Jirka1
Explorer II
September 21, 2022
Question

FortiGate & SNMP IPsec traffic

  • September 21, 2022
  • 4 replies
  • 9138 views

Hi,

we use FortiGate at a lot of customers and monitor everything using PRTG Network Monitor (latest version 22.3.79.2108).
I found out today that if I monitor traffic in IPsec site2site tunnels I get strange results.

 

Here is a concrete example.

FortiGate 100F (6.4.9). There is one IPsec tunnel on the WAN interface to the central FortiGate 200F (6.4.10). All traffic is routed to the IPsec tunnel, nothing passes to the internet directly through the WAN.

 

This graph is from the WAN interface:

[image: wan.png]

and this graph is from an IPsec tunnel:

[image: ipsec.png]

 

As you can see there is a huge difference.


But I am unable to determine when this monitoring problem started. I tried deleting and recreating the problematic sensors but that didn't fix the problem. I also tried using SNMPv3 instead of SNMPv2 and also no luck.

I always considered IPsec tunnels as a classic interface (and that's how the PRTG program also approached it) and it always worked.

 

Has anyone encountered a similar problem? Other interfaces (physical, VLANs or SSL) are displayed correctly via SNMP.

 

And I also registered that if I view the IPsec tunnel widget on FGT, I only see one direction.

[image: widget.png]

 

Thank you.

Jirka

4 replies

Jirka1 (Author)
Explorer II
September 23, 2022

nobody?

gfleming
Staff
September 24, 2022

What OID are you using to get the data for that IPSec interface?

Jirka1 (Author)
Explorer II
September 27, 2022

Hi Graham,

I don't know which OIDs are used.

I always selected the "SNMP Traffic" template in PRTG, scanned the FortiGate and it showed me all available interfaces for monitoring, incl. IPsec tunnels, VLAN and SSL interfaces. There was never a problem with it.

It looks like this:

[image: interface.png]

All this still works now, with the difference that the data read using SNMP does not correspond to the real load of the IPsec interface.

Can you provide me with a valid OID for traffic and unicast packet monitoring for the IPsec interface? I would try adding it manually.

 

Edit: I found one historic BUG in version 6.2.x:

[image: bug.png]

Could this not also be the case?

 

Thanks
Jirka

Jirka1 (Author)
Explorer II
September 27, 2022

Graham,

so the problem is the NPU offload. Once I disable it on the IPsec Phase1 interface:

 

set npu-offload disable

 

both the SNMP graph and the GUI widget display the correct data!

Jirka

Jirka1 (Author)
Explorer II
September 29, 2022

I am forwarding TAC's comments on the existing bug and its workaround:

The particular issue is known, to be more precise the bug ID is [0830252 - IPSec VPN statistics not increasing on device].

It will be fixed in:

1) 6.4.11, expected to be released by the end of October
2) 7.0.7, expected to be released in the middle of October
3) 7.2.3, expected to be released in the middle of November

As a workaround, I would recommend unsetting "per-session-accounting" and configuring the following:

config system np6xlite
    edit "np6xlite_0"
        set ipsec-STS-timeout 1
    next
end

Jirka
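A sanity check for the symptom described in this thread (tunnel interface counters that stop tracking the real load while the underlying WAN interface still does), added here as an example and not part of any post or of FortiOS. It parses two snmpwalk-style polls of IF-MIB, computes per-interface byte rates with 64-bit counter wrap handling, and flags a tunnel whose rate is far below the WAN interface that carries all of its traffic; the interface names wan1 and to_HQ, the ifIndex values and all counter values are constructed sample data.

```python
import re

# Constructed sample: two snmpwalk-style polls of IF-MIB taken 60 s apart.
# Interface names, ifIndex values and counters are made up for this demo.
POLL_T0 = """\
IF-MIB::ifDescr.3 = STRING: wan1
IF-MIB::ifDescr.12 = STRING: to_HQ
IF-MIB::ifHCInOctets.3 = Counter64: 100000000
IF-MIB::ifHCInOctets.12 = Counter64: 500000
IF-MIB::ifHCOutOctets.3 = Counter64: 200000000
IF-MIB::ifHCOutOctets.12 = Counter64: 700000
"""
POLL_T1 = """\
IF-MIB::ifDescr.3 = STRING: wan1
IF-MIB::ifDescr.12 = STRING: to_HQ
IF-MIB::ifHCInOctets.3 = Counter64: 160000000
IF-MIB::ifHCInOctets.12 = Counter64: 560000
IF-MIB::ifHCOutOctets.3 = Counter64: 230000000
IF-MIB::ifHCOutOctets.12 = Counter64: 700000
"""
INTERVAL_S = 60
LINE = re.compile(r"^IF-MIB::(\w+)\.(\d+) = \w+: (.+)$", re.M)

def parse_walk(text):
    """snmpwalk output -> {ifIndex: {column: value}}; Counter64 columns become ints."""
    table = {}
    for col, idx, val in LINE.findall(text):
        table.setdefault(int(idx), {})[col] = val if col == "ifDescr" else int(val)
    return table

def octet_rates(t0, t1, interval_s):
    """Bytes/s (in + out) per interface name between two polls, with 64-bit wrap handling."""
    rates = {}
    for idx, row in t1.items():
        prev = t0.get(idx)
        if not prev:
            continue
        delta = 0
        for col in ("ifHCInOctets", "ifHCOutOctets"):
            d = row[col] - prev[col]
            if d < 0:  # counter wrapped between polls
                d += 2 ** 64
            delta += d
        rates[row["ifDescr"]] = delta / interval_s
    return rates

def stale_tunnels(rates, wan, tunnels, min_ratio=0.5):
    """Tunnels far below the WAN carrying all their traffic: ESP overhead cannot explain that gap."""
    wan_rate = rates.get(wan, 0.0)
    return [t for t in tunnels if wan_rate > 0 and rates.get(t, 0.0) / wan_rate < min_ratio]
```

With the sample polls the WAN moves 1.5 MB/s while the tunnel reports 1 kB/s, so to_HQ is flagged; after the npu-offload or ipsec-STS-timeout change the two rates should be within ESP overhead of each other.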

Faiza_Emam_Delhi
Visitor III
June 17, 2023

You are experiencing issues with monitoring IPsec traffic on a FortiGate device using PRTG Network Monitor. Specifically, you are seeing different results when monitoring traffic on the WAN interface versus an IPsec tunnel, and you are unable to determine when the issue started.

Here are some steps you can take to troubleshoot this issue:

1. Verify that the SNMP settings on the FortiGate device are configured correctly. Make sure that SNMP is enabled on the device and that the community string is set correctly.

2. Check that the SNMP sensors in PRTG Network Monitor are configured correctly. Make sure that the sensors are using the correct community string and that they are set up to monitor IPsec traffic correctly.

3. Consider using a different SNMP monitoring tool to see if the issue persists. This may help isolate the issue to PRTG Network Monitor or to the FortiGate device.

4. Check the logs on the FortiGate device for any errors or warnings related to SNMP or IPsec traffic. This may give you more information about what is causing the issue.

5. Consider upgrading the firmware on the FortiGate device to the latest version to see if that resolves the issue. Sometimes firmware updates can address compatibility issues with monitoring tools.

By following these steps, you can further isolate the issue and determine the root cause of the problem. If you are still experiencing issues,