FortiGate
amrit
Staff & Editor
Article Id 408661
Description This article explains why a static route that points to an IPsec tunnel interface is installed with Null0 as its interface and marked inactive in the routing table, instead of being bound to the tunnel interface.
Scope FortiGate.
Solution

The following site-to-site IPsec tunnel configuration commits without error, but contains the setting that causes the problem:

 

config vpn ipsec phase1-interface
    edit "TestVPN"
        set interface "wan1"
        set ike-version 2
        set local-gw 10.9.16.120
        set keylife 28800
        set peertype any
        set net-device enable
        set aggregate-member enable
        set proposal aes256-sha256
        set comments "Local FortiGate"
        set dhgrp 20
        set nattraversal disable
        set remote-gw 10.9.14.132
    next
end

 

config router static
    edit 1
        set dst 172.16.10.0 255.255.255.0
        set device "TestVPN"
    next
end

 

The tunnel comes up, but no traffic passes through it: the static route is installed with Null0 as its interface and stays inactive, as the routing table entry shows.

 

FortiGate # get router info routing-table details 172.16.10.1

Routing table for VRF=0
Routing entry for 172.16.10.0/24
Known via "static", distance 10, metric 0
vrf 0 10.9.14.132, Null0 inactive, tun_id

 

Tunnels created as IPsec aggregate members are meant to be grouped under an aggregate interface (config system ipsec-aggregate, with the tunnels listed as members). Static routes must then reference the aggregate interface, not an individual member tunnel: a tunnel flagged as an aggregate member does not install routes on its own.

 

However, if aggregate-member is enabled on an ordinary site-to-site tunnel without an ipsec-aggregate interface that lists it as a member (this typically happens after a FortiConverter migration or a manual configuration migration), any static route pointing at that tunnel will always show the Null0 interface in the routing table and remain inactive, even though the tunnel itself is up.

 

Solution:

If the tunnel is intended for plain site-to-site use and IPsec load balancing or redundancy across several tunnels is not required, disabling the aggregate-member option in phase 1 resolves the issue. Otherwise, complete the aggregate setup (create the ipsec-aggregate interface with this tunnel as a member and point the static route at the aggregate interface) as described in Technical Tip: IPsec aggregate for redundancy and traffic load-balancing.

 

config vpn ipsec phase1-interface
    edit "TestVPN"
        set aggregate-member disable
    next
end

 

FortiGate # get router info routing-table details 172.16.10.1

Routing table for VRF=0
Routing entry for 172.16.10.0/24
Known via "static", distance 10, metric 0, best
* via TestVPN tunnel 10.9.14.132 vrf 0, tun_id
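The condition this article describes (a tunnel with aggregate-member enabled that no ipsec-aggregate groups, while a static route still points at it) can be caught by reviewing the configuration text before it is pushed, which is useful when checking the output of a FortiConverter or manual migration. The following Python lint is an added example and is not part of this article or of FortiOS. It assumes the aggregate grouping is expressed under config system ipsec-aggregate with set member, and the configuration it parses is constructed for the example: the TestVPN tunnel from this article plus a correctly grouped pair (agg_a and agg_b under agg1, which are assumed names).

```python
"""Lint a FortiOS CLI config for an aggregate-member tunnel that no
ipsec-aggregate groups while a static route still points at it: such a
route installs as Null0/inactive. Added example, not part of the article."""
import shlex


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}.

    A 'config' block nested inside an entry gets the path 'outer/entry/inner';
    'set' lines directly under a config block with no 'edit' go to entry ''.
    """
    sections = {}
    section_stack = []   # paths of currently open 'config' blocks
    entry_stack = []     # current 'edit' name per open block (None if none)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            path = " ".join(args)
            if section_stack and entry_stack[-1] is not None:
                path = f"{section_stack[-1]}/{entry_stack[-1]}/{path}"
            section_stack.append(path)
            entry_stack.append(None)
            sections.setdefault(path, {})
        elif kw == "edit":
            entry_stack[-1] = args[0]
            sections[section_stack[-1]].setdefault(args[0], {})
        elif kw == "set":
            entry = sections[section_stack[-1]].setdefault(entry_stack[-1] or "", {})
            entry[args[0]] = args[1:]
        elif kw == "next":
            entry_stack[-1] = None
        elif kw == "end":
            section_stack.pop()
            entry_stack.pop()
    return sections


def orphan_aggregate_members(cfg):
    """Tunnels with 'set aggregate-member enable' that belong to no ipsec-aggregate."""
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    grouped = {m for agg in cfg.get("system ipsec-aggregate", {}).values()
               for m in agg.get("member", [])}
    return sorted(name for name, s in phase1.items()
                  if s.get("aggregate-member", ["disable"]) == ["enable"]
                  and name not in grouped)


def routes_that_install_as_null0(cfg):
    """(route id, device, dst) for static routes whose device is an orphan member."""
    orphans = set(orphan_aggregate_members(cfg))
    return [(rid, s["device"][0], " ".join(s.get("dst", [])))
            for rid, s in cfg.get("router static", {}).items()
            if s.get("device") and s["device"][0] in orphans]


def site_to_site_fix(cfg):
    """CLI that disables aggregate-member on each orphan tunnel (the article's fix)."""
    orphans = orphan_aggregate_members(cfg)
    if not orphans:
        return ""
    body = "".join(f'    edit "{n}"\n        set aggregate-member disable\n    next\n'
                   for n in orphans)
    return "config vpn ipsec phase1-interface\n" + body + "end\n"


# Constructed sample: the article's TestVPN (orphan member) plus a correctly
# grouped pair agg_a/agg_b under aggregate agg1 (assumed names and addresses).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "TestVPN"
        set interface "wan1"
        set ike-version 2
        set net-device enable
        set aggregate-member enable
        set comments "Local FortiGate"
        set remote-gw 10.9.14.132
    next
    edit "agg_a"
        set interface "wan1"
        set aggregate-member enable
        set remote-gw 198.51.100.10
    next
    edit "agg_b"
        set interface "wan2"
        set aggregate-member enable
        set remote-gw 198.51.100.11
    next
end
config system ipsec-aggregate
    edit "agg1"
        set member "agg_a" "agg_b"
        set algorithm L3
    next
end
config router static
    edit 1
        set dst 172.16.10.0 255.255.255.0
        set device "TestVPN"
    next
    edit 2
        set dst 10.20.0.0 255.255.0.0
        set device "agg1"
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for rid, dev, dst in routes_that_install_as_null0(cfg):
        print(f"static route {rid} ({dst}) via {dev}: will install as Null0/inactive")
    print(site_to_site_fix(cfg))
```

Run against a full configuration backup, the lint reports only route 1 in the sample: agg_a and agg_b are listed as members of agg1, and route 2 points at the aggregate interface rather than at a member, so neither is flagged. The generated fix is the site-to-site remediation shown above; if the tunnel is meant to be part of an aggregate, add it to an ipsec-aggregate and repoint the route instead.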

 

Related articles:

Technical Tip: How to identify Inactive Routes in the Routing Table 

Technical Tip: IPSec tunnel is up but the route in routing table shows inactive 
