Nivedha
Staff
Article Id 309693
Description: This article lists the logs and debug outputs to collect when opening an ADVPN ticket.
Scope: FortiGate.
Solution

ADVPN problems fall into two main categories: a routing issue or a tunnel issue. Collect the details for the category that matches the symptom.


For routing issues, collect the following debugs:

  • Details of the issue.
  • Topology details.
  • Source IP.
  • Destination IP.
  • Traffic flow: Source IP -> (LAN interface of FGTA) FGTA (IPsec tunnel name) ----- (IPsec tunnel name) FGTB (LAN interface of FGTB) -> Destination IP. These details are important for TAC engineers to understand the topology.
  • Policy IDs of the policies allowing the traffic on FGTA and FGTB.
  • Specific details of the traffic that is denied.
  • Config file of all FortiGates involved.
  • Routing commands:

get router info routing-table details <source IP>

get router info routing-table details <destination IP>


  • If BGP is involved:


get router info bgp summary

get router info bgp network <source IP> <----- From remote FortiGate.

get router info bgp network <destination IP> <----- From local FortiGate.


diag sys session filter src <source IP>

diag sys session filter dst <destination IP>

diag sys session list


If it is a tunnel issue, collect the following details:

  • Details of the issue.
  • Topology details.
  • Traffic flow: FGTA (IPsec tunnel name) ----- (IPsec tunnel name) FGTB. These details are important for TAC engineers to understand the topology.
  • Config file of all FortiGates involved.
  • Tunnel details:

diag vpn ike gateway list

diag vpn tunnel list

get vpn ipsec tunnel summary


  • IKE debugs (see the related article below):

Related article:

Troubleshooting Tip: IPSEC Tunnel (debugging IKE)
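A collection helper, added here as an example and not part of this article or any Fortinet tooling: it emits the routing-issue and tunnel-issue command sets listed above and, optionally, pipes them to a FortiGate over SSH, saving one file per device and issue type for the ticket. It assumes key-based SSH access to each FortiGate's management address and that the CLI accepts commands on standard input; the session filter is cleared before and after use so a stale filter does not hide sessions.

```shell
#!/bin/sh
# ADVPN ticket data collection helper (constructed example, assumes SSH key auth
# to the FortiGate management IP and that the CLI reads commands from stdin).

# Emit the routing-issue command set for a source/destination pair.
# The session filter is cleared first so an older filter cannot mask results.
advpn_routing_cmds() {
  src="$1"; dst="$2"
  printf '%s\n' \
    "get router info routing-table details $src" \
    "get router info routing-table details $dst" \
    "get router info bgp summary" \
    "get router info bgp network $src" \
    "get router info bgp network $dst" \
    "diag sys session filter clear" \
    "diag sys session filter src $src" \
    "diag sys session filter dst $dst" \
    "diag sys session list" \
    "diag sys session filter clear"
}

# Emit the tunnel-issue command set (the same on every FortiGate involved).
advpn_tunnel_cmds() {
  printf '%s\n' \
    "diag vpn ike gateway list" \
    "diag vpn tunnel list" \
    "get vpn ipsec tunnel summary"
}

# Run one command set on one FortiGate and save the output for the ticket.
# $1 = label (e.g. FGTA), $2 = admin@mgmt-ip, $3 = routing|tunnel, $4/$5 = src/dst IP
advpn_collect() {
  label="$1"; host="$2"; kind="$3"; src="$4"; dst="$5"
  case "$kind" in
    routing|tunnel) ;;
    *) echo "unknown issue type: $kind (use routing or tunnel)" >&2; return 1 ;;
  esac
  out="advpn_${label}_${kind}_$(date +%Y%m%d%H%M%S).txt"
  if [ "$kind" = routing ]; then
    advpn_routing_cmds "$src" "$dst"
  else
    advpn_tunnel_cmds
  fi | ssh -T "$host" > "$out" 2>&1
  echo "$out"
}

# Usage: run the routing set on both FortiGates, then the tunnel set.
# advpn_collect FGTA admin@192.0.2.1 routing 10.1.1.10 10.2.2.20
# advpn_collect FGTB admin@192.0.2.2 tunnel
```

Run the routing set on both FGTA and FGTB so TAC gets the routing table and BGP view from each side.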
