_afriansyah
IPSEC Phase1 & Phase2 UP, But No Download Traffic On Brach Site


Dear Support Forum,


I have an IPsec tunnel problem from branch to HO, where the download traffic from branch to HO remains 0 bytes,
and in the configuration of the IPsec tunnel from HO to the branch the peer ID (gC.b) appears as the username.

Is there anyone who can help to solve this problem?

[attached image: IPSEC Tunnel.jpg]

DPadula
Staff

Are both Fortigates running the same FortiOS version?
Can you see the firewall policy byte counter increasing?

_afriansyah

Are both Fortigates running the same FortiOS version?
Yes, both are running the same FortiOS version.

Firewall Policy byte counter on Branch

[attached image: firewall policy.jpg]


DPadula

Run the command 'diagnose netlink device list' a few times and confirm that you can see the counters increasing for the tunnel interfaces.

_afriansyah

Here is the result, @DPadula:

FortiGate-100F # diagnose netlink device list
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
TestIndosat: 0 0 0 0 0 0 0 0 448732 8426 197398 0 0 0 0 0


[attached image: diagnose netlink device list.png]

_afriansyah

FortiGate-100F # diagnose netlink device list
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
TestIndosat: 0 0 0 0 0 0 0 0 448732 8426 197398 0 0 0 0 0
Site2HO: 0 0 0 0 0 0 0 0 9679449 254556 841 0 0 0 0 0

DPadula

Did you generate some VPN traffic while you checked the output of 'diagnose netlink device list'? The idea is to confirm that the bytes and packets counters are increasing while traffic crosses the VPN tunnel. So run the command, generate some traffic, wait a few seconds, and run the command again.


In case you don't see any increase, use the commands provided by @sw2090 to understand what is happening with the traffic; they will show which firewall policy matches the traffic.

Once you confirm that traffic is matching the right policy you know that it is a cosmetic problem.
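The check DPadula describes (sample the counters, push traffic, sample again, see which direction moved) can be automated by diffing two captures of 'diagnose netlink device list'. The script below is an added example, not code from this thread or from Fortinet. It assumes the per-interface line keeps the column order shown in the posts above (eight receive fields, then eight transmit fields, as in /proc/net/dev). The first Site2HO line is the one posted in the thread; the second snapshot and the "LabTunnel" interface are constructed for the example, and it classifies Site2HO as transmit-only, which is exactly the "0 bytes download" symptom being discussed.

```python
"""Diff two snapshots of FortiGate 'diagnose netlink device list' output and
classify each tunnel interface by which direction its byte counters moved."""
import re
from typing import Dict

# Column order of a per-interface line, matching the two-line header the
# command prints: receive fields first, then transmit fields (assumption,
# based on the output pasted in the thread).
FIELDS = [
    "rx_bytes", "rx_packets", "rx_errs", "rx_drop", "rx_fifo", "rx_frame",
    "rx_compressed", "rx_multicast",
    "tx_bytes", "tx_packets", "tx_errs", "tx_drop", "tx_fifo", "tx_colls",
    "tx_carrier", "tx_compressed",
]

# "<name>: <16 integers>"; prompt, header and blank lines never match.
LINE_RE = re.compile(r"^\s*(?P<name>[^:\s]+):\s*(?P<counters>(?:\d+\s*){16})$")


def parse_netlink(output: str) -> Dict[str, Dict[str, int]]:
    """Parse the table into {interface: {field: value}}."""
    devices: Dict[str, Dict[str, int]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        values = [int(v) for v in m.group("counters").split()]
        devices[m.group("name")] = dict(zip(FIELDS, values))
    return devices


def counter_deltas(before: Dict[str, Dict[str, int]],
                   after: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Per-interface increase between two samples (interfaces present in both)."""
    return {
        name: {f: after[name][f] - before[name][f] for f in FIELDS}
        for name in before.keys() & after.keys()
    }


def classify(delta: Dict[str, int]) -> str:
    """Describe which direction carried bytes between the two samples."""
    rx, tx = delta["rx_bytes"], delta["tx_bytes"]
    if rx == 0 and tx == 0:
        return "idle"
    if tx > 0 and rx == 0:
        return "tx-only"      # packets leave the tunnel, nothing comes back
    if rx > 0 and tx == 0:
        return "rx-only"
    return "bidirectional"


def report(before_output: str, after_output: str) -> Dict[str, str]:
    """Map each interface seen in both captures to its traffic classification."""
    deltas = counter_deltas(parse_netlink(before_output), parse_netlink(after_output))
    return {name: classify(d) for name, d in sorted(deltas.items())}


# Constructed captures. Site2HO in SAMPLE_BEFORE is the line posted in the
# thread; everything else is made up to show a healthy tunnel for contrast.
SAMPLE_BEFORE = """\
FortiGate-100F # diagnose netlink device list
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
Site2HO: 0 0 0 0 0 0 0 0 9679449 254556 841 0 0 0 0 0
LabTunnel: 1200 10 0 0 0 0 0 0 1500 12 0 0 0 0 0 0
"""

SAMPLE_AFTER = """\
FortiGate-100F # diagnose netlink device list
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
Site2HO: 0 0 0 0 0 0 0 0 9701233 255102 841 0 0 0 0 0
LabTunnel: 5600 42 0 0 0 0 0 0 6100 48 0 0 0 0 0 0
"""

if __name__ == "__main__":
    for name, state in report(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{name}: {state}")
```

Paste the two captures taken a few seconds apart into SAMPLE_BEFORE and SAMPLE_AFTER; a tunnel that stays "tx-only" while traffic is being generated is the one to take into the flow debug, whereas "bidirectional" with a still-flat policy counter points at a display problem rather than a transport one.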

sw2090
SuperUser

Do the phase2 selectors match?

Do a flow debug on the CLI:

dia debug ena

dia debug flow filter clear

dia debug flow filter saddr/daddr/proto/... (execute it without params and it will show a list)

dia debug flow trace start <numberofpackets>


Start that on both FGTs and then produce some traffic on the VPN; the flow trace on both sides will show you the packet flow.


--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
_afriansyah

Hello @sw2090,
Phase 1 & Phase 2 match and are already up.
The IPsec problem is only with the ISP "JSN".


I tried using another ISP; IPsec with the other ISP works normally,
with no download or upload traffic issue from branch to HO.

Is the problem with the ISP "JSN"?
