Last updated on: June 14 2024.

Enable IPsec Debug

This page describes how to turn on more verbose log debugging. Verbose logs are the easiest way to find ISAKMP negotiation issues. Debug logging will not decode data plane (ESP) packets and so will not help with problems related to user packets in and out of the tunnel.

Debug is sent to:

  • /var/log/ipsec.log

  • /var/log/racoon.log (IKEv1 only)

  • /var/log/tmm*

  • /var/log/tmipsecd

The ipsec.log and the racoon.log are the immediately useful locations.

TL;DR

“debug2” level logging is required for IPsec negotiation troubleshooting. Key logging can be enabled after debug2 mode is enabled. Enabling debug2 mode can cause system problems when the CPU is already under pressure.

Caution!

Debug logging causes heavy disk writes, which add CPU load. For a handful of tunnels the impact is small. For deployments with 30 to 50 IPsec policies in use, administrators should confirm that existing CPU load is under 70% before enabling debug2 logging; pushing the CPU over 80% can cause limited data plane interruptions.

Deployments with more than 50 IPsec policies in use may experience system instability. The logs also become extremely hard to parse because of the message volume and the much faster log rotation. With a high tunnel count it is better to use tcpdump to capture packets.

Enable Debug Mode

There are various debug levels for IPsec logs. Levels under debug2 are rarely useful, so by default F5 recommends enabling debug2 for troubleshooting. After troubleshooting, the log level should be returned to the default “info” level.

To enable debug2, run: tmsh modify net ipsec ike-daemon ikedamon log-level debug2

To verify the current setting, run tmsh list net ipsec ike-daemon ikedamon log-level, which shows:

net ipsec ike-daemon /Common/ikedamon {
    log-level debug2
}

To return to the default log level, run: tmsh modify net ipsec ike-daemon ikedamon log-level info

Note: changing the log level used to restart the tunnels; this is no longer the case in current software versions.

Enable Key Logging

Decrypting the ISAKMP payloads in a packet capture requires the negotiated keys, so key logging must be enabled before the capture is taken.

The log level must already be set to debug2 (see above); at lower levels the key information is not written to the log.

Run the following commands:

tmsh modify sys db ipsec.debug.logkeys value 1

tmsh modify sys db ipsec.debug.logsk value 1

tmsh modify sys db ipsec.debug.pfkey.msg value 1

To verify, run tmsh list sys db ipsec.debug.logkeys (and likewise for the other two keys); each shows value "1":

sys db ipsec.debug.logkeys {
   value "1"
}
sys db ipsec.debug.logsk {
   value "1"
}
sys db ipsec.debug.pfkey.msg {
   value "1"
}

Versions prior to 17.1 do not have ipsec.debug.pfkey.msg, so on earlier software that key cannot be, and does not need to be, enabled.

To use these keys, refer to the Find IPsec Keys and Apply to Wireshark page.
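The following script is an added example, not F5's own tooling, that wraps the Enable Debug Mode and Enable Key Logging procedures above together with the CPU and policy-count guard from the Caution section. It assumes the ike-daemon object and db key names as spelled on this page, counts policies from the output of tmsh list net ipsec ipsec-policy, samples CPU from /proc/stat, and treats a failing tmsh modify of ipsec.debug.pfkey.msg as "not on this version"; all of those are assumptions, not statements from the page. The parsing and guard functions take their input as arguments or on stdin, so they can be exercised off-box.

```shell
#!/bin/sh
# Added example (not F5's code): enable/disable/status for IPsec debug2 and
# key logging, with the CPU / policy-count guard described on this page.
# Assumptions (not from the page): object name, db keys, policy-count
# command, /proc/stat sampling and the "modify fails => key absent" check.

TMSH="${TMSH:-tmsh}"
IKE_DAEMON="ikedamon"
KEY_DBS="ipsec.debug.logkeys ipsec.debug.logsk ipsec.debug.pfkey.msg"

# cpu_busy_pct LINE1 LINE2: percent non-idle time between two "cpu ..." lines
# from /proc/stat (fields: user nice system idle iowait irq softirq steal).
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { tot = 0; for (i = 2; i <= 9 && i <= NF; i++) tot += $i
          idle = $5 + $6
          if (NR == 1) { t1 = tot; i1 = idle } else { t2 = tot; i2 = idle } }
        END { dt = t2 - t1; if (dt <= 0) { print 0; exit }
              printf "%d\n", 100 * (dt - (i2 - i1)) / dt }'
}

# debug_guard CPU_PCT POLICY_COUNT: thresholds from the Caution section.
# Prints ok | warn | refuse; returns 1 on refuse.
debug_guard() {
    cpu=$1; n=$2
    if [ "$n" -gt 50 ]; then
        echo "refuse: $n IPsec policies; debug2 risks instability, use tcpdump instead" >&2
        echo refuse; return 1
    fi
    if [ "$n" -ge 30 ] && [ "$cpu" -ge 70 ]; then
        echo "refuse: $n policies at ${cpu}% CPU; wait for CPU below 70% first" >&2
        echo refuse; return 1
    fi
    if [ "$cpu" -ge 70 ]; then echo warn; else echo ok; fi
    return 0
}

# current_log_level: parse "tmsh list net ipsec ike-daemon ... log-level" on stdin.
current_log_level() { awk '$1 == "log-level" { print $2 }'; }

# db_value: parse "tmsh list sys db <key>" on stdin, print the value unquoted.
db_value() { awk '$1 == "value" { gsub(/"/, "", $2); print $2 }'; }

# sample_cpu: busy percent over a one-second window on this box.
sample_cpu() {
    a=$(head -n 1 /proc/stat); sleep 1; b=$(head -n 1 /proc/stat)
    cpu_busy_pct "$a" "$b"
}

# policy_count: number of configured IPsec policies (assumed output format).
policy_count() {
    "$TMSH" list net ipsec ipsec-policy | grep -c '^net ipsec ipsec-policy' || true
}

usage() { echo "usage: $0 enable|disable|status" >&2; }

main() {
    case "$1" in
    enable)
        cpu=$(sample_cpu); n=$(policy_count)
        verdict=$(debug_guard "$cpu" "$n") || exit 1
        echo "cpu=${cpu}% policies=$n guard=$verdict"
        "$TMSH" modify net ipsec ike-daemon "$IKE_DAEMON" log-level debug2
        for k in $KEY_DBS; do   # key logging only has effect at debug2
            "$TMSH" modify sys db "$k" value 1 2>/dev/null \
                || echo "skipping $k (not present on this version)" >&2
        done ;;
    disable)
        for k in $KEY_DBS; do "$TMSH" modify sys db "$k" value 0 2>/dev/null || true; done
        "$TMSH" modify net ipsec ike-daemon "$IKE_DAEMON" log-level info ;;
    status)
        echo "log-level: $("$TMSH" list net ipsec ike-daemon "$IKE_DAEMON" log-level | current_log_level)"
        for k in $KEY_DBS; do
            echo "$k: $("$TMSH" list sys db "$k" 2>/dev/null | db_value)"
        done ;;
    *) usage ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on the BIG-IP as ./ipsec-debug.sh enable before the capture and ./ipsec-debug.sh disable once troubleshooting is finished, so the log level goes back to info and the key db variables are cleared; status shows what is currently set.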
