olivern4
New Contributor II

Fortigate IPsec Site-to-Site Tunnel traffic is not passing through the other MPLS connection

Hi All,

We are having issues in our MPLS - IPsec VPN Tunnel, please see attached network diagram for reference.

[Attachment: Fortigate Network Diagram.jpg]

Whenever we up the tunnel in ISP1, we have no problem.

1. We can access the ATM and Blackbox Switch from the server and vice versa. We also have a test laptop on the client side which I forgot to include in the diagram.

2. We can traceroute the traffic and see that it is passing through the expected path, which shows the IP address from both sides in ISP1.

3. Even on Fortigate logs, we can see that traffic is using the right policy and static route.

The problem starts when we swing to ISP2 for HA testing.

1. We can still access the test laptop from the server and vice versa. We use the test laptop first before we proceed with adding the ATM and Blackbox, which is what we did in ISP1.

2. When we traceroute the traffic, we can still see that it is passing through the router in the ISP1 of the client side.

3. The client also tried to traceroute from their end, and it can reach the server, but we cannot see the IP address of our Head Office router and Fortigate firewall when they send the screenshot of the traceroute result.

4. We tried to disable the tunnel of ISP1, disable the static route on both firewalls and even the policy, and still when we do a traceroute, we can see that it is passing through the ISP1 of the client router. The client tried again to traceroute, but still we cannot see our IP addresses.

5. When we check the Forward Traffic in the Fortigate, it shows that it is passing through the right policy, which is using the ISP2 tunnel.

6. When I checked the "diag debug application ike -1" command and enabled it, it is still passing through the tunnel in ISP1 with the errors "error 101:Network is unreachable" and "could not send IKE Packet(ident_i1send)". Maybe because the tunnel in ISP1 is down.

Does anyone know why this is happening?

Thank you so much to anyone who can help us.
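An added checklist for the IKE "Network is unreachable" symptom in point 6; it is not from the post or from Fortinet. It assumes FortiOS CLI, the placeholder names wan2 and vpn-isp2, and the documentation addresses 203.0.113.1 (local ISP2 address) and 198.51.100.1 (the peer's ISP2 address); the exact ike log-filter syntax varies by FortiOS version.

```fortios
# Placeholders (assumed, not from the post):
#   wan2         = the ISP2 interface on this firewall
#   203.0.113.1  = this firewall's address on wan2
#   198.51.100.1 = the remote peer's ISP2 address
#   vpn-isp2     = the phase1 bound to ISP2

# 1. Check which route the firewall would use to reach the ISP2 peer.
#    If it resolves via the ISP1 interface, IKE is sent out the wrong link
#    and fails with "Network is unreachable" once ISP1 is down.
get router info routing-table details 198.51.100.1

# 2. If needed, give the peer a host route that is more specific than the
#    default route, so IKE and ESP always leave via wan2.
config router static
    edit 0
        set dst 198.51.100.1/32
        set device "wan2"
        set gateway <ISP2_NEXT_HOP>
    next
end

# 3. Pin the ISP2 phase1 to its own interface and source address so the
#    IKE initiator never uses the ISP1 path.
config vpn ipsec phase1-interface
    edit "vpn-isp2"
        set interface "wan2"
        set local-gw 203.0.113.1
        set remote-gw 198.51.100.1
    next
end

# 4. Watch IKE for this peer only (filter keyword is version dependent),
#    then let the tunnel renegotiate or send traffic across it.
diagnose vpn ike log filter rem-addr4 198.51.100.1
diagnose debug application ike -1
diagnose debug enable
# ... wait for the negotiation, then stop debugging:
diagnose debug disable
diagnose debug reset

# 5. Confirm the established gateway uses the ISP2 addresses on both ends.
diagnose vpn ike gateway list name vpn-isp2
```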

olivern4
New Contributor II

Hi All,

Initially, I want to express my gratitude to everyone for their assistance in resolving this problem. I'll follow all of your suggestions. We have not yet scheduled the activity because the client is still quite busy. I'll let you know when the action is over.

@DPadula Yes, that is the correct network diagram. As per client, there is no router on ISP1.

Thank you.
