An intermittent disconnection can be challenging to troubleshoot because it is hard to predict when it will happen. For that reason, the recommendation is to inspect the traffic on both the client side and the FortiGate side at the same time, so that the root cause of the disconnection can be found in the captures.
Note:
The packet captures and the debug have to be run simultaneously.
Packet Capture.
- Open a PuTTY session and make sure to save the session log for future review.
- In PuTTY, under Category select Logging, choose 'All session output' and pick the folder and file name for the log.
- Run the following command to capture the IPsec traffic (IKE on UDP 500, NAT-T on UDP 4500). The parentheses matter: without them the filter would match port 4500 traffic from every host, not only from the host getting disconnected.
diagnose sniffer packet any "host <PublicIP of the Host getting disconnected> and (port 500 or port 4500)" 6 0 l

Note:
If the sniffer does not show any packets, make sure to temporarily disable npu-offload under phase1.
Once the disconnection happens, press CTRL + C to stop the sniffer and convert the output to PCAP. Refer to the following article to convert the sniffer output to PCAP: Technical Tip: How to import 'diagnose sniffer packet' data to WireShark
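The conversion the linked article describes can also be scripted. The following Python script is an added example, not Fortinet's own tool: it reads a PuTTY session log containing verbosity-6 sniffer output with 'l' (local time) timestamps and writes a libpcap file that Wireshark can open. The line layout it expects (timestamp, interface, direction, addresses, then 0xNNNN hex rows with an ASCII column after a tab), the script name sniffer2pcap.py and the two sample packets embedded below are assumptions and constructed data; adjust the two regular expressions if your saved log looks different.

```python
import re
import struct
import sys
from datetime import datetime

# Constructed sample of a saved PuTTY session running
#   diagnose sniffer packet any "host 203.0.113.5 and (port 500 or port 4500)" 6 0 l
# The line shapes are an ASSUMPTION about verbosity-6 output; the addresses are
# documentation ranges and the packet contents are made up (checksums are zero).
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 203.0.113.5 and (port 500 or port 4500)]
2024-03-05 10:41:02.123456 port1 in 203.0.113.5.4500 -> 198.51.100.1.4500: udp 30
0x0000\t 0009 0f09 0001 0050 56a1 2b3c 0800 4500\t.......PV.+<..E.
0x0010\t 0032 1c46 0000 4011 0000 cb00 7105 c633\t.2.F..@.....q..3
0x0020\t 6401 1194 1194 001e 0000 0000 0000 1234\td..............4
0x0030\t 5678 9abc def0 1122 3344 5566 7788 99aa\tVx......3DUfw...
2024-03-05 10:41:02.223456 port1 out 198.51.100.1.4500 -> 203.0.113.5.4500: udp 12
0x0000\t 0050 56a1 2b3c 0009 0f09 0001 0800 4500\t.PV.+<........E.
0x0010\t 0020 0001 0000 4011 0000 c633 6401 cb00\t. ....@....3d...
0x0020\t 7105 1194 1194 000c 0000 0000 0000\tq.............
"""

# Packet header line: local timestamp, interface, direction, src -> dst: summary
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}) '
    r'(?P<iface>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): (?P<summary>.*)$')
# Hex dump row: offset, then 16-bit groups; the ASCII column after the tab is ignored
HEX_RE = re.compile(r'^0x[0-9a-f]{4}[ \t]+((?:[0-9a-f]{2,4} ?)+)')

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101  # used when the dump starts at the IP header instead of Ethernet


def parse_sniffer(text):
    """Return a list of dicts (ts, dir, src, dst, frame) for every packet in the log."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {'ts': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f'),
                       'dir': m['dir'], 'src': m['src'], 'dst': m['dst'], 'hex': []}
            packets.append(current)
            continue
        h = HEX_RE.match(line)
        if h and current is not None:
            current['hex'].append(h.group(1).replace(' ', ''))
    for p in packets:
        p['frame'] = bytes.fromhex(''.join(p.pop('hex')))
    return packets


def guess_linktype(frame):
    """Ethernet if an EtherType sits at offset 12, raw IP if the first nibble is 4 or 6."""
    if len(frame) >= 14 and frame[12:14] in (b'\x08\x00', b'\x86\xdd', b'\x81\x00'):
        return LINKTYPE_ETHERNET
    if frame and frame[0] >> 4 in (4, 6):
        return LINKTYPE_RAW
    return LINKTYPE_ETHERNET


def to_pcap(packets):
    """Serialise the packets as a classic libpcap capture (microsecond timestamps)."""
    linktype = guess_linktype(packets[0]['frame']) if packets else LINKTYPE_ETHERNET
    out = [struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)]
    for p in packets:
        # 'l' timestamps are local time, so a naive datetime converts correctly here
        sec = int(p['ts'].timestamp())
        out.append(struct.pack('<IIII', sec, p['ts'].microsecond, len(p['frame']), len(p['frame'])))
        out.append(p['frame'])
    return b''.join(out)


if __name__ == '__main__':
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_SNIFFER
    pkts = parse_sniffer(text)
    with open('sniffer.pcap', 'wb') as f:
        f.write(to_pcap(pkts))
    print(f'wrote {len(pkts)} packets to sniffer.pcap')
```

Run it as `python3 sniffer2pcap.py putty-session.log` and open the resulting sniffer.pcap in Wireshark; IKE appears on UDP 500 and the NAT-T/ESP traffic on UDP 4500, which is what the ESP decryption article that follows works on. With no argument the script converts the constructed sample.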
- Install Wireshark on the remote Host and start a packet capture using the following filter.
After a disconnection has been captured successfully, follow this article to decrypt the ESP packets: Technical Tip: Decrypt ESP packets
Debug. Run the following debug commands in PuTTY so that the session is not disconnected by the FortiGate. Collecting the debug through the GUI CLI console can produce a file with broken formatting or a session timeout.
diagnose vpn ike log filter clear
diagnose vpn ike log filter dst-addr4 <PublicIP of the Host getting disconnected>
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
Enabling the console timestamp makes it possible to jump to the disconnection time in the debug output if the date and time of the disconnection are already known. The 'diagnose vpn ike log filter dst-addr4' command restricts the debug to the host that has the disconnection issue.
Note:
Starting from v7.4.1, the 'diagnose vpn ike log filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
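Because the sniffer and the IKE debug are collected at the same time, the two saved logs can be correlated to answer the question the introduction raises: which side went quiet first. The script below is an added example, not a Fortinet tool: it finds the first tunnel-down line in the timestamped IKE debug, then measures how long before that moment the last packet from the peer and the last packet to the peer were seen in the sniffer header lines, and counts the DPD probes that went unanswered. The IKE message texts ('DPD sent', 'DPD ack received', 'DPD timeout'), the tunnel name FCT-DIALUP_0, the sample lines, the DOWN_RE markers and the final verdict heuristic are all assumptions and constructed data; only the timestamp prefix and the 'ike <n>:<tunnel>:' prefix are relied on, so tune DOWN_RE to the phrases your own log uses. It goes slightly beyond the page by classifying all three outcomes (peer silent, FortiGate silent, both silent).

```python
import re
from datetime import datetime

# Constructed sample of 'diagnose debug application ike -1' output with
# 'diagnose debug console timestamp enable', as saved by PuTTY. Message texts
# are an ASSUMPTION modelled on the ike daemon's style.
SAMPLE_IKE_DEBUG = """\
2024-03-05 10:40:30 ike 0:FCT-DIALUP_0: DPD sent, seqno 115
2024-03-05 10:40:30 ike 0:FCT-DIALUP_0: DPD ack received, seqno 115
2024-03-05 10:41:25 ike 0:FCT-DIALUP_0: DPD sent, seqno 116
2024-03-05 10:41:30 ike 0:FCT-DIALUP_0: DPD sent, seqno 117
2024-03-05 10:41:35 ike 0:FCT-DIALUP_0: DPD sent, seqno 118
2024-03-05 10:41:40 ike 0:FCT-DIALUP_0: DPD timeout, connection expiring
2024-03-05 10:41:40 ike 0:FCT-DIALUP_0: deleting
"""

# Constructed header lines from the simultaneous sniffer (hex rows omitted).
SAMPLE_SNIFFER = """\
2024-03-05 10:40:30.100000 port1 out 198.51.100.1.4500 -> 203.0.113.5.4500: udp 60
2024-03-05 10:40:30.140000 port1 in 203.0.113.5.4500 -> 198.51.100.1.4500: udp 60
2024-03-05 10:40:58.500000 port1 in 203.0.113.5.4500 -> 198.51.100.1.4500: udp 120
2024-03-05 10:41:25.100000 port1 out 198.51.100.1.4500 -> 203.0.113.5.4500: udp 60
2024-03-05 10:41:30.100000 port1 out 198.51.100.1.4500 -> 203.0.113.5.4500: udp 60
2024-03-05 10:41:35.100000 port1 out 198.51.100.1.4500 -> 203.0.113.5.4500: udp 60
"""

IKE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ike \d+:(?P<tunnel>[^:]+):\s*(?P<msg>.*)$')
SNIFF_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6}) \S+ (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+):')
# Phrases treated as "the tunnel went down" (assumption: extend to match your log)
DOWN_RE = re.compile(r'DPD timeout|expiring|deleting', re.IGNORECASE)


def ike_events(text):
    """Yield (timestamp, tunnel, message) for every timestamped ike debug line."""
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            yield datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'), m['tunnel'], m['msg']


def first_down_event(text):
    for ts, tunnel, msg in ike_events(text):
        if DOWN_RE.search(msg):
            return ts, tunnel, msg
    return None


def unanswered_dpd(text, tunnel, until):
    """DPD probes sent on 'tunnel' after its last acknowledged probe, up to 'until'."""
    pending = 0
    for ts, tun, msg in ike_events(text):
        if tun != tunnel or ts > until:
            continue
        if 'DPD ack received' in msg:
            pending = 0
        elif 'DPD sent' in msg:
            pending += 1
    return pending


def last_packets(sniffer_text, peer_ip, until):
    """Timestamp of the last packet from ('in') and to ('out') the peer before 'until'."""
    last = {'in': None, 'out': None}
    for line in sniffer_text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f')
        peer = m['src'] if m['dir'] == 'in' else m['dst']   # address carries the port as a suffix
        if ts <= until and peer.rsplit('.', 1)[0] == peer_ip:
            last[m['dir']] = ts
    return last


def diagnose(ike_text, sniffer_text, peer_ip):
    """Correlate the first tunnel-down event with the traffic seen just before it."""
    event = first_down_event(ike_text)
    if event is None:
        return {'verdict': 'no-down-event'}
    down_at, tunnel, msg = event
    last = last_packets(sniffer_text, peer_ip, down_at)
    silence = {d: (down_at - t).total_seconds() if t else None for d, t in last.items()}
    # Heuristic reading of the two silences (not a Fortinet rule): the side that stopped
    # first is where to look next.
    if silence['in'] is None or (silence['out'] is not None and silence['in'] > 2 * silence['out']):
        verdict = 'peer-silent'       # FortiGate kept sending, nothing came back: client, path or NAT device
    elif silence['out'] is None or silence['out'] > 2 * silence['in']:
        verdict = 'fortigate-silent'  # peer still sending when FortiGate stopped: FortiGate side, e.g. NPU offload
    else:
        verdict = 'both-silent'       # both quiet together: shared cause such as a WAN outage or rekey failure
    return {'tunnel': tunnel, 'down_at': down_at, 'reason': msg,
            'silence_from_peer_s': silence['in'], 'silence_to_peer_s': silence['out'],
            'unanswered_dpd': unanswered_dpd(ike_text, tunnel, down_at), 'verdict': verdict}


if __name__ == '__main__':
    for key, value in diagnose(SAMPLE_IKE_DEBUG, SAMPLE_SNIFFER, '203.0.113.5').items():
        print(f'{key}: {value}')
```

On the constructed sample the FortiGate was still sending DPD probes 4.9 s before the tunnel was torn down while nothing had arrived from the peer for 41.5 s and three probes went unanswered, so the verdict is 'peer-silent' and the next place to look is the client, its network path or the NAT device in front of it. A 'fortigate-silent' result would instead point at the NPU offload and keepalive checks later in this article.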
VPN Logs. The VPN logs should be reviewed carefully for more information about the time of the disconnection and its possible root cause. From the FortiGate GUI, navigate to Log & Report -> System Events -> VPN Events.
On the user side, FortiClient logs can also be collected for review; however, the log level has to be set to Debug first. To change the logging level in FortiClient, follow the article below: Technical Tip: How to enable debug log in FortiClient
NPU Offload. IPsec traffic entering the FortiGate is offloaded to the NPU, which can sometimes be the cause of the disconnection. To rule out NPU offload as the cause, temporarily disable it under phase1: Disabling NP offloading for individual IPsec VPN phase 1s.
The tunnel is going down. If the VPN tunnel frequently goes down, check the Phase 2 settings and enable Autokey Keep Alive.
Related article:
Technical Tip: FortiClient IPsec dial-up tunnel keeps disconnecting