Raghu_Kumar
Description This article describes a Security Fabric connection that fails over an IPsec tunnel.
Scope FortiGate, all firmware.
Solution

Follow the troubleshooting steps below:

 

1) Make sure the tunnel is up and passing traffic on both sides (Head Office and Branch).

 

2) Connecting to the upstream FortiGate via a loopback IP shows the 'connecting' state but never reaches 'connected'.

In this case, make sure IP addresses are configured on the VPN interface.

 

Example:

 

The following topology shows a downstream FortiGate (Branch) connected to the root FortiGate (HQ) over IPsec VPN to join the Security Fabric:


 

Configure the IPsec VPN interface IP address that will be used to form the Security Fabric:

 

- Go to Network -> Interfaces.

 

- Edit the tunnel in question.

 

- Set Role to LAN.

 

- Set the IP/Network Mask to 10.10.10.1/255.255.255.255.

 

- Set Remote IP/Network Mask to 10.10.10.3/255.255.255.0.

 

3) Make sure that the phase 2 selectors allow the source and destination IP addresses.

 

4) If the issue persists, test the fabric connectivity using the sniffer:

 

# diagnose sniffer packet any "port 8013" 6

 

Note:

- Port 8013 is the port used for Security Fabric synchronization.

 

- A remote IP can be added without hesitation, even in the case of dial-up IPsec VPN.

 

- Configuring IP addresses on VPN interfaces is still possible for dial-up VPN, just as with ADVPN, which is also a dial-up VPN. This also applies to site-to-site IPsec VPN.
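The GUI steps and checks above, expressed in the FortiOS CLI as an added example that is not part of the original article. The tunnel interface name HQ-VPN is assumed; the addresses are the ones used in the topology above, with the HQ side holding 10.10.10.3 and the Branch side holding 10.10.10.1. Enabling 'fabric' in allowaccess on the interface the downstream connects to is a standard Security Fabric requirement, not a step from this article.

```fortios
# Added example (not from the article). Tunnel interface name HQ-VPN is assumed.

# --- Root FortiGate (HQ): give the tunnel interface an address and allow
# --- fabric connections on it, since the downstream connects to this IP.
config system interface
    edit "HQ-VPN"
        set ip 10.10.10.3 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.0
        set role lan
        set allowaccess ping fabric
    next
end

# --- Downstream FortiGate (Branch): mirror image of the same interface,
# --- matching the GUI values in the article (IP 10.10.10.1, remote 10.10.10.3).
config system interface
    edit "HQ-VPN"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.3 255.255.255.0
        set role lan
        set allowaccess ping
    next
end

# --- Verification on the Branch FortiGate, in the order of steps 1 to 4 above.

# Step 1/2: the root's tunnel IP must answer from the local tunnel IP.
execute ping-options source 10.10.10.1
execute ping 10.10.10.3

# Step 3: the phase 2 selectors must cover 10.10.10.1 and 10.10.10.3;
# the tunnel list shows the negotiated selectors and whether the SA is up.
show vpn ipsec phase2-interface
diagnose vpn tunnel list name HQ-VPN

# Step 4: watch the Security Fabric session (TCP 8013) on the tunnel only,
# verbosity 6 as in the article; both SYN and SYN/ACK should be visible.
diagnose sniffer packet HQ-VPN "port 8013" 6
```

If the ping fails, the interface addressing or phase 2 selectors are the problem, not the Fabric itself; if the ping works but the sniffer shows only outbound SYNs on port 8013, the root side is not accepting fabric connections on that interface.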
