Technical Tip: Sync VPN tunnel back to VPN Manager after re-adding the device

When VPN tunnels are created by the VPN manager for some reason FortiGate was removed from Fortimanager. This will put the device out of sync with Fortimanager. Upon adding the device back, VPN tunnels will be removed on the next policy package install.

To avoid the removal of tunnels, follow these steps: 

1. Confirm the tunnel number of the device being added back. It can be confirmed from a managed Hub device when using the 'Hub & Spoke' topology or any managed device when using the 'Site-to-Site'(mesh) topology.

Note:

The tunnel names installed to the FortiGate device by VPN Manager have Hexadecimal sequence and the ID of vpnmgr nodes in the FortiManager database is in Decimal format. Therefore the 10^th vpnmgr node has its tunnel named as 1a and 16^th node as 10. 

2. Check the VPN manager node in the Policy DB using the command in FortiManager CLI:

exe fmpolicy print-adom-object 3 1005 all

Example of CLI output showing the vpnmgr node for 'VPN-Mesh_a' tunnel:

3. Once identified the id missing from the 'vpnmgr node' table, create a script by copying syntax of one of the vpnmgr nodes in the same community (make sure to use the syntax of the correct community, if there is more than 1).
4. Create a CLI script to run on 'Policy Package or ADOM Database', for example, the device had ID 4 when the tunnel was created:

config vpnmgr node

edit "4"
        set vpntable "VPN"
        set role spoke
        set iface "wan1"
        set automatic_routing enable
        set net-device disable
        set network-id 0
            config protected_subnet
                edit 1
                    set addr "FABRIC_DEVICE"

                next
            end
                set _scope "FortiGate-200E"-"root"
            next

5. Run the script, it will add the vpnmgr node back and further installation to the device will not remove the tunnel.