Description: This article describes how to troubleshoot IPsec VPN tunnel errors due to traffic not matching selectors.
Scope: FortiGate.
Solution:
IPsec VPN Tunnel interfaces may report increasing errors in the following command outputs.
fnsysctl ifconfig <Phase 1 name>
diagnose netlink interface list <Phase 1 name>
The Tx error count can increase for the following reasons:
The Tx error count can also increase if Phase 2 selectors are configured and an attempt is made to ping a destination not permitted by the selector. In such cases, the Tx error count increments by one for each ping attempt.
Sample debug flow output:
2021-11-03 11:22:42 id=20085 trace_id=2502 func=print_pkt_detail line=5693 msg="vd-root:0 received a packet(proto=17, 103.228.181.139:19212->10.28.10.81:514) from local. "
In this case, although the destination IP is included in the Phase 2 selectors, the outgoing traffic uses the source IP 103.228.181.139 (WAN interface IP), which is not covered in the source-subnet of the Phase 2 selectors.
The best approach to detect this in a debug flow is to filter on the destination Phase 2 subnet range. For example:
diagnose debug enable
diagnose debug flow filter daddr 10.28.10.80 10.28.10.95
diagnose debug flow trace start 10
After checking the destination IP and destination port, it appears that the Syslog traffic is attempting to exit through the tunnel but cannot pass. This is because both the source and destination IPs must fall within the Phase 2 selectors for traffic to traverse the tunnel successfully; here the destination matches but the source (the WAN interface IP) does not.
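As an added illustration (not part of the Fortinet article), the following Python script parses the debug flow packet line shown above and checks it against a Phase 2 selector pair the same way the selector match is evaluated, reporting which side fails. The destination subnet 10.28.10.80/28 mirrors the filter range above; the local source subnet 10.10.10.0/24 is an assumed value.

```python
import ipaddress
import re

# Packet summary printed by "diagnose debug flow" (func=print_pkt_detail):
# received a packet(proto=17, 103.228.181.139:19212->10.28.10.81:514)
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

def parse_flow_line(line):
    """Extract proto, source and destination from one debug flow line (None if absent)."""
    m = PKT_RE.search(line)
    if not m:
        return None
    return {
        "proto": int(m["proto"]),
        "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
    }

def check_selectors(pkt, selectors):
    """Return (matched, reason). selectors is a list of (src_subnet, dst_subnet)
    pairs mirroring the Phase 2 src-subnet / dst-subnet configuration."""
    dst_hits = [s for s in selectors if pkt["dst"] in s[1]]
    if not dst_hits:
        return False, "destination %s not in any Phase 2 dst-subnet" % pkt["dst"]
    for src_net, dst_net in dst_hits:
        if pkt["src"] in src_net:
            return True, "matches selector %s -> %s" % (src_net, dst_net)
    # Destination is covered, so the only remaining mismatch is the source side.
    return False, "source %s not in src-subnet of the selector covering %s" % (
        pkt["src"], pkt["dst"])

# Constructed selector pair: local LAN 10.10.10.0/24 is an ASSUMED value; the remote
# 10.28.10.80/28 corresponds to the daddr filter range used in the article.
SELECTORS = [(ipaddress.ip_network("10.10.10.0/24"),
              ipaddress.ip_network("10.28.10.80/28"))]

# Debug flow line quoted in the article: syslog (UDP/514) sourced from the WAN IP.
SAMPLE_LINE = ('2021-11-03 11:22:42 id=20085 trace_id=2502 func=print_pkt_detail line=5693 '
               'msg="vd-root:0 received a packet(proto=17, 103.228.181.139:19212->'
               '10.28.10.81:514) from local. "')

if __name__ == "__main__":
    print(check_selectors(parse_flow_line(SAMPLE_LINE), SELECTORS))
```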
The Syslog source IP is configured under the following CLI context:
config log syslogd setting
For details on changing the source IP of Syslog, see: Technical Tip: Syslog server over IPSEC VPN and sending VPN logs
Related article: Technical Tip: Troubleshooting IPsec VPN tunnel errors with large size packets
Copyright 2025 Fortinet, Inc. All Rights Reserved.