This article describes how to troubleshoot an SD-WAN on-ramp POP that is unable to connect to FortiSASE because of the error 'could not allocate IPv4 address'.
FortiSASE, SD-WAN On-Ramp, FortiGate.
The VPN tunnel summary shows that the tx packet counter of the tunnel named VPN1_a is not increasing.
Logs:
SASE_Backend_Mum $ get vpn ipsec tunnel summary
'VPN1_0' 84.36.24.98:0 selectors(total,up): 1/1 rx(pkt,err): 668942425/0 tx(pkt,err): 918467959/115105
'VPN1_1' 196.219.202.66:0 selectors(total,up): 1/1 rx(pkt,err): 2445162/0 tx(pkt,err): 2425003/22
'VPN1_2' 196.219.9.62:0 selectors(total,up): 1/1 rx(pkt,err): 25611869/0 tx(pkt,err): 23823158/0
'hub1' 54.74.245.240:4500 selectors(total,up): 1/1 rx(pkt,err): 2643477/111 tx(pkt,err): 7994496/192
'VPN1_a' 82.129.175.106:0 selectors(total,up): 1/1 rx(pkt,err): 4473/0 tx(pkt,err): 0/0 --- 11th tunnel connection
'VPN1_3' 217.139.1.74:0 selectors(total,up): 1/1 rx(pkt,err): 3695528/0 tx(pkt,err): 7419388/0
'VPN1_4' 196.219.245.74:0 selectors(total,up): 1/1 rx(pkt,err): 326239882/0 tx(pkt,err): 502089975/71
'VPN1_5' 217.139.143.114:0 selectors(total,up): 1/1 rx(pkt,err): 317797/0 tx(pkt,err): 423839/0
'VPN1_6' 217.139.144.122:0 selectors(total,up): 1/1 rx(pkt,err): 2224754/0 tx(pkt,err): 3192109/0
'VPN1_7' 217.139.20.118:0 selectors(total,up): 1/1 rx(pkt,err): 14033727/0 tx(pkt,err): 19389304/0
'VPN1_8' 217.139.20.122:0 selectors(total,up): 1/1 rx(pkt,err): 1232994/0 tx(pkt,err): 1658015/0
'VPN1_9' 217.139.1.202:0 selectors(total,up): 1/1 rx(pkt,err): 14955604/0 tx(pkt,err): 20284734/0
With the VPN config below, only 10 dial-up VPN clients can establish an IPsec tunnel with FortiSASE. If an 11th device tries to connect to FortiSASE, the IKE debug shows the error 'could not allocate IPv4 address'.
VPN config on FortiSASE Backend Firewall:
SASE_Backend_Mum $ edit "VPN1"
set type dynamic
set interface "port4"
set ike-version 2
set peertype any
set net-device disable
set exchange-interface-ip enable
set mode-cfg enable
set proposal aes256-sha256
set add-route disable
set dpd on-idle
set network-overlay enable
set network-id 1
set ipv4-start-ip 10.248.1.11
set ipv4-end-ip 10.248.1.20
set ipv4-netmask 255.255.255.0
The IKE debugs collected on the backend FortiGate firewall show the error 'could not allocate IPv4 address'.
Commands:
diagnose vpn ike log filter dst-addr4 82.129.175.106
diagnose debug console timestamp enable
diagnose debug app ike -1
diagnose debug enable
Logs:
2025-10-26 11:36:17.489458 ike 0:VPN1:1348: mode-cfg type 7 request 45:'466F727469476174652D353030452076372E322E392C6275696C64313638382C323430383133202847412E4D29'
2025-10-26 11:36:17.489696 ike 0:VPN1:1348: mode-cfg received APPLICATION_VERSION 'FortiGate-500E v7.2.9,build1688,240813 (GA.M)'
2025-10-26 11:36:17.489929 ike 0:VPN1:1348: mode-cfg type 1 request 0:''
2025-10-26 11:36:17.490170 ike 0:VPN1: could not allocate IPv4 address
2025-10-26 11:36:17.490412 ike 0:VPN1:1348: could not allocate IPv4 address
2025-10-26 11:36:17.490651 ike 0:VPN1:1348: mode-cfg type 2 request 0:''
2025-10-26 11:36:17.490891 ike 0:VPN1:1348: mode-cfg type 13 request 0:''
This error occurs because the IP pool configured under the VPN settings is exhausted. To bring the new connection up, increase the pool range in the FortiSASE portal.
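The check described above can be run offline against saved CLI output. The following is an added example, not Fortinet code: it compares the mode-cfg pool size with the number of dial-up tunnel instances and lists tunnels that receive but never transmit. The function names and the sample input are constructed for illustration, and the tunnel naming VPN1_<suffix> is assumed from the summary output shown in this article.

```python
import ipaddress
import re

# Constructed sample input in the format of the article's CLI output
# (documentation addresses and made-up counters; pool range as in the article).
PHASE1 = '''edit "VPN1"
    set type dynamic
    set mode-cfg enable
    set ipv4-start-ip 10.248.1.11
    set ipv4-end-ip 10.248.1.20
'''
LINE = "'{}' 203.0.113.{}:0 selectors(total,up): 1/1 rx(pkt,err): {}/0 tx(pkt,err): {}/0"
SUMMARY = "\n".join(
    [LINE.format(f"VPN1_{i}", 10 + i, 5000 + i, 7000 + i) for i in range(10)]
    + [LINE.format("VPN1_a", 30, 4473, 0),
       "'hub1' 203.0.113.99:4500 selectors(total,up): 1/1 rx(pkt,err): 26/1 tx(pkt,err): 79/2"]
)

def pool_size(phase1_text):
    """Number of addresses between ipv4-start-ip and ipv4-end-ip, inclusive."""
    start, end = (
        ipaddress.IPv4Address(re.search(rf"set ipv4-{k}-ip (\S+)", phase1_text).group(1))
        for k in ("start", "end")
    )
    return int(end) - int(start) + 1

def dialup_tunnels(summary_text, phase1_name):
    """Return {tunnel_name: (rx_pkts, tx_pkts)} for instances of one dial-up phase1."""
    pat = re.compile(r"^'(%s_\w+)' .*rx\(pkt,err\): (\d+)/\d+ tx\(pkt,err\): (\d+)/\d+"
                     % re.escape(phase1_name), re.M)
    return {m[1]: (int(m[2]), int(m[3])) for m in pat.finditer(summary_text)}

def check_pool(phase1_text, summary_text, phase1_name="VPN1"):
    """Compare tunnel instances with pool capacity and list receive-only tunnels."""
    tunnels = dialup_tunnels(summary_text, phase1_name)
    stalled = sorted(n for n, (rx, tx) in tunnels.items() if rx > 0 and tx == 0)
    size = pool_size(phase1_text)
    return {"pool_size": size, "tunnels": len(tunnels),
            "over_capacity": len(tunnels) > size, "stalled": stalled}

if __name__ == "__main__":
    print(check_pool(PHASE1, SUMMARY))
```

A tunnel reported in "stalled" while "over_capacity" is true matches the symptom in this article; confirm with the IKE debug before changing the pool range.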