IPsec Tunnel Will Not Come Up After Power Fail

Forum|Forum|1 year ago
November 25, 2024
3 replies
1668 views

I have a FGT61F running 7.4.3 at the home office and another identical in a remote office. Home office has the static IP. We had a long-term power outage over the weekend and once it was restored the tunnel will not come back up. I have rebooted the FGTs and modems on both ends. In logs I see action-negotiate and stats-success on the home office every 30 seconds and delete_phase1_sa on the remote office. I tried to flush the tunnel from both ends and no luck. Any ideas? We have had power failures in the past and never had this issue.

Thanks for the help.

AEK

SuperUser

Start by checking if the remote gateway is reachable with ping, or with "diag sniffer packet ..." while you try to connect with VPN.

If it is reachable then you can try the below commands for troubleshooting.

diagnose vpn ike log filter ...
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable

A full guide is available here if needed.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-Tunnel/ta-p/195672

Hope it helps.

AEK

dingjerry_FTNT

Staff

Hi @rfs3pa ,

We definitely need IKE debug outputs.

If you have only one IPSec VPN tunnel, you don't have to configure the log filter.

Run the following CLI commands on both peers:

diag debug application ike -1

diag debug enable

You don't need to collect the debug outputs with fnbamd since it is for authentication, not for IKE.

rfs3paAuthor

New Member

Thanks for the help. It's all good now, there was an address set to a static that should not have been, it was really DHCP and it changed when the service came back...