samandeep
Staff
Article Id 334122
Description This article describes why zero bytes show for incoming and outgoing traffic once both phases of the IPsec tunnel are UP.
Scope FortiOS v7.x.x.
Solution


There are some possible causes:

  • Phase 2 configuration is incorrect: the Phase 2 selectors in the configuration do not match the actual subnets that generate the traffic.
  • Firewall policy: the local and remote subnets may not be included in the firewall policy; also check the other matching criteria, such as the incoming and outgoing interfaces, services, schedule, and whether the action is 'DENY' or 'ALLOW'.
  • Routing: for VPN traffic, the FortiGate must have proper routes to the remote subnets. Check the routing table on both the local and the remote firewall, and make sure the routes are active.
  • Device availability: no device connected to the local FortiGate is generating traffic towards the remote side.

To resolve these kinds of issues, work through the checks below.

Check the routing table using the command below on both sides:

get router info routing-table details <destination (remote site)>

Ensure that the output shows the VPN interface.

Run a continuous ping from the local site to the remote site. This can be done from a device connected to the FortiGate LAN interface:

ping <remote IP> -t

If no device is available, the ping test can also be executed from the FortiGate CLI. In that case, specify a source IP: the FortiGate internal interface IP, which must also fall inside the local Phase 2 selector.

exe ping-options source <FortiGate internal interface IP>

exe ping-options repeat-count 99

exe ping <remote IP>

Run the packet sniffer and the debug flow commands on both sides.

CLI 1:

diagnose sniffer packet any "host <destination-IP> and icmp" 4 0 l

CLI 2:

diagnose debug reset

diagnose debug flow filter addr <destination-IP> <Source-IP> and

diagnose debug flow show function-name enable

diagnose debug flow show iprope enable

diagnose debug console timestamp enable

diagnose debug flow trace start 999

diagnose debug enable

To stop the debug:

diagnose debug disable

Review the flow trace output and look for messages containing 'offloading' or 'drop'.
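When the trace is long, the 'offloading' and 'drop' check can be automated. The script below is an added example and not part of the Fortinet article: it groups diagnose debug flow output by trace_id and reports, per trace, the route interface (which should be the VPN interface), the policy verdict, the IPsec interface entered, and whether the packet was offloaded or dropped. The sample trace and the message wording it matches on are constructed to resemble FortiOS output and are assumptions, not verbatim FortiOS text.

```python
"""Triage 'diagnose debug flow trace' output for IPsec traffic.
Added example, not Fortinet's code; message wording is an assumption
that varies between FortiOS builds, so extend the patterns if needed."""
import re

MSG_RE = re.compile(r'trace_id=(\d+) .*?msg="([^"]*)"')

# Constructed sample: trace 1 is encrypted into the tunnel, trace 2 is
# denied by policy, trace 3 is routed out port1 instead and NP-offloaded.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.2.2.10 via siteB-vpn"
id=20085 trace_id=1 func=fw_forward_handler line=798 msg="Allowed by Policy-5:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-siteB-vpn"
id=20085 trace_id=1 func=esp_output4 line=905 msg="encrypted, and send to 203.0.113.2 with source 198.51.100.2"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.2.2.10 via siteB-vpn"
id=20085 trace_id=2 func=fw_forward_handler line=748 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.0.2.1 via port1"
id=20085 trace_id=3 func=npu_handle_session44 line=1178 msg="Trying to offloading session from port2 to port1, skb.npu_flag=00000400"
"""

def parse_trace(text):
    """Group the msg field of each line by trace_id, preserving order."""
    traces = {}
    for m in MSG_RE.finditer(text):
        traces.setdefault(int(m.group(1)), []).append(m.group(2))
    return traces

def triage(msgs):
    """Summarise one trace with the fields the article says to look for."""
    v = {"route_iface": None, "policy": None, "ipsec_iface": None,
         "offloaded": False, "dropped": False}
    for msg in msgs:
        low = msg.lower()
        if low.startswith("find a route"):
            v["route_iface"] = msg.rsplit("via ", 1)[-1]  # should be the VPN interface
        elif low.startswith("allowed by policy"):
            v["policy"] = "allow"
        elif low.startswith("denied by"):
            v["policy"], v["dropped"] = "deny", True
        elif low.startswith("enter ipsec interface-"):
            v["ipsec_iface"] = msg.split("interface-", 1)[1]
        if "offload" in low:  # NPU-offloaded: later packets of the session leave no trace
            v["offloaded"] = True
        if "drop" in low:
            v["dropped"] = True
    return v

def triage_all(text):
    return {tid: triage(msgs) for tid, msgs in parse_trace(text).items()}
```

A trace whose route_iface is not the VPN interface points at the routing cause listed above; a deny verdict or a drop points at the firewall policy.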

 

If the results only show on one side, check for ESP packets. Run the following sniffer on both sides:

diagnose sniffer packet any "host <remote-gateway-IP> and esp" 4 0 l

If there are no ESP packets and only port 500 traffic, it is possible that the ESP packets are being dropped in transit.

To test this, force NAT-T in the Phase 1 configuration of the FortiGate.

Afterwards, look for port 4500 traffic using the following packet sniffer command:

diagnose sniffer packet any "host <remote-gateway-IP> and port 4500" 4 0 l

If traffic is still not showing in the IPsec monitor, raise a ticket with TAC with all of the above information.
