01-01-2025 04:08 AM
In PAN-OS 11.1 (running on VM-Series in AWS) I could do `debug ike global on dump` to get some [DEBG] and [DUMP] messages in `ikemgr.log` from which I could get the SK_ei and SK_er keys that allow me to decode the IKEv2 messages in a pcap using Wireshark.
In PAN-OS 11.2.3-h3, it seems that many log messages that used to be logged are no longer logged.
In fact, I don't see any log messages (neither [DEBG] nor [INFO] nor any other level). I still see lots of [DUMP] messages but I cannot make sense of them without the [DEBG] context.
Is there any way to get the ikemgr [DEBG] messages back?
Is there some other (easier) way to extract the SK_ei and SK_er keys from a running VM-Series firewall?
Here is the output of `less mp-log ikemgr.log` in PAN-OS 11.1. Note that there are many [DEBG] messages, [INFO] messages, and also messages without any severity label:
```text
2024-12-31 00:35:58.900 -0800 IKE FSM thread: 19877: starting up...
2024-12-31 00:35:58.901 -0800 [INFO]: reading config /etc/vpn/ikemgr.conf
2024-12-31 00:35:58.901 -0800 2024-12-31 00:35:58.901 -0800 IKE sched thread: 19878: starting up... rcf_read start...
2024-12-31 00:35:58.901 -0800 rcf_fix_remote: start...
2024-12-31 00:35:58.901 -0800 rcf_fix_remote: alloc 0 end...
2024-12-31 00:35:58.901 -0800 rcf_fix_selector: start...
2024-12-31 00:35:58.901 -0800 rcf_fix_selector: total 0 end...
2024-12-31 00:35:58.901 -0800 init KA tree
2024-12-31 00:35:58.901 -0800 [INFO]: ++++++++++++++++++++++++++++++++++++++++++++++ IKE DAEMON START on Tue Dec 31 00:35:58 2024 ++++++++++++++++++++++++++++++++++++++++++++++
2024-12-31 00:35:58.905 -0800 mp_or_dp 0
2024-12-31 00:35:58.905 -0800 sysd worker[0]: 7f1fa13b7700: starting up...
2024-12-31 00:35:58.905 -0800 sysd worker[1]: 7f1fa0fb6700: starting up...
2024-12-31 00:35:58.905 -0800 waiting to be connected to sysd...
runtime error File write for /tmp/.bv5C8g refused
runtime error xsltApplyStylesheet: forbidden to save to /tmp/.bv5C8g
2024-12-31 00:36:00.904 -0800 Sysd Event: SUCCESS
2024-12-31 00:36:00.905 -0800 connected to sysd...
2024-12-31 00:36:00.912 -0800 Error: pan_dnsproxy_fqdn_sysd_notify_status_cb(pan_dnsproxy_fqdn.c:1515): notify obj sw.dnsproxyd.fqdn-api.iked.status, event update unhandled!
2024-12-31 00:36:00.913 -0800 [INFO]: Memory monitoring disabled
2024-12-31 00:36:00.914 -0800 [INFO]: load 0 certs to cert cache.
2024-12-31 00:36:00.914 -0800 succeed to initialize xslt security preference
2024-12-31 00:36:00.914 -0800 waiting to get last committed configuration
2024-12-31 00:36:01.082 -0800 debug: sysd_msg_send(daemon/panike_sysd_if.c:2646): iked sysd msg enqueue: ike_debug_handler
2024-12-31 00:36:01.502 -0800 last committed configuration available
2024-12-31 00:36:01.502 -0800 ikemgr: panike_daemon phase 1 started, config size 9754
2024-12-31 00:36:01.503 -0800 ikemgr: panike_daemon phase 1 step 2 finished
2024-12-31 00:36:01.509 -0800 ikemgr: panike_daemon phase 1 step 4 finished
2024-12-31 00:36:01.509 -0800 pan IKE cfg phase-1 triggered.
2024-12-31 00:36:01.509 -0800 config file is changed
2024-12-31 00:36:01.509 -0800 [INFO]: loading new config from /tmp/.bv5C8g
2024-12-31 00:36:01.509 -0800 rcf_read start...
2024-12-31 00:36:01.509 -0800 [DEBG]: 'TLSv1.3_Default' doesn't meet IKE CA cert requirement, skipped.
2024-12-31 00:36:01.509 -0800 rcf_fix_...skipping...
2024-12-31 00:36:47.340 -0800 [DEBG]: { 1: }: key:
2024-12-31 00:36:47.340 -0800 [DUMP]: 662e0f05 85f10cd8 935c6dc1 f544a087
2024-12-31 00:36:47.340 -0800 [DEBG]: { 1: }: iv:
2024-12-31 00:36:47.340 -0800 [DUMP]: ab34b4b0 6327a4c5 266d6a55 d7db3be6
2024-12-31 00:36:47.340 -0800 [DUMP]: { 1: }: result 0x7f1f9c006cd0
2024-12-31 00:36:47.340 -0800 [DUMP]: { 1: }: result 0x7f1f9c006210
2024-12-31 00:36:47.340 -0800 [DUMP]: { 1: }: ikev2_transmit(0x7f1f9c0030e0, 0x7f1f9c006210) len 300, child id 0
2024-12-31 00:36:47.340 -0800 [DUMP]: { 1: }: transmit 0x7f1f9c003290
2024-12-31 00:36:47.340 -0800 [DEBG]: 10.0.2.11[500] - 10.0.2.22[500]:(nil) 1 times of 300 bytes message will be sent over socket 1024
2024-12-31 00:36:47.340 -0800 [DUMP]: cdc36493 02dab4b0 b093ea9a 3755412d 2e202308 00000001 0000012c 23000110 ab34b4b0 6327a4c5 266d6a55 d7db3be6 665f2996 d7f850a8 ed046d24 b0912bc5 558d2736 4b2019e2 baa02bf6 ea074886 5bfeece6 076d8600 1d45f9af 901e86b2 0d2540ed 162c5c9e f7980387 d4e30366 8ede3050 53c9e8ae 07a69396 2c3f6e86 53256076 94b24dee d1c07d1d bb95a6c7 8f13662b f73786db ee1910be 4de3e715 dad40992 0edfb60f 480c3d1e b04494d0 c1ec2a28 b660badb 46134df9 12ac60a9 a0e301bb f7487d1c 39f4b69b 0c8c159a 3f48f99a 759faef3 28dcf587 a401aedb aa79eec2 1a763aec abe9dd52 241a12d3 175e1474 e319423a 953ddac7 984454dd 4c6e3f00 943af33e 849c1672 a56ae311 ce267b3d 588b70cf 5d386188 efffa10d abf48a40 cbc6839b 71861963
2024-12-31 00:36:47.340 -0800 [DUMP]: { 1: 1}: child_sa 0x7f1f9c024f10 state GETSPI_DONE -> WAIT_RESPONSE [1] parent 0x7f1f9c0030e0(INI_IKE_AUTH_SENT) func ikev2_child_state_set, caller ikev2_child_state_next
2024-12-31 00:36:47.343 -0800 [DEBG]: processing isakmp packet
2024-12-31 00:36:47.343 -0800 [DEBG]: ===
2024-12-31 00:36:47.343 -0800 [DEBG]: 204 bytes message received from 10.0.2.22
2024-12-31 00:36:47.343 -0800 [DUMP]: cdc36493 02dab4b0 b093ea9a 3755412d 2e202320 00000001 000000cc 240000b0 851d3157 26dd54a7 71ea42e4 b01dce50 87c21969 7edd98dc 8a5ec9f7 69ecf92b ff130886 2e1a561d 30a50df6 0639d0e2 53d362d2 02707e38 31c80834 ea398aab 2d233245 600fcfaf efe67d40 8fca9ab0 be65caab ab502ff9 da64eeb2 78e255d8 477e6d6d 23c67192 3fd4ccc2 ebf1d686 b168d245 2b1f1c1a dfb3e3d8 5c44967e 076a9b44 4176d4bb ccf6b123 b6f94387 8a6135b1 82d2dc1a 96a052bb e7aa963f da39af59 df4c40c1 3c30e592
2024-12-31 00:36:47.343 -0800 [DUMP]: ikev2_input(0x564a0a977b00, 0x564a0a70a160, 0x564a0a70aa40)
2024-12-31 00:36:47.343 -0800 [DUMP]: ikev2_check_payloads(0x564a0a977b00, 1)
2024-12-31 00:36:47.343 -0800 [DUMP]: offset 0x1c type 46 (ENCRYPTED) len 176
2024-12-31 00:36:47.343 -0800 [DUMP]: processing message version 2.000, message_id 1 Recv Response
...skipping...
2024-12-31 00:36:47.343 -0800 [DEBG]: { 1: }: key:
2024-12-31 00:36:47.343 -0800 [DUMP]: 86aa478b c78b19c3 56ebb063 8dae6d1a
2024-12-31 00:36:47.343 -0800 [DEBG]: { 1: }: iv:
2024-12-31 00:36:47.343 -0800 [DUMP]: 851d3157 26dd54a7 71ea42e4 b01dce50
```
Here is the output of `less mp-log ikemgr.log` in PAN-OS 11.2. Note that the [INFO] and [DEBG] lines are gone, and we are left only with [DUMP] lines from which we cannot determine the SK_ei and SK_er values.
```text
2025-01-01 02:33:47.330 -0800 IKE FSM thread: 19512: starting up...
2025-01-01 02:33:47.330 -0800 init KA tree
2025-01-01 02:33:47.334 -0800 mp_or_dp 0
2025-01-01 02:33:47.334 -0800 sysd worker[1]: 7ff1310e3700: starting up...
2025-01-01 02:33:47.334 -0800 sysd worker[0]: 7ff1314e4700: starting up...
runtime error File write for /tmp/.6rtiM7 refused
runtime error xsltApplyStylesheet: forbidden to save to /tmp/.6rtiM7
2025-01-01 02:33:49.341 -0800 Error: pan_dnsproxy_fqdn_sysd_notify_status_cb(pan_dnsproxy_fqdn.c:1515): notify obj sw.dnsproxyd.fqdn-api.iked.status, event update unhandled!
2025-01-01 02:33:49.342 -0800 succeed to initialize xslt security preference
2025-01-01 02:33:50.039 -0800 debug: pan_cryptod_sysd_decr(pan_cryptod_sysd_api.c:483): For encrypted key(len=57):
2025-01-01 02:33:50.039 -0800 debug: pan_cryptod_dump_buf(pan_cryptod_sysd_api.c:767): [xxx] ...
2025-01-01 02:33:50.039 -0800 debug: pan_cryptod_sysd_decr(pan_cryptod_sysd_api.c:534): Retrieved plain text(len=10):
2025-01-01 02:33:50.039 -0800 debug: pan_cryptod_dump_buf(pan_cryptod_sysd_api.c:767): [xxx] ...
2025-01-01 02:33:51.051 -0800 debug: pan_ipsec_sock_bind(pan_dp_ipsec.c:39): Bound DP event socket: 8 on MP IP: 127.131.1.1[40465]
2025-01-01 02:33:51.051 -0800 debug: pan_ipsec_sock_bind(pan_dp_ipsec.c:41): Ready to receive events from DP
2025-01-01 02:33:51.052 -0800 Config agent for ikemgr is enabled
2025-01-01 02:34:00.830 -0800 [DUMP]: cc8aff97 696c9883 888d96e3 506ff63b 129eeff4 cbe42214 6d95daf0 d0ba1dff af32646b d832225a 87e172d4 bde28485
2025-01-01 02:34:00.830 -0800 [DUMP]: b1059a1b eb3bdad3 941cfedc 1ca37017 ba2ad4ad c31e9de5 59c4fef9 f188d4b0 d0d4b993 c3779a95 2acc1944 3d3973d0 125e5467 58420800 26362089 92bf6167 c73e3e9e 693a6979 5868685f d5556f40 a5345ff3 b59188a1 1ea118cf 997410e5
2025-01-01 02:34:00.831 -0800 [DUMP]: ad73846f a3f9454b 00000000 00000000 21202208 00000000 000000f9 22000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 02000007 03000008 0300000e 03000008 04000014 00000008 06000438 28000068 00140000 b1059a1b eb3bdad3 941cfedc 1ca37017 ba2ad4ad c31e9de5 59c4fef9 f188d4b0 d0d4b993 c3779a95 2acc1944 3d3973d0 125e5467 58420800 26362089 92bf6167 c73e3e9e 693a6979 5868685f d5556f40 a5345ff3 b59188a1 1ea118cf 997410e5 29000024 5bdaf4dd 6f7e276c d9c0e1f2 878cdbc2 6aec86e1 a456428b 3073b9bb 8238eee2 29000009 00004036 00290000 08000040 2e000000 080000a0 02
2025-01-01 02:34:00.838 -0800 [DUMP]: ad73846f a3f9454b 8b490a7b 91ea286c 21202220 00000000 000000f9 22000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 02000007 03000008 0300000e 03000008 04000014 00000008 06000438 28000068 00140000 88103c3b bde17c31 b9f3572f 6ad15c95 f6efd532 2b0b2286 17a739aa 3525276c ba22bb86 61618e22 e833f1cc 64ba4cf0 41b46c2b 84a76eff 26cbc99b 2aebe573 552a3063 d616bcc8 9b290b7b 14c931da c84c4668 b32066a9 81e4babd ffe50dac 29000024 2c6ad552 1a28cd8e 39a14225 eccc066f b9d1e837 7627bbda 1ab593ce 2ea1c5cf 29000008 0000402e 29000008 0000a002 00000009 00004036 00
```
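As an added example (not from the post or from Palo Alto Networks), the script below parses the PAN-OS 11.1 style `ikemgr.log` excerpt quoted in the question: it pairs each `[DEBG] key:` / `iv:` announcement with the `[DUMP]` hex that follows, finds the full IKE message whose Encrypted payload begins with that IV, and uses the header's Initiator flag to label the key SK_ei or SK_er under its SPI pair. It assumes one log entry per line and that the message's first payload is ENCRYPTED (type 46); the sample lines are an excerpt constructed from the post's own log.

```python
import re

# Excerpt constructed from the 11.1 ikemgr.log in the post (ciphertext after the IV truncated).
SAMPLE_LOG = """\
2024-12-31 00:36:47.340 -0800 [DEBG]: { 1: }: key:
2024-12-31 00:36:47.340 -0800 [DUMP]: 662e0f05 85f10cd8 935c6dc1 f544a087
2024-12-31 00:36:47.340 -0800 [DEBG]: { 1: }: iv:
2024-12-31 00:36:47.340 -0800 [DUMP]: ab34b4b0 6327a4c5 266d6a55 d7db3be6
2024-12-31 00:36:47.340 -0800 [DUMP]: { 1: }: result 0x7f1f9c006cd0
2024-12-31 00:36:47.340 -0800 [DUMP]: cdc36493 02dab4b0 b093ea9a 3755412d 2e202308 00000001 0000012c 23000110 ab34b4b0 6327a4c5 266d6a55 d7db3be6 665f2996 d7f850a8
2024-12-31 00:36:47.343 -0800 [DUMP]: cdc36493 02dab4b0 b093ea9a 3755412d 2e202320 00000001 000000cc 240000b0 851d3157 26dd54a7 71ea42e4 b01dce50 87c21969 7edd98dc
2024-12-31 00:36:47.343 -0800 [DEBG]: { 1: }: key:
2024-12-31 00:36:47.343 -0800 [DUMP]: 86aa478b c78b19c3 56ebb063 8dae6d1a
2024-12-31 00:36:47.343 -0800 [DEBG]: { 1: }: iv:
2024-12-31 00:36:47.343 -0800 [DUMP]: 851d3157 26dd54a7 71ea42e4 b01dce50
"""

DEBG_RE = re.compile(r"\[DEBG\]: \{ \d+: \}: (key|iv):$")
DUMP_RE = re.compile(r"\[DUMP\]: ([0-9a-f]{2,8}(?: [0-9a-f]{2,8})*)$")
ENCRYPTED = 0x2e   # payload type 46, printed as "ENCRYPTED" in the log

def extract_sk(log):
    """Map (initiator SPI, responder SPI) -> {"SK_ei": hex, "SK_er": hex}."""
    label, cur_key, pairs, messages = None, None, [], []
    for line in log.splitlines():
        m = DEBG_RE.search(line.rstrip())
        if m:                    # "[DEBG]: key:" / "iv:" announces the next [DUMP] line
            label = m.group(1)
            continue
        m = DUMP_RE.search(line.rstrip())
        if m:
            hexstr = m.group(1).replace(" ", "")
            if label == "key":
                cur_key = hexstr
            elif label == "iv" and cur_key:
                pairs.append((cur_key, hexstr))
                cur_key = None
            elif len(hexstr) > 64:   # a full message: IKE header, payload header, IV, ...
                messages.append(hexstr)
        label = None
    result = {}
    for key, iv in pairs:
        for msg in messages:
            # 28-byte IKEv2 header (56 hex) + 4-byte Encrypted payload header: IV at offset 64.
            if int(msg[32:34], 16) != ENCRYPTED or msg[64:64 + len(iv)] != iv:
                continue
            flags, spis = int(msg[38:40], 16), (msg[0:16], msg[16:32])
            # RFC 7296: initiator-sent messages (I flag, 0x08) use SK_ei, responder's use SK_er.
            result.setdefault(spis, {})["SK_ei" if flags & 0x08 else "SK_er"] = key
            break
    return result
```

Running it on the sample yields one SPI pair with both keys, which is exactly what a Wireshark IKEv2 decryption entry needs alongside the cipher negotiated in the SA payload.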
01-04-2025 02:27 AM
In PAN-OS 11.1 all messages were logged in file ikemgr.log.
In PAN-OS 11.2 most messages (including [DEBG] and [INFO] messages) are logged to a different file, namely ikemgr-ng.log. However, [DUMP] messages are still written to the old file ikemgr.log.
See the following discussion for more details on the implications of this on determining SK_ei and SK_er from the logs: