FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 216713
Description This article describes how to troubleshoot a Security Fabric connection that fails to form over an IPsec tunnel.
Scope FortiGate, all firmware.

Follow the below troubleshooting steps:


1) Make sure the tunnel is up and passing traffic on both sides of the tunnel (Head Office and Branch).


2) Attempting to connect to the upstream FortiGate using its loopback IP shows the 'connecting' state but never reaches 'connected'.

In this case, make sure that IP addresses are configured on the VPN (tunnel) interface.




The following topology shows a downstream FortiGate (Branch) connected to the root FortiGate (HQ) over IPsec VPN to join the Security Fabric:



Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:


- Go to Network -> Interfaces.


- Edit the tunnel interface in question.


- Set Role to LAN.


- Set the IP/Network Mask to


- Set Remote IP/Network Mask to


3) Make sure that the phase 2 selectors allow the source and destination IP addresses used for the Security Fabric connection.


4) If the issue persists, test the Fabric connectivity using the sniffer:

# diagnose sniffer packet any "port 8013" 6



- Port 8013 is the port used for Security Fabric synchronization.

- Adding a remote IP on the tunnel interface is fine even in the case of dial-up IPsec VPN.

- Configuring IP addresses on VPN interfaces is still possible for dial-up VPN, similar to ADVPN, which is also a dial-up VPN. This also applies to site-to-site IPsec VPN.
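The GUI steps above, expressed as the equivalent CLI on the downstream (Branch) FortiGate, as an added example that is not from the original article or Fortinet documentation; the tunnel name HQ-VPN, the /32 tunnel addresses 10.10.10.1 (HQ) and 10.10.10.2 (Branch), and the exact `config system csf` key name are assumptions that vary by firmware.

```fortios
# --- Downstream (Branch) FortiGate -----------------------------------------
# Misconfigured state that leaves the Fabric stuck in 'connecting':
# the tunnel interface exists but carries no IP address.
#   config system interface
#       edit "HQ-VPN"
#           set type tunnel
#       next
#   end
#
# Corrected: a /32 on the tunnel plus the peer's /32 as remote-ip
# (10.10.10.1 = HQ, 10.10.10.2 = Branch are constructed example addresses;
# HQ mirrors this with ip 10.10.10.1 / remote-ip 10.10.10.2).
config system interface
    edit "HQ-VPN"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
        set role lan
    next
end

# Phase 2 selectors must cover the tunnel endpoint IPs. If the selectors are
# narrowed from 0.0.0.0/0 to LAN subnets, add one for the Fabric traffic
# (mirror src/dst on the HQ side).
config vpn ipsec phase2-interface
    edit "HQ-VPN-fabric"
        set phase1name "HQ-VPN"
        set src-subnet 10.10.10.2 255.255.255.255
        set dst-subnet 10.10.10.1 255.255.255.255
    next
end

# Point the Branch at HQ's tunnel IP (not a loopback). The key name is
# firmware dependent (assumed 'upstream' on 7.x, 'upstream-ip' on 6.x);
# confirm with '?' in your CLI.
config system csf
    set status enable
    set upstream 10.10.10.1
end

# Verification: tunnel up first, then Fabric sync on TCP 8013 seen in
# both directions between the two tunnel IPs.
diagnose vpn tunnel list name HQ-VPN
diagnose sniffer packet any "port 8013" 6
```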