The VPN Diagnostic Report contains information that can help you troubleshoot VPN connectivity and routing issues. You can run this report while you send traffic through the tunnel to identify VPN issues. For some types of issues, the report contains information about how to resolve the issue.
Run a VPN Diagnostic Report
You can run the VPN diagnostic report from WatchGuard Cloud or from Fireware Web UI. For information about how to run this report from Fireware Web UI, see Run a VPN Diagnostic Report on a Cloud-Managed Firebox.
To run the VPN Diagnostic Report, from WatchGuard Cloud:
- Select Monitor > Devices.
- Select a Firebox.
The Device Summary page for the selected Firebox opens.
- Select Live Status > VPN.
The VPN page opens.
- Click the name of the VPN you want to troubleshoot.
The Branch Office VPN details page opens.
- To run the VPN diagnostic report, click Debug.
- Review the content of the report as described in the next section.
VPN Diagnostic Report Details
The VPN Diagnostic Report includes information about the VPN configuration and the status of any active tunnels for the selected gateway.
The VPN Diagnostic Report includes these sections:
This is the complete report summary and can include information about actions you can take to resolve any issues identified by the report. For each tunnel route, the report shows whether the tunnel route was established, whether traffic was detected after the report started, and error messages related to the tunnel. Some error messages include information about what you can do to correct a problem with the VPN tunnel.
This is a summary of the gateway configuration and each configured gateway endpoint.
This is a summary of the tunnel configuration for all tunnels that use the selected gateway. This includes both active and inactive tunnels.
Run-time Info (bvpn routes)
This section appears only when you run the diagnostic report for a branch office VPN virtual interface. It includes the static and dynamic routes that use the BOVPN virtual interface and the metric for each route.
Run-time Info (gateway IKE_SA)
The status of the IKE (Phase 1) security association for the gateway.
Run-time Info (tunnel IPSEC_SA)
The status of the IPSec tunnel (Phase 2) security association for active tunnels that use the gateway.
Run-time Info (tunnel IPSec_SP)
The status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the gateway.
Address Pairs in Firewalld
The status of the address pairs for each tunnel. This section does not appear when you run the report for a branch office VPN virtual interface or for a BOVPN on a cloud-managed Firebox.
Policy checker result
The policies that manage inbound and outbound traffic for each tunnel route.
If tunnel negotiation occurs while the Diagnostic Report runs, the tunnel negotiation log messages appear in this section. If the remote device attempts to negotiate or rekey the tunnel while the report runs, the log messages that appear in this section include more informative details.