FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article describes how to troubleshoot a Security Fabric connection that fails to come up over an IPsec tunnel.
Scope FortiGate, all firmware.

Follow the troubleshooting steps below:

1) Make sure the tunnel is up and passing traffic on both sides (Head Office and Branch).

2) If connecting to the upstream FortiGate via its loopback IP leaves the Fabric in the 'connecting' state and it never reaches 'connected', check whether IP addresses are configured on the VPN (tunnel) interface. Without a tunnel IP on each end there is no address for the Fabric session to bind to inside the IPsec SA.




The following topology shows a downstream FortiGate (Branch) connected to the root FortiGate (HQ) over IPsec VPN in order to join the Security Fabric:

Configure the IP address of the IPsec VPN interface that will be used to form the Security Fabric (repeat on both ends, swapping local and remote addresses):

- Go to Network -> Interfaces.
- Edit the tunnel interface in question.
- Set Role to LAN.
- Set the IP/Network Mask to
- Set Remote IP/Network Mask to

3) Make sure the phase 2 selectors cover the tunnel's own source and destination IP addresses (the local and remote tunnel IPs), not only the LAN subnets behind each site. Traffic between the tunnel IPs that matches no selector is never sent through the SA, so the Fabric session stays in 'connecting'.
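The CLI equivalent of steps 2 and 3 on both FortiGates, given here as an added example that is not part of the original article. The interface names "to-Branch" and "to-HQ", the tunnel addresses 10.255.255.1/32 (HQ) and 10.255.255.2/32 (Branch) and the group name "corp-fabric" are assumptions; replace them with your own. The `set upstream` keyword is the FortiOS 7.x form; 6.x firmware uses `set upstream-ip` instead. After the downstream connects, the root still has to authorize it under Security Fabric > Fabric Connectors (or the equivalent CLI), which is outside the scope of this article.

```fortios
# ---- Root FortiGate (HQ) ----
# Step 2: give the tunnel interface a local and a remote IP and allow Fabric
# (plus ping, for testing) as administrative access on it. The Fabric root
# listens on TCP 8013 only on interfaces where "fabric" is allowed.
# Names and addresses below are assumptions, not the article's values.
config system interface
    edit "to-Branch"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
        set role lan
        set allowaccess ping fabric
    next
end

# Step 3: a dedicated phase 2 selector for the tunnel IPs themselves.
# Not needed if the existing selectors are already 0.0.0.0/0 on both sides;
# needed when they only list the LAN subnets behind each site.
config vpn ipsec phase2-interface
    edit "to-Branch-p2-fabric"
        set phase1name "to-Branch"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 10.255.255.2 255.255.255.255
    next
end

# Make this device the Fabric root.
config system csf
    set status enable
    set group-name "corp-fabric"
end

# ---- Downstream FortiGate (Branch) ----
# Mirror image of the interface and selector configuration.
config system interface
    edit "to-HQ"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.255
        set role lan
        set allowaccess ping
    next
end

config vpn ipsec phase2-interface
    edit "to-HQ-p2-fabric"
        set phase1name "to-HQ"
        set src-subnet 10.255.255.2 255.255.255.255
        set dst-subnet 10.255.255.1 255.255.255.255
    next
end

# Point the downstream at the HQ *tunnel* IP, which is reachable only inside
# the SA, rather than at a public or loopback address that may not match any
# selector. FortiOS 7.x syntax; on 6.x use "set upstream-ip 10.255.255.1".
config system csf
    set status enable
    set upstream "10.255.255.1"
    set upstream-port 8013
end
```

Keeping the tunnel IPs in a /32 pair and adding an explicit selector for them is the least invasive fix: it leaves the existing LAN-to-LAN selectors untouched and makes it obvious in `diagnose vpn tunnel list` which SA the Fabric traffic is supposed to use.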


4) If the issue persists, test Fabric connectivity with the sniffer:

# diagnose sniffer packet any "port 8013" 6



- Port 8013 is the TCP port the root FortiGate listens on for Security Fabric connections from downstream devices.

- A remote IP can be configured on the tunnel interface even for dial-up IPsec VPN; there is no restriction that makes this site-to-site only.

- Configuring IP addresses on VPN interfaces is supported for dial-up VPN, just as it is for ADVPN, which is itself a dial-up VPN. The same applies to site-to-site IPsec VPN.
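A verification sequence that walks the four steps above in order, given here as an added example that is not part of the original article. It uses the same assumed names and addresses (tunnel interfaces "to-HQ" / "to-Branch", tunnel IPs 10.255.255.2 on Branch and 10.255.255.1 on HQ); substitute your own.

```fortios
# ---- On Branch (downstream) ----
# Step 1: is the SA up and is it counting packets in both directions?
diagnose vpn tunnel list name to-HQ

# Step 3: do the phase 2 selectors really cover the tunnel IPs? Ping the HQ
# tunnel IP *sourced from our own tunnel IP*. If LAN-to-LAN traffic works
# but this ping fails, the selectors (not the tunnel) are the problem.
execute ping-options source 10.255.255.2
execute ping 10.255.255.1

# Step 2: Fabric state as the downstream device sees it ('connecting' vs
# 'connected', and which upstream address it is trying).
diagnose sys csf upstream

# ---- On HQ (root) ----
# Step 4: watch the TCP 8013 handshake arriving through the tunnel.
# Verbosity 4 prints the interface name, so you can confirm the SYN arrives
# on "to-Branch" rather than on a WAN interface.
#   - SYN seen but no SYN/ACK back: "fabric" is missing from allowaccess on
#     the tunnel interface.
#   - No SYN at all: the selectors or routing never put the traffic in the SA.
diagnose sniffer packet any "host 10.255.255.2 and tcp port 8013" 4

# Downstream devices (pending and authorized) as the root sees them.
diagnose sys csf downstream
```

Running the source-pinned ping before the sniffer separates the two failure modes the article lists: a selector problem shows up as a ping failure with no packets at all on port 8013, whereas an administrative-access problem shows the SYN arriving on the tunnel interface with nothing sent back.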