

Understanding VPN related logs

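This section provides sample IPsec event logs (type="event", subtype="vpn"), listed roughly in the order a tunnel is negotiated, brought up, and torn down. The samples do not come from one continuous session: the tunnel-down and phase 1 SA deleted entries carry an earlier eventtime and different cookies than the tunnel-up entries, and the statistics entry belongs to a different tunnel. When reading real logs, correlate entries by the cookies, vpntunnel, and remip fields rather than by their position. In the first sample the second half of cookies is all zeros with stage=1; in the next sample it is filled in with stage=2 and result="DONE", which is what a completed phase 1 exchange with the peer looks like. The phase 1 samples show mode="aggressive"; if this appears in your own logs, check whether main mode or IKEv2 can be used instead, since aggressive mode is generally considered the weaker choice when combined with pre-shared keys.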

IPsec phase1 negotiating
logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=11.101.1.1
locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="e41eeecb2c92b337/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="to_HQ" status="success" init="local" mode="aggressive" dir="outbound" stage=1 role="initiator" result="OK"
IPsec phase1 negotiated
logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=11.101.1.1
locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="e41eeecb2c92b337/1230131a28eb4e73" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="to_HQ" status="success" init="local"
mode="aggressive" dir="outbound" stage=2 role="initiator" result="DONE"
IPsec phase1 tunnel up
logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-up" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" tunnelip=N/A tunnelid=1530910918 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0
IPsec phase2 negotiate
logid="0101037129" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action="negotiate" remip=11.101.1.1
locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" status="success" init="local"
mode="quick" dir="outbound" stage=1 role="initiator" result="OK"
IPsec phase2 tunnel up
logid="0101037139" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action="phase2-up"
remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"
phase2_name="to_HQ"
IPsec phase2 sa install
logid="0101037133" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="IPsec SA installed" msg="install IPsec SA" action="install_sa" remip=11.101.1.1 locip=173.1.1.1
remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" role="initiator" in_spi="ca646448" out_spi="747c10c6"
IPsec tunnel statistics
logid="0101037141" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544131118 logdesc="IPsec tunnel statistics" msg="IPsec tunnel statistics" action="tunnel-stats" remip=10.1.100.15 locip=172.16.200.4 remport=500 locport=500 outintf="mgmt1" cookies="3539884dbd8f3567/c32e4c1beca91b36"
user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="L2tpoIPsec_0" tunnelip=10.1.100.15 tunnelid=1530910802 tunneltype="ipsec" duration=6231 sentbyte=57343 rcvdbyte=142640 nextstat=60
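IPsec phase2 tunnel down (note: this sample has action="tunnel-down" and the same logid 0101037138 as the "IPsec phase1 tunnel up" sample, not the phase 2 status-change logid 0101037139 shown above)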
logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-down" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="30820aa390687e39/886e72bf5461fb8d" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" tunnelip=N/A tunnelid=1530910786 tunneltype="ipsec" duration=6425 sentbyte=504 rcvdbyte=152 nextstat=0
IPsec phase1 sa deleted
logid="0101037134" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action="delete_phase1_sa" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="30820aa390687e39/886e72bf5461fb8d" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"


Understanding VPN related logs

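This section provides sample IPsec event logs (type="event", subtype="vpn"), listed roughly in the order a tunnel is negotiated, brought up, and torn down. The samples do not come from one continuous session: the tunnel-down and phase 1 SA deleted entries carry an earlier eventtime and different cookies than the tunnel-up entries, and the statistics entry belongs to a different tunnel. When reading real logs, correlate entries by the cookies, vpntunnel, and remip fields rather than by their position. In the first sample the second half of cookies is all zeros with stage=1; in the next sample it is filled in with stage=2 and result="DONE", which is what a completed phase 1 exchange with the peer looks like. The phase 1 samples show mode="aggressive"; if this appears in your own logs, check whether main mode or IKEv2 can be used instead, since aggressive mode is generally considered the weaker choice when combined with pre-shared keys.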

IPsec phase1 negotiating
logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=11.101.1.1
locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="e41eeecb2c92b337/0000000000000000" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="to_HQ" status="success" init="local" mode="aggressive" dir="outbound" stage=1 role="initiator" result="OK"
IPsec phase1 negotiated
logid="0101037127" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="Progress IPsec phase 1" msg="progress IPsec phase 1" action="negotiate" remip=11.101.1.1
locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="e41eeecb2c92b337/1230131a28eb4e73" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="to_HQ" status="success" init="local"
mode="aggressive" dir="outbound" stage=2 role="initiator" result="DONE"
IPsec phase1 tunnel up
logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-up" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" tunnelip=N/A tunnelid=1530910918 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0
IPsec phase2 negotiate
logid="0101037129" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action="negotiate" remip=11.101.1.1
locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" status="success" init="local"
mode="quick" dir="outbound" stage=1 role="initiator" result="OK"
IPsec phase2 tunnel up
logid="0101037139" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="IPsec phase 2 status changed" msg="IPsec phase 2 status change" action="phase2-up"
remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"
phase2_name="to_HQ"
IPsec phase2 sa install
logid="0101037133" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132604 logdesc="IPsec SA installed" msg="install IPsec SA" action="install_sa" remip=11.101.1.1 locip=173.1.1.1
remport=500 locport=500 outintf="port13" cookies="5b1c59fab2029e43/bf517e686d3943d2" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" role="initiator" in_spi="ca646448" out_spi="747c10c6"
IPsec tunnel statistics
logid="0101037141" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544131118 logdesc="IPsec tunnel statistics" msg="IPsec tunnel statistics" action="tunnel-stats" remip=10.1.100.15 locip=172.16.200.4 remport=500 locport=500 outintf="mgmt1" cookies="3539884dbd8f3567/c32e4c1beca91b36"
user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="L2tpoIPsec_0" tunnelip=10.1.100.15 tunnelid=1530910802 tunneltype="ipsec" duration=6231 sentbyte=57343 rcvdbyte=142640 nextstat=60
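IPsec phase2 tunnel down (note: this sample has action="tunnel-down" and the same logid 0101037138 as the "IPsec phase1 tunnel up" sample, not the phase 2 status-change logid 0101037139 shown above)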
logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-down" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="30820aa390687e39/886e72bf5461fb8d" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ" tunnelip=N/A tunnelid=1530910786 tunneltype="ipsec" duration=6425 sentbyte=504 rcvdbyte=152 nextstat=0
IPsec phase1 sa deleted
logid="0101037134" type="event" subtype="vpn" level="notice" vd="root" eventtime=1544132571 logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action="delete_phase1_sa" remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf="port13" cookies="30820aa390687e39/886e72bf5461fb8d" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=11.11.11.1 vpntunnel="to_HQ"