I need some advice on finding the errors occuring on an IPSEC tunnel. I recently changed out a firewall from Sophos to Fortinet at one of our sites. The IPSEC tunnel is up and running with no complaints for about two weeks. I just noticed in Zabbix I am getting alerts regarding outbound errors. After running the command fnsysctl ifconfig per interface, the only one that is showing errors is the IPSEC tunnel. I did run a diag debug using the range of potential source IP addresses (it is a /24 subnet) but did not see any "no matching policy" or "denies" regarding traffic to the tunnel. Is there a better way to determine what traffic is being dropped? By doing the filter mentioned, it included all traffic, but curious if there is a way to filter only on traffic entering the tunnel?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@FortiGator Can you please provide the output of the diag command and the counters you are are concerned about.
Below is the output from the fnsysctl ifconfig command:
Link encap:Unknown
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1420 Metric:1
RX packets:56760067 errors:0 dropped:0 overruns:0 frame:0
TX packets:43021693 errors:7804059 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:32346291177 (30.1 GB) TX bytes:11435989751 (10.7 GB)
Can you confirm if the error count is increasing periodically or not ? Check the VPN event logs from the time of the alert and verify if there is any ESP error or any other error and share the log.
There are a few possibilities if the error is increasing, the Ipsec is having an anti-reply drop or NPU drop, or else the drop is happening because of a mismatch in a key lifetime at the time of phase 2 or phase 1 rekey, so the best way is to check the event logs and finding a common pattern.
Was finally able to figure this out. The debug I was running was only capturing traffic allowed in the tunnel. After doing a sniffer on the IPSEC interface, I found that the log settings to send syslog to a server on the other end did not have a source address specified and was using the public IP and being dropped. After correcting that, the TXE errors stopped. I appreciate all the responses from the board.
Glad you fixed it, but additionally I'd like to mention that this might have been an MTU issue. Traffic which is denied from entering an IPsec tunnel is not showing up as a transmit error on the hardware level - Layer 3 vs. Layer 1. The syslog packets just might have been too large for an IPsec tunnel so they got fragmented. Any thoughts into this direction?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.