FortiGate
tana
Staff
Article Id 196631

Description

 

This article describes how to reset an IPsec VPN tunnel in order to clear its security associations (SAs) and force them to be re-established.
 
Scope
 
FortiGate.


Solution

Flush the tunnel by its Phase 2 name:

diagnose vpn tunnel flush <my-phase2-name>

Or clear the IKE gateway by its Phase 1 name with either of the following commands:

diagnose vpn ike gateway clear name <my-phase1-name>

diagnose vpn ike gateway flush name <my-phase1-name>
Note:
If the VPN name contains a space, the tunnel name must be enclosed in double quotes ("") or single quotes (''). For example, to flush the IPsec tunnel named VPN Test, use the command below.

diagnose vpn tunnel flush "VPN Test"

Or:

diagnose vpn ike gateway clear name "VPN Test"

Or:

diagnose vpn ike gateway flush name "VPN Test"
Note: Replace 'my-phase2-name' with the name of the Phase 2 part of the VPN tunnel. If no name is specified (a bare 'diagnose vpn tunnel flush'), all tunnels will be flushed.

The command 'diagnose vpn tunnel flush' might not flush the tunnel in some FortiOS versions. Use 'diagnose vpn ike gateway clear name <my-phase1-name>' instead. The screenshot below shows the output when both commands are used on v7.4.3.

[Screenshot: diag vpn ike gateway clear name.png]

In a multi-VDOM environment, the commands are available inside the VDOM that owns the tunnel; alternatively, the VPN gateway can be cleared or flushed from the management VDOM. The CLI commands do not appear in the global VDOM.

[Screenshot: ipseccleargw.png]
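As an added example that is not part of this article or of any Fortinet tooling, the POSIX shell functions below assemble the CLI lines described above so they can be pasted into a FortiGate session (or fed to it over SSH). They apply the two rules the article gives, quoting a name that contains a space and running the commands inside the owning VDOM, and they refuse an empty Phase 1 name so that a bare 'diagnose vpn tunnel flush' (which would flush every tunnel) is never produced by accident. The VDOM entry sequence (config vdom / edit <name> / end) is standard FortiOS CLI; the tunnel names, VDOM name and hostname used are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): build the FortiOS CLI lines that
# reset an IPsec tunnel, following the article's rules:
#   - the IKE gateway is cleared by its Phase 1 name, the tunnel flushed by its Phase 2 name
#   - a name that contains a space is wrapped in quotes
#   - in a multi-VDOM unit the commands are issued inside the owning VDOM
#   - an empty Phase 1 name is refused: a bare 'diagnose vpn tunnel flush' flushes ALL tunnels

# fgt_quote NAME: print NAME quoted the way the FortiOS CLI expects.
# A name containing a space gets double quotes; a name that itself contains a
# double quote falls back to single quotes (the article allows either form).
fgt_quote() {
    case "$1" in
        *\"*)  printf "'%s'" "$1" ;;
        *" "*) printf '"%s"' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# fgt_reset_cmds PHASE1 [PHASE2] [VDOM]
# Prints the command sequence on stdout. Returns 1 (and prints nothing) when
# PHASE1 is empty, so the caller can never emit an unscoped flush by mistake.
fgt_reset_cmds() {
    fgt_p1=$1
    fgt_p2=$2
    fgt_vdom=$3
    if [ -z "$fgt_p1" ]; then
        echo "fgt_reset_cmds: refusing to build a reset with an empty Phase 1 name" >&2
        return 1
    fi
    # Enter the VDOM that owns the tunnel (commands are not visible in the global VDOM).
    if [ -n "$fgt_vdom" ]; then
        printf 'config vdom\nedit %s\n' "$(fgt_quote "$fgt_vdom")"
    fi
    # Clearing the IKE gateway is the method the article recommends on recent FortiOS.
    printf 'diagnose vpn ike gateway clear name %s\n' "$(fgt_quote "$fgt_p1")"
    # Optionally also flush the Phase 2 SAs by name.
    if [ -n "$fgt_p2" ]; then
        printf 'diagnose vpn tunnel flush %s\n' "$(fgt_quote "$fgt_p2")"
    fi
    if [ -n "$fgt_vdom" ]; then
        printf 'end\n'
    fi
}

# Usage (constructed names; fw.example.invalid is a placeholder hostname):
#   fgt_reset_cmds "VPN Test" "VPN Test" root
#   fgt_reset_cmds "VPN Test" "VPN Test" root | ssh admin@fw.example.invalid
```

Run the first usage line to review the generated commands before piping them anywhere; the output for the constructed example is the five-line sequence config vdom, edit root, the gateway clear, the tunnel flush, and end.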

 

Note: Create a configuration backup before running these commands. Because traffic through the tunnel is interrupted until new SAs are negotiated, run them during a maintenance window or only for troubleshooting purposes.

 

Related articles:

Technical Tip: How to bring down the shortcut VPN tunnel created by Auto-Discovery VPN (ADVPN)

Technical Tip: Different methods to bring down an IPsec tunnel after a WAN connectivity failure