Description
This article describes the process of resetting a VPN tunnel to clear the SA sessions and re-establish SA.
Scope
FortiGate.
Solution
diagnose vpn tunnel flush <my-phase2-name>
Or use any one of the following commands:
diagnose vpn ike gateway clear name <my-phase1-name>
diagnose vpn ike gateway flush name <my-phase1-name>
Note:
If the VPN Name has a space, the tunnel name must be enclosed by '""' or ''''.
For example, if the IPsec tunnel named VPN Test needs to be flushed. Use the command below.
diagnose vpn tunnel flush "VPN Test"
Or:
diagnose vpn ike gateway clear name "VPN Test"
Or:
diagnose vpn ike gateway flush name "VPN Test"
Note: Replace 'my-phase2-name' with the name of the Phase2 part of the VPN tunnel. If the name is not specified (diagnose vpn tunnel flush), all tunnels will be 'flushed'.
The command 'diagnose vpn tunnel flush' might not flush the tunnel in some FortiOS versions. Use 'diagnose vpn ike gateway clear name <my-phase1-name>' instead. Check the output when both commands are used on v7.4.3.
In the multi-VDOM environment, the command is found in the corresponding VDOM, or the VPN gateway can be cleared or flushed from the management VDOM. The CLI commands do not appear in the global VDOM.
Note: A configuration backup should be created before running this command. It is recommended to run the command during a maintenance window or for troubleshooting purposes.
Related articles:
Technical Tip: How to bring down the shortcut VPN tunnel created by Auto-Discovery VPN (ADVPN)
Technical Tip: Different methods to bring down an IPsec tunnel after a WAN connectivity failure
