Created on
02-18-2021
08:48 AM
Edited on
03-18-2025
07:48 AM
By
Stephen_G
Description
This article describes how to troubleshoot basic IPsec tunnel issues and understand how to collect data required by TAC to investigate the VPN issues.
The process responsible for negotiating phase-1 and phase-2: 'IKE'.
Use the following steps to assist with resolving a VPN tunnel that is not active or passing traffic.
Scope
FortiGate.
Solution
Step 1: What type of tunnel have issues:
FortiOS supports:
Step 2: Is Phase-2 Status 'UP':
How to identify if Phase 2 is 'Up' or 'Down':
Phase-2 status can be found from both GUI and Command-Line.
From GUI:
When Phase2 is Down:
Execute the command 'diagnose vpn ike gateway list name <phase1-name>' <- To view the phase1 status for a specific tunnel.
The initiator is the side of the VPN that sends the initial tunnel setup requests.
Checklist:
Packet capture can be run from the CLI or the GUI:
GUI:
CLI:
diagnose sniffer packet any 'host <remote-peer-ip> and port (500 or 4500)' 6 0 l, control + c to stop
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 10.10.100.109 <- 10.10.100.109 is the remote gateway.
Note:
Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
diagnose vpn ike log filter rem-addr4 10.10.100.109
diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug console timestamp enable
diagnose debug enable
Note:
Try to run the packet capture and the logs at the same time.
If VDOMs are enabled, make sure to be in the VDOM context and then execute the above commands.
If there are more active tunnels on VDOM, is possible to reduce a possibly large debug output with the following command (FortiOS 7.4.x) and filter the debugged tunnel by name, for example:
diagnose vpn ike log filter name <name of tunnel>
Step 5: Phase1 has been established but Phase2 is down.
Checklist:
diagnose vpn ike gateway list (Or diagnose vpn ike gateway list name <tunnel-name>)
diagnose vpn ike log-filter dst-addr4 10.10.100.109 <- 10.10.100.109 is the remote gateway.
Note:
If VDOMs are enabled, make sure to be in the VDOM context and then execute the above commands.
Packet capture can be collected as shown below:
Step 6: Phase2 is up but traffic is not passing.
Once the tunnel is up, traffic will be encapsulated in ESP (Encapsulating Security Payload) protocol and sent to the remote peer.
Checklist:
1. Make sure the quick mode selector defined in Phase2 is configured properly to allow the traffic flow, which is having the issue.
For example:
Phase 2 define below allows traffic between – 192.168.1.0/24 and 192.168.2.0/24.
In cases where ping is used as the diagnostic tool to test connectivity between local and remote sites, it will fail despite having the required firewall policy, phase 2 selectors (if defined), and static routes/blackhole routes configured on the FortiGate. However, when running the debug flow, it will show that the traffic is leaving the correct tunnel interface and gateway.
Ping to the FortiGate interface and the remote wan interface works. To resolve this, check the Windows firewall settings on the destination devices whether it is enabled. This is a default behavior on the Windows firewall. To allow ICMP requests for testing connectivity, refer to these articles:
If the issue persists:
SSH session 1:
diagnose debug console timestamp enable
diagnose debug flow filter addr <destination-IP>
diagnose debug flow filter proto <1 or 17 or 6> (optional) where 1=ICMP, 6 = TCP, 17 = UDP…
diagnose debug flow show iprope enable
diagnose debug flow trace start 1000
Note other protocol numbers can used as well for example OSPF(89).
SSH Session 2:
diagnose vpn tunnel list (Or diagnose vpn tunnel list name <phase2_tunnel_name> ).
SSH Session 3:
To clear the session for the source and destination use the following command:
diagnose sys session filter clear
diagnose sys session filter src <source-IP>
diagnose sys session clear
diagnose sys session filter clear
diagnose sys session filter dst <destination-IP>
diagnose sys session clear
Note:
If VDOMs are enabled, make sure not to be in the VDOM context, and then execute the command above.
Make sure to collect packet capture and the logs mentioned above around the same and attach it to the Fortinet case updates.
diagnose debug crashlog read
diagnose sys top 2 50 <- Press Ctrl + C to stop (run for 5 iterations).
get system performance status
diagnose hardware sysinfo conserve
diagnose hardware deviceinfo nic <interface-name>
execute tac report
If only one tunnel is flapping, collect the 'VPN Events' log as shown below:
Make sure to collect packet capture and all the logs mentioned above around the same and attach it to the Fortinet case updates.
Note: Some ISP blocks traffic on port 500, if no ESP packets are being received force NAT-T under phase1>>network.
An ISP can block ESP packets even if the tunnel is up as they can filter traffic based on protocol number even after the tunnel is established.
Related articles:
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.