FortiGate
wcruvinel
Staff
Article Id 424358
Description: This article describes an issue where a downstream FortiGate device does not receive the Fabric Overlay configuration from the root FortiGate when the Fabric Overlay Orchestrator is deployed over a PPPoE interface.
Scope: FortiGate
Solution:

Symptoms:

  • The Fabric Overlay Orchestrator deployment fails on the root FortiGate.
  • The downstream FortiGate does not receive the Fabric Overlay configuration.
  • The logs below were observed via 'diagnose debug application csfd -1'.

The following error messages are observed in the logs:

ERR_FABRIC_VPN_PHASE1_CMDB_APPEND_ERROR
add_aps_tunnel_interface_with_ifunit: failed to create interface entry
Failed to setup Fabric VPN: Cannot append new entry to IPsec phase1 entry

Additional CMDB errors may be present:

failed to find phase1-interface.interface objid (data source=ppp2)
failed to find phase1-interface.interface objid (data source=ppp3)

From the HTTPS daemon logs:

Failed to setup Fabric VPN: ERR_FABRIC_VPN_PHASE1_CMDB_APPEND_ERROR:
Cannot append new entry to IPsec phase1 entry.

 

To confirm whether PPPoE is in use, run 'diagnose system csf downstream' on the root FortiGate and check the interface reported as 'downstream intf' for each downstream device. Example output:

FW # diagnose system csf downstream
 1: FGT40FTK24030151 (192.168.158.3) Management-IP: 192.168.158.1
 Management-port:8443 parent: FGT70FTK11224400
    path:FGT70FTK11224400:FGT40FTK11223351
    data received: Y downstream intf:Telekom upstream intf:wan2   <----- Check whether this interface uses PPPoE.
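The checks above are manual: read the csfd debug output for the phase1 append error, note which 'data source=pppN' devices the CMDB could not resolve, and then compare the 'downstream intf' from 'diagnose system csf downstream' against the interface configuration. The script below automates that correlation. It is an added example, not part of this article or of FortiOS; the sample csfd log, csf downstream output and 'config system interface' excerpt are constructed here (the interface named "Telekom" is given 'set mode pppoe' so the check triggers), and the function names are the author's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample of 'diagnose debug application csfd -1' output (not captured from a device).
CSFD_LOG = """\
ERR_FABRIC_VPN_PHASE1_CMDB_APPEND_ERROR
add_aps_tunnel_interface_with_ifunit: failed to create interface entry
Failed to setup Fabric VPN: Cannot append new entry to IPsec phase1 entry
failed to find phase1-interface.interface objid (data source=ppp2)
failed to find phase1-interface.interface objid (data source=ppp3)
"""

# Constructed sample of 'diagnose system csf downstream' output.
CSF_DOWNSTREAM = """\
 1: FGT40FTK24030151 (192.168.158.3) Management-IP: 192.168.158.1
 Management-port:8443 parent: FGT70FTK11224400
    path:FGT70FTK11224400:FGT40FTK11223351
    data received: Y downstream intf:Telekom upstream intf:wan2
"""

# Constructed excerpt of 'show system interface'; "Telekom" is deliberately a PPPoE interface.
SYSTEM_INTERFACE = """\
config system interface
    edit "wan1"
        set mode static
        set ip 203.0.113.10 255.255.255.0
    next
    edit "Telekom"
        set vdom "root"
        set mode pppoe
        set username "user@example.invalid"
    next
    edit "wan2"
        set mode dhcp
    next
end
"""

APPEND_ERR = "ERR_FABRIC_VPN_PHASE1_CMDB_APPEND_ERROR"
SERIAL_RE = re.compile(r"^\s*\d+:\s+(?P<serial>\S+)\s+\((?P<ip>[\d.]+)\)")
INTF_RE = re.compile(r"downstream intf:(?P<down>\S+)\s+upstream intf:(?P<up>\S+)")
PPP_RE = re.compile(r"data source=(?P<dev>ppp\d+)")


def phase1_append_errors(log: str) -> Dict[str, object]:
    """Flag the phase1 append error and collect the pppN devices the CMDB failed to resolve."""
    devices: List[str] = []
    for line in log.splitlines():
        m = PPP_RE.search(line)
        if m and m.group("dev") not in devices:
            devices.append(m.group("dev"))
    return {"append_error": APPEND_ERR in log, "ppp_devices": devices}


def downstream_interfaces(text: str) -> List[Dict[str, str]]:
    """Parse each downstream entry: serial, IP, and the downstream/upstream interface names."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SERIAL_RE.match(line)
        if m:
            entries.append({"serial": m.group("serial"), "ip": m.group("ip")})
            continue
        m = INTF_RE.search(line)
        if m and entries:
            entries[-1]["downstream_intf"] = m.group("down")
            entries[-1]["upstream_intf"] = m.group("up")
    return entries


def pppoe_interfaces(config: str) -> Set[str]:
    """Return the names of interfaces configured with 'set mode pppoe'."""
    pppoe: Set[str] = set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith('edit "'):
            current = line.split('"')[1]
        elif line == "next":
            current = None
        elif line == "set mode pppoe" and current:
            pppoe.add(current)
    return pppoe


def diagnose(log: str, downstream: str, config: str) -> List[Dict[str, object]]:
    """Correlate the three outputs: one finding per downstream device, marking PPPoE downstream links."""
    errs = phase1_append_errors(log)
    pppoe = pppoe_interfaces(config)
    findings: List[Dict[str, object]] = []
    for entry in downstream_interfaces(downstream):
        findings.append({
            **entry,
            "pppoe": entry.get("downstream_intf") in pppoe,
            "phase1_append_error": errs["append_error"],
            "ppp_devices": errs["ppp_devices"],
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(CSFD_LOG, CSF_DOWNSTREAM, SYSTEM_INTERFACE):
        state = "PPPoE (unsupported by Fabric Overlay Orchestrator)" if f["pppoe"] else "not PPPoE"
        print(f"{f['serial']}: downstream intf {f['downstream_intf']} is {state}")
```

Feed the functions real captures instead of the constructed strings: the output of 'diagnose debug application csfd -1', 'diagnose system csf downstream' and 'show system interface' from the root FortiGate. A finding with 'pppoe' set to True alongside 'phase1_append_error' matches the failure pattern this article describes.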
Conclusion:

Fabric Overlay Orchestrator does not support PPPoE interfaces.
When a PPPoE interface is used, the orchestrator cannot bind the IPsec Phase1 interface required for the overlay tunnel, which causes the Fabric Overlay deployment to fail.
