FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192887
The purpose of this article is to aid in troubleshooting network connectivity via IPSEC VPN. In this scenario the site to site VPN between two FortiGates and the tunnel status is up however, both local and remote subnets are not able to reach each other or only one way communication is working
Network scenario used for this example :  local LAN -----FGT A------IPSEC VPN----- FGT B --- Remote lan
Below is a list of steps to aid in troubleshooting the issue:
1. Phase2 selector: Make sure the respective source and destination ip is present in phase2 selector configured on the FortiGate units and phase2 selector is up
FortigateA# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=vpn ver=1 serial=2>
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=2 child_num=0 refcnt=12 ilast=7 olast=568 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vpna proto=0 sa=1 ref=2 serial=3 <-- SA=1 means phase2 selectors(proxyid) "vpna" is up
  src: 0:
  dst: 0:
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1280 expire=42402/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=a9a85865 esp=aes key=16 e25c71269c3f44205d1074d3ee5e6b36
       ah=sha1 key=20 f5cf85d6c2b2a20918f83e92e1c18d9450ab4415
  enc: spi=687f405e esp=aes key=16 3a0730ac611aaf84eea0438d127ec652
       ah=sha1 key=20 4f6f509be0cd6a27588b4c4b1b0dec086a638913
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
If there are multiple phase2 selectors configured use the following command:
# diagnose vpn tunnel list | grep -f "proxyid=<phase2 selectors name>"
Example :
diagnose vpn tunnel list | grep -f "proxyid=vpna"
proxyid=vpna proto=0 sa=1 ref=2 serial=3 <---

2. Route: On both FortiGates should have an active route to the remote subnets
FortigateA# get router info routing-table details

Routing table for VRF=0
Routing entry for
  Known via "static", distance 10, metric 0, best
  * directly connected, vpna <<<<<<
FortigateB# get router info routing-table details

Routing table for VRF=0
Routing entry for
  Known via "static", distance 10, metric 0, best * directly connected, vpnb <--

3. Policy Routing: If there policy routing applied to a specific respective source or destination create a policy route to the respective source and destination subnets with interface as vpn tunnel and keep the policy route on top.

4. Firewall Policies: Make sure there is LAN to VPN and VPN to LAN allow policies configured on both the FortGate with respective source / destination addresses and services.
Please note: For the LAN to VPN policy, keep NAT disabled and VPN to LAN keep PAT enabled

Use the below command to do a policy lookup
diagnose firewall iprope lookup <source ip> <source port number> <destination ip> <destination portnumber> <protocol> <incoming interface>
Example : To analyse a ping from to use the following command:
diagnose firewall iprope lookup 5178 443 0  lan
<src [ -5178] dst [] proto 0 dev lan <-- matches policy id: 1

Protocol id for UDP = 17, TCP = 6, other = 0
If the above fails, please raise a technical assistance ticket and attach the configuration of the FortiGate devices, network diagram and debug outputs of below commands.

Run the below commands on both FortiGates and initiate the communications to capture traffic flow :

SSH 1:
diag deb disable
diag deb reset
diagnose debug flow filter <protocol id> <-- ping = 1, UDP = 17, TCP = 6.
diagnose debug flow filter addr  y.y.y.y <-- destination ip
diag debug flow show function-name enable
diagnose debug flow show console enable
diagnose debug flow trace start 2000
diagnose debug enable

SSH 2:
diag sniffer packet any "host y.y.y.y" 6 0 l

Related Articles

Troubleshooting Tool: Using the FortiOS built-in packet sniffer