FortiGate
Nivedha
Staff
Article Id 346906

Description

This article describes how to troubleshoot packet loss observed across an ADVPN tunnel: how to determine which FortiGates are on the data path, which routing, sniffer and debug flow output to collect on each of them, and how to read that output to find the device where the packets are being dropped.

Scope

FortiGate.

Solution

Step 1: Identify the Source and Destination locations.

The location of the two endpoints determines which FortiGates are on the data path, and therefore where captures and debugs must be taken. With ADVPN, whether a shortcut currently exists between two spokes can be confirmed with 'diagnose vpn tunnel list' on either spoke: shortcut tunnels are listed as child entries of the tunnel to the Hub.

Both Source and Destination Behind Spokes (ADVPN not configured for shortcuts):

  • Traffic is relayed through the Hub. Collect packet sniffer data and debug logs from both spokes and the Hub.

Both Source and Destination Behind Spokes (ADVPN configured for shortcuts):

If a shortcut is created:

  • Traffic flows directly between the spokes and bypasses the Hub, so a capture on the Hub will not show it. Collect packet sniffer data and debug logs from both spokes.

If no shortcut is created:

  • Traffic is still relayed through the Hub. Collect packet sniffer data and debug logs from both spokes and the Hub.

Either Source or Destination Behind Hub:

  • Collect packet sniffer data and debug logs from the spoke and the Hub.

Step 2: Collect Routing Information, Packet Sniffer Data, and Debug Logs.

Run the captures and debugs on all FortiGates identified in Step 1 at the same time, while the traffic that is experiencing loss is being generated (for example, a continuous ping from the source host). Replace x.x.x.x with the source IP and y.y.y.y with the destination IP.

  • Routing Table Commands (confirm that the route to the remote subnet points to the expected tunnel interface, or to the shortcut interface on a spoke that has a shortcut):

get router info routing-table details x.x.x.x

get router info routing-table details y.y.y.y

  • Packet Sniffer Command (verbosity 4 prints the interface name and direction for each packet, a count of 0 removes the packet limit, and l adds local timestamps):

diagnose sniffer packet any 'host x.x.x.x and host y.y.y.y' 4 0 l

  • Debug Flow Commands:

diagnose debug flow filter addr x.x.x.x

diagnose debug flow show iprope enable

diagnose debug console timestamp enable

diagnose debug flow trace start 1000

diagnose debug enable

When the collection is finished, stop the trace and clear the filter so the debug does not keep running on the unit:

diagnose debug flow trace stop

diagnose debug flow filter clear

diagnose debug disable

 

Step 3: Analyze the Logs.

Packet Sniffer Logs:

Check whether the capture on the source FortiGate shows the traffic leaving through the expected IPSec tunnel (look for lines containing '<tunnelname> out', where <tunnelname> is the phase1 interface name, or the shortcut interface name when a shortcut is in use):

  • If Yes: Proceed to the next check.
  • If No: Verify that the correct firewall policy is matched (check the debug flow captured on the source FortiGate; a 'Denied by forward policy check' message indicates a policy drop), and review the SD-WAN configuration and rules if SD-WAN is enabled.

Check whether the capture on the destination FortiGate shows the traffic arriving through the expected IPSec tunnel (look for lines containing '<tunnelname> in'):

  • If Yes: Proceed to the next check.
  • If No: The packets are being lost between the two FortiGates. When the traffic is relayed through the Hub, check the Hub's capture for the matching '<tunnelname> in' and '<tunnelname> out' lines to see whether the Hub receives and forwards it, and confirm that the tunnel (or shortcut) is up on both sides.

Check whether the capture on the destination FortiGate shows the traffic leaving through the correct outbound (LAN-side) interface:

  • If Yes: The FortiGate has forwarded the packet. Check that the destination host is reachable and that the application is listening on the destination port.
  • If No: Review the firewall policies on the destination FortiGate (check the debug flow captured on the destination FortiGate).

Compare the number of packets seen at each of these points. With intermittent loss the counts match up to the device where packets start to disappear, and that device's debug flow output shows the reason for the drop.
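As an added example, not part of the original article, the following Python script applies the Step 3 checks mechanically: it parses the verbosity-4 sniffer output from the source and destination FortiGates, counts the packets of the source-to-destination flow per interface and direction, and reports the first point on the path where the count drops together with the check to perform there. The capture text, IP addresses and interface names (port2, port3, ToHub) are constructed for illustration and are not from the article.

```python
"""Locate where a flow's packets go missing on an ADVPN path by comparing
per-interface and per-direction packet counts from FortiGate sniffer captures.

Input is the text of
    diagnose sniffer packet any 'host x.x.x.x and host y.y.y.y' 4 0 l
taken on the source and destination FortiGates at the same time. All capture
text, addresses and interface names below are constructed for illustration.
"""
import re
from collections import Counter

# A verbosity-4 line with the 'l' (local timestamp) option, for example:
#   2024-05-01 10:15:22.000150 ToHub out 10.1.1.10.52000 -> 10.2.2.20.443: syn 1234
# ICMP lines carry no port suffix, so the port groups are optional.
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s*(?P<info>.*)$"
)


def tally(capture, src, dst):
    """Count packets of the src -> dst direction per (interface, direction)."""
    counts = Counter()
    for raw in capture.splitlines():
        m = SNIFFER_LINE.match(raw.strip())
        if m is None:
            continue  # 'interfaces=[any]', 'filters=[...]' and other non-packet lines
        if m["src"] == src and m["dst"] == dst:
            counts[(m["intf"], m["dir"])] += 1
    return counts


def locate_loss(src_capture, dst_capture, src, dst, src_tunnel, dst_tunnel, dst_lan):
    """Walk the Step 3 checks on packet counts: report the first point on the
    forward path where the count drops and the check to perform there."""
    at_src = tally(src_capture, src, dst)
    at_dst = tally(dst_capture, src, dst)
    arrived = sum(n for (_, d), n in at_src.items() if d == "in")  # into source FGT
    sent = at_src[(src_tunnel, "out")]        # '<tunnelname> out' at the source
    received = at_dst[(dst_tunnel, "in")]     # '<tunnelname> in' at the destination
    delivered = at_dst[(dst_lan, "out")]      # LAN-side 'out' at the destination

    if arrived == 0:
        stage, check = "not_seen_at_source", "verify the sniffer filter and that the client is sending"
    elif sent < arrived:
        stage, check = "not_entering_tunnel_at_source", "check the matched firewall policy (debug flow) and SD-WAN rules"
    elif received < sent:
        stage, check = "lost_in_transit", "check the Hub capture (if relayed) and the tunnel or shortcut state on both sides"
    elif delivered < received:
        stage, check = "dropped_at_destination", "check the firewall policy on the destination FortiGate (debug flow)"
    else:
        stage, check = "delivered_to_host", "confirm the destination host is listening on the port"
    return {
        "in_at_source": arrived,
        "tunnel_out_at_source": sent,
        "tunnel_in_at_destination": received,
        "lan_out_at_destination": delivered,
        "stage": stage,
        "next_check": check,
    }


# Constructed captures: three echo requests enter the source spoke on port2 and
# leave via ToHub, but only two of them arrive on the destination spoke.
SRC_CAPTURE = """\
interfaces=[any]
filters=[host 10.1.1.10 and host 10.2.2.20]
2024-05-01 10:15:22.000100 port2 in 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:22.000150 ToHub out 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:22.030000 ToHub in 10.2.2.20 -> 10.1.1.10: icmp: echo reply
2024-05-01 10:15:22.030050 port2 out 10.2.2.20 -> 10.1.1.10: icmp: echo reply
2024-05-01 10:15:23.000100 port2 in 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:23.000150 ToHub out 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:24.000100 port2 in 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:24.000150 ToHub out 10.1.1.10 -> 10.2.2.20: icmp: echo request
"""
DST_CAPTURE = """\
interfaces=[any]
filters=[host 10.1.1.10 and host 10.2.2.20]
2024-05-01 10:15:22.010000 ToHub in 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:22.010050 port3 out 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:22.020000 port3 in 10.2.2.20 -> 10.1.1.10: icmp: echo reply
2024-05-01 10:15:22.020050 ToHub out 10.2.2.20 -> 10.1.1.10: icmp: echo reply
2024-05-01 10:15:24.010000 ToHub in 10.1.1.10 -> 10.2.2.20: icmp: echo request
2024-05-01 10:15:24.010050 port3 out 10.1.1.10 -> 10.2.2.20: icmp: echo request
"""

if __name__ == "__main__":
    report = locate_loss(SRC_CAPTURE, DST_CAPTURE, "10.1.1.10", "10.2.2.20",
                         src_tunnel="ToHub", dst_tunnel="ToHub", dst_lan="port3")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The script compares packet counts rather than timestamps because the clocks of the two FortiGates are not necessarily synchronised; the captures only need to cover the same burst of traffic (for example, a fixed number of pings). On a spoke that has a shortcut, pass the shortcut interface name as the tunnel name, since that is what the sniffer prints in the '<tunnelname> out' and '<tunnelname> in' lines.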
