Introduction to the Microsoft IPSec Diagnostic Tool

The Microsoft IPSec Diagnostic Tool can help its users troubleshoot IPSec-related issues on a system.  It also captures non-IPSec parameters like system data, network interface, group policy, and Windows services like NAP, firewall, RRAS, Wireless, system events and policies.  On Windows Vista and Windows Server2008, it provides an interface to capture IKE logs.

The tool offers two modes of functionality, Local and Remote Mode:


In local mode, the tool needs to be run on the system under investigation and can also be used for live troubleshooting.  It also collects system information required to diagnose network issues.  IPSec and related information is further parsed and analyzed to arrive at possible triggers of the failure.  All logs and data collected are put into a CAB file.

Remote mode offers failure diagnosis through IPSec logs.  In this mode, the tool parses Oakley (Windows XP, Windows Server 2003), IKE (Windows Vista and above) logs, output of IPSec dump from Netsh and ipseccmd logs.  This mode offers the flexibility to run the tool on a machine other than the one under investigation.  Another input to the tool in this mode is the IP Address of the remote machine to which connectivity fails.

The main difference between Local Mode and Remote Mode is that Local is used for Diagnostic and Remote is used for offline analysis of logs that are collected.  Local Mode works on Windows Vista and above.  Remote Mode works on Oakley, Netsh, ipseccmd and IKE logs (Vista) to diagnose failures.

One of the great features in the log is that it performs ETL tracing for IKE in Windows Vista and Windows Server 2008 and converts the logs to readable format.  This is the equivalent of Oakley logs in Windows XP and Windows Server 2003.  One thing to keep in mind is you don’t only have to use it for troubleshooting IPSec.  It also collects other data as shown below:


If you would like to just gather IKE tracing on Vista and above, wfputil.exe can be launched independently to collect the IKE trace.  To do this:

1. Go to “start->All Programs->Microsoft IPsec Diagnostics 1.0->WFPUtil – Start IKE Trace”.

2. Select Allow when prompted for elevated privileges.  The tool begins to collect a trace; reproduce the failure scenario and press CTRL-Z when done.

3. The collected trace will be placed in a cab file at “<%appdata%>\ipsecurelogs\wfputil<TIME STAMP>\”.

4. The cab file contains wfpdiag.txt along with other traces.

Release Notes:

This version of Microsoft IPSec Diagnostic Tool is tested on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. This tool has not been localized; it is written and tested in English only. Using this tool with a different language version of Microsoft Windows might produce unpredictable results.

  • Event logs in XP/Windows Server 2003 will not be collected sometimes, when the event log size has exceeded a limit.
  • On XP home, systeminfo.txt, Tasklist.txt, gpresult.txt and event files (EventSystem.txt, EventSecurity.txt, EventApplication.txt) will not be created since home doesn’t support the corresponding utilities.
  • Sometimes GPresult might hang – since the tool calls gpresult, it will hang too. Uncheck system information checkbox and continue with diagnosis.
  • The tool might stop and start policyagent service on some XP and Windows Server 2003 machines to enable logging. On completion, the logging is disabled and service is restarted again. In each case, it adds this information to the diagnostic report.
  • On Windows Server 2003 x64 machines, the event logs (EventSystem.txt, EventSecurity.txt, EventApplication.txt) will not be collected.

The tool can be downloaded from the following link.  Once install you can click on the Help button to get more information about the tool.

For information on troubleshooting IPSec, take a look at the following:

– Louis Hardy