Use the VPN Diagnostic Report
You can run the VPN Diagnostic Report to see configuration and status information about a gateway and its associated tunnels over a short period of time. This is helpful when you want to troubleshoot a branch office VPN tunnel problem. When you run the VPN Diagnostic Report, the diagnostic log level temporarily increases to the Information level for VPN IKE messages, so that any useful log messages can be captured in the report.
The finished report shows the gateway and tunnel configuration, and information about the status of any active tunnels for the selected gateway. If a problem was found, it can also provide a recommendation about what to try next.
When you run the VPN Diagnostic Report, your Firebox can automatically attempt to correct some types of problems found in the processes that make the VPN function. This does not change the configured VPN settings. If the Firebox attempts to correct a problem, the Conclusion section of the VPN Diagnostic Report indicates that an attempt was made to correct a problem, and might include a recommendation to run the report again or take some other action.
For more information about some of the log messages generated by your Firebox, see the Fireware Log Catalog, available on the WatchGuard Firebox and Dimension documentation page.
Run the VPN Diagnostic Report
You can run the VPN Diagnostic Report from Fireware Web UI or Firebox System Manager. To see the most complete and useful diagnostic messages, run the report while the remote gateway endpoint attempts to initiate the VPN negotiation. For more information, go to Monitor and Troubleshoot BOVPN Tunnels.
Run the Report from Fireware Web UI
From Fireware Web UI, you can run the VPN Diagnostic Report from three locations:
- System Status > VPN Statistics page, Debug tab
Select the gateway to include in the report and the duration to run the report.
- System Status > VPN Statistics page, Branch Office VPN tab
From any gateway or tunnel, you can start the report for the selected gateway.
- System Status > Diagnostics page, VPN tab
Select the gateway to include in the report and the duration to run the report.
For more information about how to run the VPN Diagnostic Report from either tab on the VPN Statistics page, go to Run VPN Statistical Reports.
For more information about how to run the VPN Diagnostic Report from the Diagnostics page, go to Run the VPN Diagnostic Report.
Run the Report from Firebox System Manager
From Firebox System Manager, you can run the VPN Diagnostic Report from two locations:
- Front Panel tab
Select a VPN interface or gateway and right-click it to start the report.
- Diagnostic Tasks dialog box
Select the gateway to include in the report and the duration to run the report.
For more information about how to run the VPN Diagnostic Report from Firebox System Manager, go to Run Diagnostic Tasks to Learn More About Log Messages.
Read the VPN Diagnostic Report
The BOVPN Diagnostic Report includes these sections:
Conclusion
This is the complete report summary and can include information about actions you can take to resolve any issues identified by the report. For each tunnel route, the report shows whether the tunnel route was established, whether traffic was detected after the report started, and error messages related to the tunnel. Some error messages include information about what you can do to correct a problem with the BOVPN tunnel.
Gateway Summary
This is a summary of the gateway configuration and each configured gateway endpoint.
Tunnel Summary
This is a summary of the tunnel configuration for all tunnels that use the selected gateway. This includes both active and inactive tunnels.
Run-time Info (bvpn routes)
This section appears only when you run the diagnostic report for a branch office VPN virtual interface. It includes the static and dynamic routes that use the BOVPN virtual interface and the distance for each route. In Fireware v12.9 or higher, the Distance setting replaces the Metric setting.
Run-time Info (gateway IKE_SA)
The status of the IKE (Phase 1) security association for the gateway.
Run-time Info (tunnel IPSEC_SA)
The status of the IPSec tunnel (Phase 2) security association for active tunnels that use the gateway.
Run-time Info (tunnel IPSec_SP)
The status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the gateway.
Address Pairs in Firewalld
The status of the address pairs for each tunnel. This section does not appear when you run the report for a branch office VPN virtual interface or for a BOVPN on a cloud-managed Firebox.
Policy checker result
The policies that manage inbound and outbound traffic for each tunnel route.
Related Logs
If tunnel negotiation occurs while the Diagnostic Report runs, the tunnel negotiation log messages appear in this section. If the remote device attempts to negotiate or rekey the tunnel while the report runs, the log messages that appear in this section include more informative details.