Created on 07-05-2022 09:48 AM Edited on 07-21-2022 08:24 AM By Anonymous
Description: This article describes a Security Fabric connection failing over an IPsec tunnel.
Scope: FortiGate, all firmware.
Solution:
Follow the troubleshooting steps below:
1) Make sure the tunnel is up and passing traffic on both sides of the tunnel (Head Office and Branch).
2) If the connection to the upstream FortiGate via its loopback IP stays in the 'connecting' state and never reaches 'connected', make sure that IP addresses are configured on the VPN interface.
Example:
The following topology shows a downstream FortiGate (Branch) connected to the root FortiGate (HQ) over IPsec VPN to join the Security Fabric:
Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:
- Go to Network -> Interfaces.
- Edit Tunnel in question.
- Set Role to LAN.
- Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
- Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.
3) Make sure that the phase 2 selectors allow the source and destination IP addresses.
4) If the issue persists, test the Fabric connectivity using the sniffer:
# diagnose sniffer packet any "port 8013" 6
Notes:
- Port 8013 is the port used for Security Fabric synchronization.
- Adding a remote IP is valid even in the case of dial-up IPsec VPN.
- Configuring IP addresses on VPN interfaces is possible for dial-up VPN (as with ADVPN, which is also a dial-up VPN), and is equally valid for site-to-site IPsec VPN.
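The CLI equivalent of steps 2 to 4 above, as an added example that is not part of the original article or Fortinet's documentation. It assumes a tunnel interface named "HQ-VPN" with a phase 2 named "HQ-VPN-p2" (hypothetical names) and reuses the article's addresses (10.10.10.1 local, 10.10.10.3 remote); the `config system csf` keyword and the `diagnose sys csf` command are assumed and should be checked against the CLI reference for the firmware in use.

```fortios
# Step 2: give the tunnel interface a local IP and a remote IP so the
# Fabric connection has a routable endpoint inside the tunnel.
config system interface
    edit "HQ-VPN"
        set role lan
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.3 255.255.255.0
    next
end

# Step 3: the phase 2 selectors must include the Fabric endpoints; an
# all-zero selector is the simplest way to be sure 10.10.10.0/24 is allowed.
config vpn ipsec phase2-interface
    edit "HQ-VPN-p2"
        set phase1name "HQ-VPN"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Downstream FortiGate joining the Fabric through the root's tunnel IP
# (assumed syntax; newer firmware may use "set upstream" instead).
config system csf
    set status enable
    set upstream-ip 10.10.10.3
end

# Step 4: verification (assumed diagnostic command, plus the article's sniffer).
diagnose sys csf upstream
diagnose sniffer packet any "port 8013" 6
```

When reading the sniffer output, a TCP SYN to port 8013 that leaves the tunnel interface but never gets a SYN/ACK back usually points at the remote IP or the phase 2 selectors rather than at the Fabric configuration itself.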
Copyright 2023 Fortinet, Inc. All Rights Reserved.