- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Phase 2 status in ipsec monitor pag...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes the changes in ipsec monitor page in 5.6 and above firmware versions.
In 5.6 and above the design was changed to show the status of the tunnel (i.e. phase1) rather than the individual phase2s.
Currently VPN phase2 status in line view has been removed from VPN IPsec monitor.
Solution
Execute the CLI commands to monitor the status:
For example :
This article describes the changes in ipsec monitor page in 5.6 and above firmware versions.
In 5.6 and above the design was changed to show the status of the tunnel (i.e. phase1) rather than the individual phase2s.
Currently VPN phase2 status in line view has been removed from VPN IPsec monitor.
Solution
Execute the CLI commands to monitor the status:
# get vpn ipsec tunnel summary <----- Provide Tunnel statistic info.
# diag vpn tunnel list <----- Provide List all tunnel.
For example :
# get vpn ipsec tunnel summaryWhen both are up, the logs will be display as below:
'test' 10.5.25.96:0 selectors(total,up): 2/2 rx(pkt,err): 0/0 tx(pkt,err): 0/0
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=1 serial=1 10.40.16.43:0->10.5.25.96:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=2 child_num=0 refcnt=17 ilast=11 olast=11714 auto-discovery=0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=2 proto=0 sa=1 ref=2 serial=2 <----- Phase2 selectors "2" is up
src: 0:172.31.208.0/255.255.240.0:0
dst: 0:172.31.128.0/255.255.240.0:0
SA: ref=3 options=2e type=00 soft=0 mtu=1438 expire=42939/0B replaywin=2048 seqno=1 esn=0
life: type=01 bytes=0/0 timeout=43178/43200
dec: spi=94562709 esp=aes key=16 d42280329574150ff2c99ff43f524022
ah=sha1 key=20 5964c53bee6625766d69061127f29cb5aedaaf10
enc: spi=e5d6a69a esp=aes key=16 809a8addbdaf98d3a733638f7ad47494
ah=sha1 key=20 a2de85202b0460bd5f659320ab3f2e82a583494d
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=test proto=0 sa=0 ref=1 serial=7 <----- Phase2 selectors "test" is down
src: 0:172.31.192.0/255.255.240.0:0
dst: 0:172.31.144.0/255.255.240.0:0
# get vpn ipsec tunnel summaryTo bring the phase2 tunnel up :
'test' 10.5.25.96:0 selectors(total,up): 2/2 rx(pkt,err): 0/0 tx(pkt,err): 0/0
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=test ver=1 serial=1 10.40.16.43:0->10.5.25.96:0
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=2 child_num=0 refcnt=17 ilast=14 olast=11537 auto-discovery=0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=2 proto=0 sa=1 ref=2 serial=2 <----- Phase2 selectors "2" is up
src: 0:172.31.208.0/255.255.240.0:0
dst: 0:172.31.128.0/255.255.240.0:0
SA: ref=3 options=2e type=00 soft=0 mtu=1438 expire=43117/0B replaywin=2048 seqno=1 esn=0
life: type=01 bytes=0/0 timeout=43178/43200
dec: spi=94562709 esp=aes key=16 d42280329574150ff2c99ff43f524022
ah=sha1 key=20 5964c53bee6625766d69061127f29cb5aedaaf10
enc: spi=e5d6a69a esp=aes key=16 809a8addbdaf98d3a733638f7ad47494
ah=sha1 key=20 a2de85202b0460bd5f659320ab3f2e82a583494d
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=test proto=0 sa=1 ref=2 serial=4 <----- Phase2 selectors "test" is up
src: 0:172.31.192.0/255.255.240.0:0
dst: 0:172.31.144.0/255.255.240.0:0
SA: ref=3 options=2e type=00 soft=0 mtu=1438 expire=43117/0B replaywin=2048 seqno=1 esn=0
life: type=01 bytes=0/0 timeout=43174/43200
dec: spi=94562708 esp=aes key=16 4ddf7cdfc580b408130c27111329d4a4
ah=sha1 key=20 afa960dbda61d00a2dad8387a99c13fdb045a0b4
enc: spi=e5d6a699 esp=aes key=16 14fbfa90b1b9dba24da822e959366d34
ah=sha1 key=20 97f9edb074d5a7e6c8c813fcfa4dd3e66032e1b8
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
# diag vpn tunnel up <VPN-Phase2> <VPN-Phase1>Example:
# diag vpn tunnel up 2 test
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.