FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 275063
Description This article describes the case when FortiGate is not displaying any traffic in debug while troubleshooting IPSec tunnel traffic.
Scope FortiOS.

There are some scenarios where debugging the IPSec tunnel traffic between the sites is needed to narrow down the root cause of the issue or to verify what paths or policies is the traffic using for this communication.


When trying to debug this traffic on FortiGate there will be no traffic seen in the debug even after the traffic flow is successful between the sites.


The reason for this behavior is because of FortiGate offloads that IPSEC traffic through NPU.


To debug this traffic, disable the auto-asic offload in the firewall policies associated with the tunnel interface to allow traffic.


config firewall policy

    edit 23 

    sh full | grep auto-asic
        set auto-asic-offload disable --default is enabled 



vpn 3.PNG


Here, policy ID 23 will be from the VPN interface to the LAN. Disable auto-asic in both policies from VPN interface to LAN and LAN interface to VPN interface to see the entire bidirectional flow of the traffic.


vpn 1.PNG