Description |
This article describes why one of the Phase 2 selectors is not present in the IPSec monitor. |
Scope | FortiGate. |
Solution |
In some cases, an IPSec tunnel may include more than one Phase 2 selector. The IPSec monitor can be used to confirm that a tunnel and all of its Phase 2 selectors are operational. This article covers the case where one Phase 2 selector does not appear in the IPSec monitor, as in the screenshot below:
In the screenshot below it can be seen that there are 3 Phase 2 selectors configured on this IPSec tunnel:
From the CLI, checking the Phase 1 tunnel shows that the Phase 2 selector is still missing: proxyid_num reports 2 although 3 selectors are configured.
diagnose vpn tunnel list
proxyid_num=2 child_num=0 refcnt=4 ilast=44775664 olast=44775664 ad=/0
When the references for this IPSec tunnel are checked, the missing Phase 2 selector does show up, but its entry is offset slightly to the right-hand side:
If that is the case, the Phase 2 selector is a duplicate. In the example above, the first and the third Phase 2 selectors have the same local and remote subnets, so the tunnel carries only one proxy ID for them and the monitor lists that selector only once. |
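The check walked through above (count the configured Phase 2 selectors, compare with proxyid_num from diagnose vpn tunnel list, then look for selectors that share the same local and remote subnets) can be run against a saved configuration. The following is an added example and not Fortinet's code: the selector names, subnets and the tunnel-list fragment are constructed sample data, and the parser assumes the FortiOS phase2-interface keys src-subnet and dst-subnet.

```python
import re

# Constructed excerpt in FortiOS "config vpn ipsec phase2-interface" syntax (sample
# data, not from the article). Selectors 1 and 3 share the same local and remote
# subnets, mirroring the duplicate the article describes.
SAMPLE_PHASE2_CONFIG = """
config vpn ipsec phase2-interface
    edit "to_branch_p2_1"
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "to_branch_p2_2"
        set src-subnet 10.1.2.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
    edit "to_branch_p2_3"
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
"""
# Constructed fragment of "diagnose vpn tunnel list" output for the same tunnel.
SAMPLE_TUNNEL_LIST = "name=to_branch ver=1 serial=1 proxyid_num=2 child_num=0 refcnt=4"

def parse_phase2_selectors(config_text):
    """Map each selector name to its (src-subnet, dst-subnet) pair."""
    selectors, name = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r'edit "(.+)"', line):
            name = m.group(1)
            selectors[name] = {}
        elif name and (m := re.match(r"set (src-subnet|dst-subnet) (\S+ \S+)", line)):
            selectors[name][m.group(1)] = m.group(2)
    return {n: (v.get("src-subnet"), v.get("dst-subnet")) for n, v in selectors.items()}

def find_duplicate_selectors(selectors):
    """Selectors sharing one (src, dst) pair collapse into a single proxy ID."""
    groups = {}
    for name, pair in selectors.items():
        groups.setdefault(pair, []).append(name)
    return {pair: names for pair, names in groups.items() if len(names) > 1}

def explain_missing_selector(config_text, tunnel_list_output):
    """Return (configured, distinct pairs, proxyid_num, duplicates) for the tunnel."""
    selectors = parse_phase2_selectors(config_text)
    reported = int(re.search(r"proxyid_num=(\d+)", tunnel_list_output).group(1))
    return len(selectors), len(set(selectors.values())), reported, find_duplicate_selectors(selectors)
```

When the number of distinct subnet pairs equals proxyid_num but is lower than the configured count, the duplicates dictionary names the selectors the monitor merged.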
Copyright 2024 Fortinet, Inc. All Rights Reserved.