Raghu_Kumar
Staff
Article Id 216713
Description This article describes an issue where a Security Fabric connection over an IPsec tunnel fails or gets stuck in the 'connecting' state.
Scope FortiGate, all firmware.
Solution

Follow these troubleshooting steps:

  1. Make sure the tunnel is up and running with traffic on both sides of the tunnels (Head Office and Branch).

  2. Try to connect to the upstream FortiGate using a loopback IP. The connection shows a 'connecting' state but never reaches 'connected'.

Make sure the IP addresses are configured on the VPN interface.

Example:

The following topology shows a downstream FortiGate (Branch) connected to the root FortiGate (HQ) over IPsec VPN to join the Security Fabric:


Configure the IPsec VPN interface IP address which will be used to form the Security Fabric.

  • Go to Network -> Interfaces.
  • Edit the Tunnel in question.
  • Set the Role to LAN.
  • Set the IP/Network Mask to 10.10.10.1/255.255.255.255.
  • Set the Remote IP/Network Mask to 10.10.10.3/255.255.255.0.

  1. Make sure that phase2 selectors allow the source and destination IP addresses.

  2. If the issue still surfaces, test the fabric connectivity using a sniffer:

diagnose sniffer packet any "port 8013" 6 0 l
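As an added illustration of the phase2 selector check in step 1 (not code from the article or from FortiOS), the following Python script models the two endpoints from the topology above, the HQ tunnel IP 10.10.10.1 and the Branch tunnel IP 10.10.10.3, and reports whether a phase2 selector set on each side would select the Fabric join over TCP 8013. The selector lists are constructed examples; the subnet values assumed for the LANs are arbitrary.

```python
import ipaddress

# Constructed values mirroring the article's topology: HQ tunnel IP 10.10.10.1,
# Branch tunnel IP 10.10.10.3, Security Fabric syncing on TCP 8013 (the default
# upstream-port named in the article). Illustrative check, not FortiOS code.
HQ_TUNNEL_IP = "10.10.10.1"
BRANCH_TUNNEL_IP = "10.10.10.3"
FABRIC_PORT = 8013


def selector_covers(selector, local_ip, remote_ip):
    """True if one phase2 selector (local 'src' subnet, remote 'dst' subnet,
    both CIDR strings) includes both endpoints of a local -> remote flow."""
    return (ipaddress.ip_address(local_ip) in ipaddress.ip_network(selector["src"])
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(selector["dst"]))


def check_fabric_path(branch_selectors, hq_selectors,
                      branch_ip=BRANCH_TUNNEL_IP, hq_ip=HQ_TUNNEL_IP, port=FABRIC_PORT):
    """Report why a Fabric join over the tunnel would be dropped by phase2.

    The join is a TCP flow Branch -> HQ:port between the tunnel interface IPs.
    It needs a phase2 selector on the Branch (src = Branch side, dst = HQ side)
    and a mirrored one on HQ (src = HQ side, dst = Branch side). Returns a list
    of problems; an empty list means both sides select the fabric endpoints.
    """
    problems = []
    if not any(selector_covers(s, branch_ip, hq_ip) for s in branch_selectors):
        problems.append(f"Branch phase2 does not select {branch_ip} -> {hq_ip}:{port}")
    if not any(selector_covers(s, hq_ip, branch_ip) for s in hq_selectors):
        problems.append(f"HQ phase2 does not select {hq_ip} -> {branch_ip} (return path)")
    return problems


# Constructed phase2 selectors: LAN-to-LAN only, a selector set that would
# block the join even after the tunnel interface IPs have been configured.
LAN_ONLY_BRANCH = [{"src": "192.168.2.0/24", "dst": "192.168.1.0/24"}]
LAN_ONLY_HQ = [{"src": "192.168.1.0/24", "dst": "192.168.2.0/24"}]
# Corrected: an extra selector covering the tunnel interface subnet.
FIXED_BRANCH = LAN_ONLY_BRANCH + [{"src": "10.10.10.0/24", "dst": "10.10.10.0/24"}]
FIXED_HQ = LAN_ONLY_HQ + [{"src": "10.10.10.0/24", "dst": "10.10.10.0/24"}]

if __name__ == "__main__":
    for label, b, h in (("LAN only", LAN_ONLY_BRANCH, LAN_ONLY_HQ),
                        ("fixed", FIXED_BRANCH, FIXED_HQ)):
        print(label, check_fabric_path(b, h) or "OK")
```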

Note:

  • By default, port 8013 (set upstream-port 8013) is the port used for Security Fabric syncing.
  • The remote IP must still be added on the VPN interface, even in the case of a dial-up IPsec VPN.
  • Configuring IP addresses is still possible on VPN interfaces for dial-up VPN, similar to ADVPN, which is a dial-up VPN too. This is also valid for a site-to-site IPsec VPN.

Related article: 

Troubleshooting Tip: Troubleshooting Security Fabric Issues