Description | This article describes an issue where, when deploying a new IPsec tunnel between a FortiGate and an Azure Vnet server, the tunnel may not form, or the phase1 SA may flap between the established and connecting states. |
Scope | Forming a tunnel between FortiGate and a Vnet server. |
Solution |
diagnose vpn ike gateway list name <phase1 name>
diagnose sniffer packet any "host <vnet public ip> and esp" 4 0 l
diagnose vpn ike log-filter dst-addr4 <vnet public ip>
diagnose debug application ike -1
diagnose debug enable
Note: if the firewall is running FortiOS 7.4, the filter command has changed to:
diagnose vpn ike log filter rem-addr4 <vnet public ip>
config vpn ipsec phase1-interface
    edit <phase1 name>
        set passive-mode enable
end
|