Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spoojary
Staff
Staff

Created on ‎07-23-2025 08:55 AM Edited on ‎11-13-2025 09:20 PM By Moderator

Article Id 403075

Troubleshooting Tip: Creating Alerts for IPsec Dial-up VPN Disconnections

Description This article describes how to create alerts based on when a user disconnects from an IPsec dial-up VPN. It provides a step-by-step guide on how to set up notifications for VPN disconnections, allowing users to monitor and troubleshoot VPN connection issues.
Scope FortiGate, FortiClient.
Solution

An email alert can sometimes be needed when an IPsec dial-up user is disconnecting from the VPN.

 

To create an alert using automation stitches:

 

Select Security Fabric -> Automation -> Trigger -> Create New.

 

spoojary_0-1753283093914.png

 

Event to be chosen: IPsec connection status changed.

 

When using this log as a trigger condition, this will trigger on any IPsec tunnels going through a connection change. If the alerts are desired only for a specific tunnel, it is possible to add a filter to the trigger to only act on the desired tunnel name using the example below.

 

spoojary_1-1753283182705.png

 

After creating a trigger, an Action can be chosen:

 

spoojary_1-1753208443511.png

 

spoojary_2-1753208467881.png

 

Once the steps above have been completed, navigate to Select Stitch -> Create New.

spoojary_3-1753208583617.png

 

CLI Reference:

  

config system automation-trigger

    edit "ipsec_down"

        set event-type event-log

        set logid 37138

            config fields

                edit 1

                    set name "vpntunnel"

                    set value "ipsec-dialup"

                next

            end

    next

end

 

config system automation-action

    edit "Default Email"

        set action-type email

        set email-to "test@fortinet.com"

        set email-subject "%%log.logdesc%%"

    next

end

 

config system automation-stitch

    edit "ipsec_down"

        set trigger "ipsec_down"

            config actions

                edit 1

                    set action "Default Email"

                    set required enable

                next

            end

    next

end

 

Example logs generated when a user connects or disconnects from the VPN:

 

spoojary_4-1753208744105.png

 

Ensure that the email server is also correctly configured under System -> Settings -> Email Service:

 

spoojary_6-1753208922955.png

 

Alert Email received with log content:

date=2025-07-22 time=15:13:42 devid="FGVM4XXXXXXXX" devname="FGVM4XXXXXXX" eventtime=1753222422448179593 tz="-0700" logid="0101037138" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" msg="IPsec connection status change" action="tunnel-up" remip=172.16.0.2 locip=192.168.16.135 remport=500 locport=500 outintf="port2" srccountry="Reserved" cookies="c99940a897c297bd/52c2d9a16a3964b0" user="172.16.0.2" group="N/A" useralt="N/A" eapuser="localuser" eapauthgroup="localgroup" assignip=10.212.134.200 vpntunnel="ipsec-dialup_0" tunnelip=10.212.134.200 tunnelid=755159287 tunneltype="ipsec" duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 fctuid="1AEC0F84EAFE4F21BCCBB012AA3F36BA" advpnsc=0
388
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.