FortiGate
saleha
Staff
Article Id 295793
Description This article describes a situation where, when deploying a new IPsec tunnel between a FortiGate and an Azure Vnet server, the tunnel may not form, or the phase1 SA may flap between the established and connecting statuses.
Scope Forming a tunnel between FortiGate and a Vnet server.
Solution
  • The first step is to check whether the Security Association is established between the two sides, and whether its status is flapping, by running the CLI command below several times at short intervals:

diagnose vpn ike gateway list name <phase1 name>

 

  • Then check whether ESP packets are being sent and received on the firewall using the sniffer command:

diagnose sniffer packet any "host <vnet public ip> and esp" 4 0 l

 

  • If ESP traffic is seen in both directions, it is assumed that the negotiation itself is what is failing, and the usual comparison of parameters on both sides is the place to start. Otherwise, check the events for this traffic on the FortiGate side using the IKE debug:

diagnose vpn ike log-filter dst-addr4 <vnet public ip>

diagnose debug application ike -1

diagnose debug enable

 

Note: if the firewall is running FortiOS 7.4, the filter command has changed to:

diagnose debug ike log filter rem-addr4

  • A further troubleshooting step is to set the IPsec tunnel to 'passive' mode on the FortiGate side while changing the Vnet server to use the 'initiator only' option instead of the default option:

config vpn ipsec phase1-interface
    edit <phase1 name>
        set passive-mode enable
    next
end

 

  • A key factor to check, assuming both sides already have matching configurations, is to set up the tunnel with the settings Microsoft recommends, which can be found at the following link:

Default IPsec/IKE parameters

 

  • Another possible change is to use the default addresses for the phase2 selectors on both the FortiGate and the Vnet server.
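The two diagnostic checks above (phase1 status flapping and ESP direction) are easy to misread from a few pasted screens of output. The following script, an added example that is not part of this article or of FortiOS, parses captured output offline: the sample output is constructed and only approximates the real layout of the two commands (in particular the 'status:' line and the sniffer's 'in'/'out' field), with 20.1.2.3 standing in for the Vnet public IP and 203.0.113.5 for the FortiGate.

```python
import re
from collections import Counter

# Constructed samples of `diagnose vpn ike gateway list name <phase1 name>`
# captured a few seconds apart; only the 'status:' line is used.
GATEWAY_SAMPLES = [
    "name: azure-vnet\nstatus: established, since 2024-01-01 10:00:00\n",
    "name: azure-vnet\nstatus: connecting, since 2024-01-01 10:00:12\n",
    "name: azure-vnet\nstatus: established, since 2024-01-01 10:00:20\n",
]

# Constructed sample of `diagnose sniffer packet any "host 20.1.2.3 and esp" 4 0 l`
# (20.1.2.3 stands in for the Vnet public IP, 203.0.113.5 for the FortiGate).
SNIFFER_SAMPLE = """\
2024-01-01 10:00:01.000001 port1 out 203.0.113.5 -> 20.1.2.3: ESP(spi=0x0a0b0c0d,seq=0x1)
2024-01-01 10:00:01.000002 port1 out 203.0.113.5 -> 20.1.2.3: ESP(spi=0x0a0b0c0d,seq=0x2)
2024-01-01 10:00:01.000003 port1 in 20.1.2.3 -> 203.0.113.5: ESP(spi=0x01020304,seq=0x1)
"""

STATUS_RE = re.compile(r"^\s*status:\s*(\w+)", re.MULTILINE)
ESP_RE = re.compile(r"\s(in|out)\s+(\S+)\s->\s(\S+):\s+ESP\(")

def phase1_status(output):
    """Return the phase1 SA status word ('established', 'connecting', ...)."""
    m = STATUS_RE.search(output)
    return m.group(1) if m else "absent"

def flap_count(samples):
    """Status changes between consecutive samples; anything above 0 is a flap."""
    statuses = [phase1_status(s) for s in samples]
    return sum(1 for a, b in zip(statuses, statuses[1:]) if a != b)

def esp_directions(sniffer_output, peer):
    """Count ESP packets sent to and received from the peer's public address."""
    counts = Counter()
    for direction, src, dst in ESP_RE.findall(sniffer_output):
        if direction == "out" and dst == peer:
            counts["sent"] += 1
        elif direction == "in" and src == peer:
            counts["received"] += 1
    return dict(counts)

def esp_bidirectional(sniffer_output, peer):
    """True when ESP flows both ways, i.e. the peer is answering our ESP."""
    c = esp_directions(sniffer_output, peer)
    return c.get("sent", 0) > 0 and c.get("received", 0) > 0
```

Run `flap_count(GATEWAY_SAMPLES)` on several captures taken at short intervals; a non-zero result confirms the phase1 SA is flapping, and `esp_bidirectional(...)` tells you which branch of the ESP check above applies.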