VXLAN over IPsec issue between 2 FortiGate 200G

Forum|Forum|10 months ago
July 28, 2025
1 reply
399 views

Trying to extend a VLAN via VXLAN between two FortiGate 200G units over an IPsec tunnel. ARP and broadcast traffic get through fine, but unicast (ICMP) doesn’t. ARP tables look good, VXLAN UDP (port 4789).

Anyone dealt with a similar setup or have tips to debug?

Want me to tailor it more for Fortinet pros or add some tags to get extra traction?

FortiGate

funkylicious

SuperUser

you can do some check with these commands,

diagnose sys vxlan fdb list <VXLAN_interface>
diagnose sys vxlan fdb stat <VXLAN_interface>
diagnose netlink brctl name host <switch_interface>

doing a sniffer/tcpdump, can you confirm that on the remote FGT ICMP arrives? maybe you need some fw rules to allow traffic if switch policy is set to explicit.

"jack of all trades, master of none"

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded