You can use the VPN Diagnostic Report to see configuration and status information about a gateway and its associated tunnels for a period of time. This is helpful if you want to troubleshoot a branch office VPN tunnel problem.
To run the VPN diagnostic report:
The Firebox or XTM device temporarily increases the log level for the selected gateway and collects log messages for the specified duration. The finished report shows the gateway and tunnel configuration, and information about the status of any active tunnels for the selected gateway.
The VPN Diagnostic Report presents information in six sections:
This section shows a summary of the gateway configuration and of each configured gateway endpoint.
This section shows a summary of the tunnel configuration for all tunnels that use the selected gateway. This includes both active and inactive tunnels.
Run-time Info (bvpn routes)
When you run the diagnostic report for a BOVPN virtual interface, this section shows the static and dynamic routes that use the selected BOVPN virtual interface, and the metric for each route.
Run-time Info (gateway IKE_SA)
This section shows information about the status of the IKE (Phase 1) security association for the selected gateway.
Run-time Info (tunnel IPSEC_SA)
This section shows information about the status of the IPSec tunnel (Phase 2) security association for active tunnels that use the selected gateway.
Run-time Info (tunnel IPSec_SP)
This section shows information about the status of the IPSec tunnel (Phase 2) security policy for active tunnels that use the selected gateway.
This section shows tunnel negotiation log messages if a tunnel negotiation occurs during the period in which the diagnostic report runs. The log messages are more informative if the remote device attempts to negotiate or rekey the tunnel while the report runs.
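As an added example (not WatchGuard code or report output), the following Python reads the run-time sections in the order the phases are established, Phase 1 (IKE_SA) before Phase 2 (IPSEC_SA), to decide which part of the report to read next. It assumes the report has already been split into sections; the GATEWAY, TUNNELS and LOGS labels and the one-tunnel-name-per-SA shape are assumptions of this example, and the sample reports are constructed.

```python
"""Triage helper for a WatchGuard VPN Diagnostic Report (added example, not
WatchGuard code). Assumes the report was already split into sections, each a
list of entries. The "Run-time Info (...)" keys are section titles from the
documentation; GATEWAY, TUNNELS and LOGS are labels assumed by this example."""
from typing import Dict, List, Tuple

GATEWAY = "Gateway"                           # assumed label: gateway endpoints
TUNNELS = "Tunnels"                           # assumed label: configured tunnel names
IKE_SA = "Run-time Info (gateway IKE_SA)"     # Phase 1 SA for the gateway
IPSEC_SA = "Run-time Info (tunnel IPSEC_SA)"  # Phase 2 SA per active tunnel
IPSEC_SP = "Run-time Info (tunnel IPSec_SP)"  # Phase 2 policy per active tunnel
LOGS = "Log Messages"                         # assumed label: negotiation log lines

Report = Dict[str, List[str]]

def triage(report: Report) -> Tuple[str, List[str]]:
    """Return (state, tunnels without a Phase 2 SA), reading run-time sections in order.

    Phase 1 must complete before any Phase 2 SA can exist, so an empty IKE_SA
    section means the gateways never agreed and tunnel settings are not yet the
    problem. With an IKE_SA present, a configured tunnel with no IPSEC_SA entry
    is either idle (inactive tunnels are listed too) or failed Phase 2.
    """
    configured = report.get(TUNNELS, [])
    with_sa = set(report.get(IPSEC_SA, []))  # assumed: one tunnel name per SA entry
    if not report.get(IKE_SA):
        return "phase1-down", list(configured)  # nothing can be up without Phase 1
    missing = [t for t in configured if t not in with_sa]
    return ("phase2-missing", missing) if missing else ("established", [])

def negotiation_seen(report: Report) -> bool:
    """True if the log section recorded a negotiation or rekey while the report ran."""
    return any("rekey" in ln.lower() or "negotiat" in ln.lower()
               for ln in report.get(LOGS, []))

# Constructed sample reports (not real Firebox output).
PHASE1_FAILURE: Report = {
    GATEWAY: ["203.0.113.10 <-> 198.51.100.20"], TUNNELS: ["hq-br1", "hq-br2"],
    IKE_SA: [], IPSEC_SA: [], IPSEC_SP: [],
    LOGS: ["ike phase 1 negotiation failed: no proposal chosen"],
}
PARTIAL_PHASE2: Report = {
    GATEWAY: ["203.0.113.10 <-> 198.51.100.20"], TUNNELS: ["hq-br1", "hq-br2"],
    IKE_SA: ["established, lifetime 28800s"], IPSEC_SA: ["hq-br1"], IPSEC_SP: ["hq-br1"],
    LOGS: ["peer initiated rekey for hq-br1"],
}
```

When a tunnel shows up in the "phase2-missing" list, the log messages section decides between an idle tunnel and a failed Phase 2 negotiation, which is why the report is more useful when the remote peer negotiates or rekeys during the run.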
Filter Branch Office VPN Log Messages
Use the BOVPN Configuration Reports