| Description | This article describes how to create alerts based on when a user disconnects from an IPsec dial-up VPN. It provides a step-by-step guide on how to set up notifications for VPN disconnections, allowing users to monitor and troubleshoot VPN connection issues. |
| Scope | FortiGate, FortiClient. |
| Solution |
Sometimes an alert is needed when an IPsec dial-up user is disconnecting from the VPN.
To create an alert:
Select Security Fabric -> Automation -> Trigger -> Create New.
Event to be chosen: IPsec connection status changed.
When using this log as a trigger condition, this will trigger on any IPsec tunnels going through a connection change. If the alerts are desired only for a specific tunnel, it is possible to add a filter to the trigger to only act on the desired tunnel name using the example below.
After creating a trigger, an Action can be chosen:
Once the steps above have been completed, navigate to Select Stitch -> Create New. 
Logs Generated when A user connects or disconnects from the VPN:
Make sure the email server is also right under System -> Settings -> Email Service:
Alert Email received: date=2025-07-22 time=15:13:42 devid="FGVM4XXXXXXXX" devname="FGVM4XXXXXXX" eventtime=1753222422448179593 tz="-0700" logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-up" remip=172.16.0.2 locip=192.168.16.135 remport=500 locport=500 outintf="port2" srccountry="Reserved" cookies="c99940a897c297bd/52c2d9a16a3964b0" user="172.16.0.2" group="N/A" useralt="N/A" eapuser="localuser" eapauthgroup="localgroup" assignip=10.212.134.200 vpntunnel="ipsec-dialup_0" tunnelip=10.212.134.200 tunnelid=755159287 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 fctuid="1AEC0F84EAFE4F21BCCBB012AA3F36BA" advpnsc=0 |
