vpn debug

      on [<Debug_Topic>=<Debug_Level>]

      off

      ikeon [-s <Size_in_MB>]

      ikeoff

      trunc [<Debug_Topic>=<Debug_Level>]

      truncon [<Debug_Topic>=<Debug_Level>]

      truncoff

      timeon [<Seconds>]

      timeoff

      ikefail [-s <Size_in_MB>]

      mon

      moff

      say ["String"]

      tunnel [<Debug_Level>]

Parameters

Parameter

Description

No Parameters

Shows the built-in usage.

on

Starts only the VPND daemon debug (a high level debug).

The VPND daemon debug writes the information in these files:

  • In versions R81.10.10 and higher:

    $FWDIR/log/iked.elg*

  • In versions R81.10.00 - R81.10.08:

    $FWDIR/log/sfwd.elg*

<Debug_Topic>=<Debug_Level>

Specifies the Debug Topic and the Debug Level.

Check Point Support provides these.

Best Practice - Run this command to start the VPND daemon debug and the IKE debug:

vpn debug trunc ALL=5

off

Stops the VPND daemon debug and the IKE debug.

Best Practice - Run one of these commands to stop the VPND daemon debug and the IKE debug:

vpn debug off

vpn debug truncoff

ikeon [-s <Size_in_MB>]

Starts only the IKE debug.

The IKE debug writes the information in these files:

  • In versions R81.10.10 and higher:

    $FWDIR/log/ike.elg*

    $FWDIR/log/ikev2.xmll*

  • In versions R81.10.00 - R81.10.08:

    $FWDIR/log/legacy_ike.elg*

    $FWDIR/log/legacy_ikev2.xmll*

You can specify the size of the log file at which to perform the log rotation (close the current active file, rename it, and open a new active file).

ikeoff

Stops only the IKE debug.

Run this command to stop the IKE debug:

vpn debug ikeoff

trunc

or

truncon

  • In versions R81.10.10 and higher, this command:

    1. Rotates these log files:
      $FWDIR/log/ike.elg

      $FWDIR/log/iked.elg

      $FWDIR/log/ikev2.xmll

    2. Starts the VPND daemon debug

    3. Starts the IKE debug

  • In versions R81.10.00 - R81.10.08, this command:

    1. Rotates this log file:
      $FWDIR/log/sfwd.elg

    2. Truncates these log files:

      $FWDIR/log/legacy_ike.elg

      $FWDIR/log/legacy_ikev2.xmll

    3. Starts the VPND daemon debug

    4. Starts the IKE debug

Run this command to start the VPND daemon debug and the IKE debug:

vpn debug trunc ALL=5

truncoff

Stops the VPND daemon debug and the IKE debug.

Best Practice - Run one of these commands to stop the VPND daemon debug and the IKE debug:

vpn debug truncoff

vpn debug off

timeon [<Seconds>]

Enables the periodic timestamp in the log files.

Prints one timestamp after the specified number of seconds.

By default, prints the timestamp every 10 seconds.

timeoff

Disables the periodic timestamp in the log files.

ikefail [-s <Size_in_MB>]

Logs failed IKE negotiations.

You can specify the size of the log file (see below) at which to perform the log rotation (close the current active file, rename it, and open a new active file).

  • In versions R81.10.10 and higher:

    $FWDIR/log/ike.elg

  • In versions R81.10.00 - R81.10.08:

    $FWDIR/log/legacy_ike.elg

mon

Enables the IKE Monitor.

Saves the IKE packets in the $FWDIR/log/ikemonitor.snoop file.

Warning - The output file may contain user "X-Auth" passwords. Make sure to protect this file.

moff

Disables the IKE Monitor.

say "String"

Saves the specified text string in the log file (see below).

For example, run: vpn debug say "BEGIN TEST"

  • In versions R81.10.10 and higher:

    $FWDIR/log/iked.elg

  • In versions R81.10.00 - R81.10.08:

    $FWDIR/log/sfwd.elg

Best Practice - Run this command after you start the VPND daemon debug (with one of these commands: "vpn debug on", "vpn debug trunc", or "vpn debug truncon").

Note - The length of the string is limited to 255 characters.

tunnel [<Debug_Level>]

  • In versions R81.10.10 and higher, this command:

    1. Rotates this log file:
      $FWDIR/log/iked.elg

    2. Truncates this log file:

      $FWDIR/log/ike.elg

    3. Starts the VPND daemon debug with these two Debug Topics:

      tunnel

      ikev2

      If the <Debug_Level> is 2, 3, 4, or 5, then also enables this Debug Topic:

      CRLCache

    4. Starts the IKE debug

  • In versions R81.10.00 - R81.10.08, this command:

    1. Rotates this log file:
      $FWDIR/log/sfwd.elg

    2. Truncates this log file:

      $FWDIR/log/legacy_ike.elg

    3. Starts the VPND daemon debug with these two Debug Topics:

      tunnel

      ikev2

      If the <Debug_Level> is 2, 3, 4, or 5, then also enables this Debug Topic:

      CRLCache

    4. Starts the IKE debug