
traceoptions (Security IKE)


Hierarchy Level


Configure IKE tracing options to aid in troubleshooting IKE issues. A standard trace file configuration lets you troubleshoot the negotiation of one or more tunnels. IKE tracing allows you to view the detailed packet exchange and the negotiation information in Phase 1 and Phase 2. IKE tracing is not enabled by default. By default, all IKE or IPsec negotiations are logged to /var/log/kmd, but you can specify a custom filename when configuring the IKE traceoptions.


  • file—Configure the trace file options.

    • filename—Name of the file to receive the output of the tracing operation. Enclose the name within quotation marks. All files are placed in the directory /var/log.

      Default: kmd

    • files number—Maximum number of trace files. When a trace file named trace-file reaches its maximum size, it is renamed to trace-file.0, then trace-file.1, and so on, until the maximum number of trace files is reached. The oldest archived file is overwritten.

      If you specify a maximum number of files, you also must specify a maximum file size with the size option and a filename.

      Range: 2 through 1000 files

      Default: 10 files

    • match regular-expression—Refine the output to include lines that contain the regular expression.

    • size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is renamed trace-file.0. When the trace-file again reaches its maximum size, trace-file.0 is renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme continues until the maximum number of trace files is reached. Then the oldest trace file is overwritten.

      If you specify a maximum file size, you also must specify a maximum number of trace files with the files option and filename.

      Syntax: x k to specify KB, x m to specify MB, or x g to specify GB

      Range: 10 KB through 1 GB

      Default: 1024 KB

    • world-readable | no-world-readable—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

  • level—Specify the log levels.

    • critical—Log single points of failure that need your immediate attention

    • error—Log fatal application errors

    • terse—Log syslog messages

    • warning—Log recoverable errors

    • detail—Log all operational information

  • flag—Trace operation to perform. To specify more than one trace operation, include multiple flag statements.

    • all—Trace activity of all iked process modules

    • certificates—Trace certificate-related activity

    • config—Trace configuration download processing

    • database—Trace VPN-related database activity

    • general—Trace general activity

    • high-availability—Trace high-availability operations

    • ike—Trace IKE protocol activity

    • next-hop-tunnels—Trace next-hop tunnel operations

    • parse—Trace VPN parsing activity

    • policy-manager—Trace iked callback activity

    • routing-socket—Trace routing socket activity

    • thread—Trace thread processing

    • timer—Trace timer activity

    By default, the flag statement is not set. You must explicitly configure the flag statement to perform a trace operation.

  • no-remote-trace—Set remote tracing as disabled.

  • rate-limit messages-per-second—Configure the incoming rate of trace messages.

    Range: 0 through 4,294,967,295

    Default: 0
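
The following audit script is an added example, not Juniper code: it checks the file and flag rules listed above (size and files ranges, their pairing with a filename, world-readable exposure, missing flag) against set-format configuration lines. It assumes the statement appears as `set security ike traceoptions ...`, that sizes are written like `1m`, and that 1 KB is 1024 bytes; the `audit` and `size_bytes` names and both sample configurations are constructed for illustration.

```python
import re

PREFIX = "set security ike traceoptions "
UNITS = {"k": 1024, "m": 1024**2, "g": 1024**3}

def size_bytes(text):
    """Convert '512k', '1m' or '1g' to bytes; None if the syntax is wrong."""
    m = re.fullmatch(r"(\d+)([kmg])", (text or "").lower())
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def audit(config_text):
    """Return findings for the IKE traceoptions lines in a set-format config."""
    opts, flags = {}, []
    for line in map(str.strip, config_text.splitlines()):
        if not line.startswith(PREFIX):
            continue
        kind, *rest = line[len(PREFIX):].split()
        if kind == "flag":
            flags += rest[:1]
        elif kind == "file":
            it = iter(rest)
            for tok in it:
                if tok in ("size", "files", "match"):
                    opts[tok] = next(it, None)      # option followed by its value
                elif tok in ("world-readable", "no-world-readable"):
                    opts["world"] = tok == "world-readable"
                else:
                    opts["filename"] = tok.strip('"')
    findings = []
    if not flags:
        findings.append("no flag statement, so no trace operation is performed")
    if opts.get("world"):
        findings.append("world-readable lets any user read the trace file")
    if ("size" in opts) != ("files" in opts) or ("size" in opts and "filename" not in opts):
        findings.append("size, files and a filename must be set together")
    if "files" in opts and not (str(opts["files"]).isdigit() and 2 <= int(opts["files"]) <= 1000):
        findings.append("files must be 2 through 1000")
    if "size" in opts:
        size = size_bytes(opts["size"])
        if size is None or not 10 * 1024 <= size <= 1024**3:
            findings.append("size must be 10 KB through 1 GB, written x k, x m or x g")
    return findings

# Constructed sample configurations (not taken from a real device).
WEAK = 'set security ike traceoptions file "ike-debug" size 5k files 1 world-readable'
HARDENED = """\
set security ike traceoptions file "ike-debug" size 1m files 5 no-world-readable
set security ike traceoptions flag ike
"""
```

Calling `audit(WEAK)` returns four findings (no flag, world-readable, files range, size range), while `audit(HARDENED)` returns an empty list.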

Required Privilege Level

trace—To view this statement in the configuration.

trace-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

level options introduced in Junos OS Release 21.1R1.