JoaquimdeSousa
New Contributor

Fortinet tunnel is showing inactive state

Hello All,

I have this issue. FortiGate 40F (v6.4.15 build2095)

Fortinet tunnel is showing inactive state

Reproduction : I use the GUI not the CLI.

1. I created a vpn user

2. I assigned this user to a vpn group

3. I used the VPN wizard to create a Dialup FortiClient (Windows, Mac OS, Android):
-> https://docs.fortinet.com/document/fortigate/6.4.15/administration-guide/785501/forticlient-as-dialu...

4. In Firewall & Objects
-> Addresses :
-> Created automatically -> vpn1_range = 192.168.1.1-192.168.1.254
-> Created automatically -> vpn1_split = members = lan
-> Firewall Policy :
-> Created automatically -> vpn_vpn1_remote_0

-> The VPN was created, but shows INACTIVE.

I really don't understand. Can someone help, please?

Kind Regards,
Jo

dingjerry_FTNT

Hi @JoaquimdeSousa ,

Please get at least one client connected to the VPN, then check the status.

Regards,

Jerry
JoaquimdeSousa
New Contributor

Hi @dingjerry_FTNT,

Thanks for the quick reply.

On the client side: I tested using https://www.fortinet.com/support/product-downloads
-> FortiClient VPN for Windows

On the client side, the connection keeps timing out after some seconds.

On the FortiGate 40F, there is no change; it still displays "inactive".

I am sending you a screenshot of the events below.

Kind Regards,
Jo

dingjerry_FTNT

Hi @JoaquimdeSousa ,

I hope that you have only one IPsec VPN tunnel there. If so, please run the following CLI commands:

diag debug reset
diag debug application ike -1
diag debug enable

Then try to connect again and collect the outputs.

To disable the debug:

diag debug reset
diag debug disable
diag debug application ike 0

Regards,

Jerry
JoaquimdeSousa
New Contributor

Hi @dingjerry_FTNT,

Thank you again for the quick reply.

But I still get the same issue.

Log:
date=2025-01-09 time=20:39:57 eventtime=1736451597809526604 tz="+0100" logid="0101037134" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action="delete_phase1_sa" remip=XXX.XXX.XXX.XXX locip=192.168.68.99 remport=500 locport=500 outintf="wan" cookies="1678d6acabd314f9/b7e46b8981618a7d" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="vpn1"

I see that port 500 is trying to connect. But I did not create any VirtualIP with port 500.

Could it be that?

If yes, how should I do it?

Regards,
Jo

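The FortiOS event line quoted in the post above is a flat key=value record, and reading the phase 1 history per tunnel out of such lines is the quickest way to see whether a dial-up tunnel ever came up or only keeps negotiating and deleting its phase 1 SA. The following parser and per-tunnel summary are an added example written for this thread, not code from the thread or from Fortinet. It uses the log line posted above (remote IP masked as posted) together with constructed lines; the action names "negotiate" and "tunnel-up" and the zeroed logid values in the constructed lines are assumptions, not values taken from the thread.

```python
"""Parse FortiOS key=value event-log lines and summarise IPsec phase 1
activity per tunnel, so a tunnel that never reaches tunnel-up stands out."""
import re
from collections import Counter, defaultdict

# One key=value token: values are either double-quoted (may contain spaces
# and escaped quotes) or a bare run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')

# Action name that marks an established tunnel (assumed, see lead-in).
ESTABLISHED_ACTIONS = {"tunnel-up"}

SAMPLE_LOGS = [
    # Line quoted in the thread above (remote IP masked as it was posted):
    'date=2025-01-09 time=20:39:57 eventtime=1736451597809526604 tz="+0100" logid="0101037134" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec phase 1 SA deleted" msg="delete IPsec phase 1 SA" action="delete_phase1_sa" remip=XXX.XXX.XXX.XXX locip=192.168.68.99 remport=500 locport=500 outintf="wan" cookies="1678d6acabd314f9/b7e46b8981618a7d" user="N/A" group="N/A" useralt="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="vpn1"',
    # Constructed lines (not from the thread; logid values are placeholders):
    'date=2025-01-09 time=20:39:55 tz="+0100" logid="0000000000" type="event" subtype="vpn" level="error" vd="root" logdesc="Negotiate IPsec phase 1" action="negotiate" status="negotiate_error" remip=XXX.XXX.XXX.XXX locip=192.168.68.99 remport=500 locport=500 outintf="wan" vpntunnel="vpn1"',
    'date=2025-01-09 time=20:41:02 tz="+0100" logid="0000000000" type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec connection status changed" action="tunnel-up" remip=198.51.100.7 locip=192.168.68.99 remport=4500 locport=4500 outintf="wan" vpntunnel="vpn2"',
    'date=2025-01-09 time=20:41:05 tz="+0100" logid="0000000000" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" action="login" user="admin"',
]


def parse_fortios_log(line):
    """Return the key=value fields of one log line as a dict (quotes stripped)."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        # group(3) is the inside of a quoted value; group(2) is the bare value
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def summarize_ipsec_events(lines):
    """Count VPN event actions per tunnel: {tunnel: {action: count}}.
    Lines that are not type=event/subtype=vpn are ignored."""
    summary = defaultdict(Counter)
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("type") != "event" or f.get("subtype") != "vpn":
            continue
        tunnel = f.get("vpntunnel", "unknown")
        summary[tunnel][f.get("action", "unknown")] += 1
    return {tunnel: dict(counts) for tunnel, counts in summary.items()}


def ports_seen(lines):
    """Remote UDP ports observed per tunnel (500 = IKE, 4500 = NAT-T)."""
    ports = defaultdict(set)
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("subtype") == "vpn" and "remport" in f:
            ports[f.get("vpntunnel", "unknown")].add(f["remport"])
    return {tunnel: sorted(p) for tunnel, p in ports.items()}


def tunnels_never_up(lines):
    """Tunnels with phase 1 activity but no established (tunnel-up) event."""
    summary = summarize_ipsec_events(lines)
    return sorted(t for t, actions in summary.items()
                  if not ESTABLISHED_ACTIONS & set(actions))


if __name__ == "__main__":
    for tunnel, actions in summarize_ipsec_events(SAMPLE_LOGS).items():
        print(tunnel, actions, "ports:", ports_seen(SAMPLE_LOGS)[tunnel])
    print("never established:", tunnels_never_up(SAMPLE_LOGS))
```

On the sample input, vpn1 shows only a negotiation error followed by a phase 1 SA delete on port 500, which is the pattern behind an "inactive" dial-up tunnel, while vpn2 reaches tunnel-up on port 4500 after the NAT-T switch. The same functions work on a file of real `subtype="vpn"` event lines exported from the FortiGate.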

dingjerry_FTNT

Hi there,

For dialup VPN, it will connect via port 500, then switch to port 4500.

So please run the debug commands and collect the IKE outputs.

I suspect that your client's phase1 settings do not match the ones on FGT.

Regards,

Jerry
dingjerry_FTNT

Hi @JoaquimdeSousa ,

You may also:

1) Capture a screenshot of phase1 settings in your FortiClient;

2) Capture a screenshot of phase1 settings on your FortiGate;

Regards,

Jerry
dingjerry_FTNT

Hi @JoaquimdeSousa ,

Two more settings you need to check:

1) Make sure that NAT Traversal is enabled;

2) As per your screenshot:

Why do you use /255.255.255.255 for the network range?

Regards,

Jerry
JoaquimdeSousa
New Contributor

Hi @dingjerry_FTNT,

Thank you once again for all your advice. Sorry for the delay.

1. Following your advice, I changed the network range in the VPN to 255.255.255.0.
I suppose it must be the same as the LAN interface. But I may be wrong?

2. I checked NAT Traversal and it seems to be checked.

3. Here below are the screenshots for my FortiClient app and my FortiGate 40F.
FortiClient is in French.

Regards,
Jo

FORTIGATE40F & FORTICLIENT

dingjerry_FTNT

Hi @JoaquimdeSousa ,

Sorry, your screenshots are too small to read.

As per this KB:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-dial-up-full-tunnel-with-FortiClient...

It seems that you may use /255.255.255.255. But please do not use the same network range as your internal interface.

Regards,

Jerry