Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RJ1
New Contributor III

ADVPN DYNAMIC tunnels are not getting established | failed to add dynamc IPsec SA due to route clash

Hello,

 

ADVPN DYNAMIC tunnel (spoke to spoke) is not getting established; I am getting the logs below:

 

ike 0:SPOKE1_0:426016: route configuration mismatch with SPOKE1
ike 0:SPOKE1_0:1658729:SPOKE1:426016: failed to add dynamc IPsec SA due to route clash
ike Failed to add selectors

SJ
Anthony_E
Community Manager

Hello SJ,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hi SJ,

 

To troubleshoot the issue where ADVPN dynamic tunnels are not getting established due to a failed addition of a dynamic IPsec SA caused by a route clash:

  1. Check Routing Configuration:
     - Verify the routing table on the FortiGate to ensure no conflicting routes are causing the clash.
     - Check for any overlapping subnets or conflicting static routes that might be causing the route clash.
  2. Verify Phase 1 and Phase 2 Settings:
     - Ensure that the Phase 1 and Phase 2 settings for the ADVPN tunnels are correctly configured on all devices.
     - Check for any misconfigurations in the IPsec settings that could be preventing the establishment of dynamic tunnels.
  3. Analyze IPsec SA Status:
     - Use the command 'diag vpn ike status' to check the IKE and IPsec SA status for the ADVPN tunnels.
     - Look for any errors or inconsistencies in the SA establishment process that could indicate the cause of the failure.
  4. Troubleshoot Route Reflection:
     - If using BGP in the ADVPN setup, ensure that the route reflector configuration is correctly set up on the hub FortiGate.
     - Check the BGP neighbor settings and verify that the route reflector client is enabled on the hub device.
  5. Clear Existing IPsec SAs:
     - If there are existing IPsec SAs causing conflicts, you may need to clear them using the command 'clear vpn ipsec-sa' to remove any stale or conflicting SAs.
  6. Monitor Logs and Debug Output:
     - Enable debug logging for IPsec and routing on the FortiGate to capture detailed information about the failed SA addition and route clash.
     - Analyze the logs to identify the specific cause of the issue and take corrective actions accordingly.
Anthony-Fortinet Community Team.
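Step 1 of the answer above, checking the routing table for the same prefix reachable through different interfaces or for overlapping prefixes already owned by another dynamic tunnel, can be scripted against a routing-table export. The following is an added example written for this page, not code from the thread or from Fortinet. The route lines are constructed in a simplified "proto prefix via nexthop, interface" form rather than real FortiGate 'get router info routing-table all' output, and the script assumes dynamic child tunnels are named <phase1>_<n> (as in the log's SPOKE1_0) to tell tunnel routes apart from physical interfaces.

```python
"""Flag routing-table entries that would collide with the selector route a
dynamic (ADVPN shortcut) IPsec SA tries to install.

Added example, not from the forum thread or Fortinet. Route lines are
constructed in a simplified format, not real FortiGate CLI output.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# Constructed sample routing table (simplified, not FortiOS output).
# 10.30.0.0/24 is reachable both via the hub tunnel (BGP) and via a leftover
# static route pointing at a dynamic SPOKE1_0 child tunnel: a clash candidate.
SAMPLE_ROUTES = """\
S   10.10.0.0/16 via 10.0.0.1, port1
B   10.20.0.0/24 via 10.255.1.2, HUB1_0
B   10.30.0.0/24 via 10.255.1.3, HUB1_0
S   10.30.0.0/24 via 10.255.2.3, SPOKE1_0
C   10.255.1.0/24 via 0.0.0.0, HUB1
"""

ROUTE_RE = re.compile(
    r"^\s*(?P<proto>\S)\s+(?P<prefix>\S+)\s+via\s+(?P<nh>\S+),\s*(?P<iface>\S+)\s*$"
)
# Assumption: dynamic child tunnels are named <phase1>_<n>, e.g. SPOKE1_0.
DYN_TUNNEL_RE = re.compile(r"_\d+$")


@dataclass(frozen=True)
class Route:
    proto: str
    prefix: IPv4Network
    nexthop: str
    iface: str

    def is_dynamic_tunnel(self) -> bool:
        return bool(DYN_TUNNEL_RE.search(self.iface))


def parse_routes(text: str) -> list[Route]:
    """Parse the simplified route lines; raise on anything unexpected."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable route line: {line!r}")
        routes.append(
            Route(m["proto"], ip_network(m["prefix"], strict=False), m["nh"], m["iface"])
        )
    return routes


def find_clashes(routes: list[Route]) -> list[tuple[Route, Route]]:
    """Pairs of routes for exactly the same prefix that exit via different interfaces."""
    clashes = []
    for i, a in enumerate(routes):
        for b in routes[i + 1:]:
            if a.prefix == b.prefix and a.iface != b.iface:
                clashes.append((a, b))
    return clashes


def conflicts_for_selector(routes: list[Route], selector: str, tunnel_iface: str) -> list[Route]:
    """Existing routes that would conflict if dynamic tunnel `tunnel_iface` installed
    a route for `selector`: the same prefix on another interface, or an overlapping
    prefix already owned by a different dynamic tunnel."""
    sel = ip_network(selector, strict=False)
    conflicting = []
    for r in routes:
        if r.iface == tunnel_iface:
            continue  # a route the same tunnel already owns is not a clash
        if r.prefix == sel or (r.is_dynamic_tunnel() and r.prefix.overlaps(sel)):
            conflicting.append(r)
    return conflicting


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for a, b in find_clashes(table):
        print(f"CLASH {a.prefix}: {a.proto} via {a.iface} vs {b.proto} via {b.iface}")
    # Would a new shortcut SPOKE2_0 carrying 10.30.0.0/24 collide with anything?
    for r in conflicts_for_selector(table, "10.30.0.0/24", "SPOKE2_0"):
        print(f"selector 10.30.0.0/24 on SPOKE2_0 conflicts with {r.proto} {r.prefix} via {r.iface}")
```

Run it against your own export after converting the lines to the same shape; any pair printed by find_clashes is what to resolve (typically a static route left pointing at a tunnel that dynamic routing now also covers) before retrying the shortcut.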