request security ike debug-enable

Syntax

Description

Enable IKE tracing on a single VPN tunnel specified by a local and a remote IP address. Use of this command is an alternative to configuring IKE traceoptions; you do not require any configuration to use this command. This command only traces a single tunnel, whereas configuring IKE traceoptions affects all VPN tunnels on the SRX Series Firewalls.

Note:

SRX Series Firewalls and the MX-SPC3 Services Card support this command. MX Series devices with a Multiservices Modular Interfaces Card (MS-MIC) or Multiservices Modular PIC Concentrator (MS-MPC) do not support this command.

To use this command:

  1. Identify the local and remote IP addresses of the VPN tunnel you want to trace.

  2. Enable IKE tracing on the VPN tunnel with this command.

  3. Attempt tunnel establishment to capture trace information to the log file:

    • For SRX Series Firewalls and vSRX Virtual Firewall running the kmd process, the trace information is stored in the /var/log/kmd file.

    • For the MX-SPC3 Services Card, SRX Series Firewalls, and vSRX Virtual Firewall running the iked process (including mixed mode), the trace information is stored in the /var/log/iked file.

    If you have configured trace messages to be saved to a specific file under the [edit security ike traceoptions] hierarchy level, the trace information is stored in that file instead.

  4. Disable per-tunnel IKE tracing with the request security ike debug-disable command.

  5. Review the log file with the following command:

    • For SRX Series Firewalls and vSRX Virtual Firewall running the kmd process, execute show log kmd, or show log with the file name specified under the [edit security ike traceoptions] hierarchy level.

    • For the MX-SPC3 Services Card, SRX Series Firewalls, and vSRX Virtual Firewall running the iked process (including mixed mode), execute show log iked, or show log with the file name specified under the [edit security ike traceoptions] hierarchy level.

You can use the show security ike debug-status command:

  • to view the status of the per-tunnel IKE tracing operation.

  • to view the status of the interchassis link tunnel only.
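The procedure above as a single operational-mode session, added here as an illustration and not taken from the original page. The peer addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders from the documentation address ranges, the device is assumed to run the kmd process with no custom trace file configured, and the lines beginning with # are annotations rather than commands.

```junos
# Steps 1-2: start tracing for one tunnel only, identified by its
# local and remote peer addresses (placeholder values).
user@host> request security ike debug-enable local 192.0.2.1 remote 198.51.100.1

# Confirm that per-tunnel tracing is active for the intended peer pair.
user@host> show security ike debug-status

# Step 3: trigger or wait for a negotiation attempt on this tunnel so
# that the exchange is written to /var/log/kmd.

# Step 4: stop tracing as soon as the attempt has been captured, so
# debug output is not left running on a production gateway.
user@host> request security ike debug-disable

# Step 5: review the trace. The match filter keeps only lines that
# mention the remote peer (assumes the peer address appears in the
# trace lines of interest). On a device running iked, use
# "show log iked" instead.
user@host> show log kmd | match 198.51.100.1
```

Running show security ike debug-status again after debug-disable verifies that tracing has stopped.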

Options

  • local local-ip-address—The address of the local VPN peer.

  • remote remote-ip-address—The address of the remote VPN peer.

Required Privilege Level

maintenance

Release Information

Command introduced in Junos OS Release 11.4R3.