I need some advice on finding the errors occurring on an IPSEC tunnel. I recently changed out a firewall from Sophos to Fortinet at one of our sites. The IPSEC tunnel is up and running with no complaints for about two weeks. I just noticed in Zabbix I am getting alerts regarding outbound errors. After running the command fnsysctl ifconfig per interface, the only one that is showing errors is the IPSEC tunnel. I did run a diag debug using the range of potential source IP addresses (it is a /24 subnet) but did not see any "no matching policy" or "denies" regarding traffic to the tunnel. Is there a better way to determine what traffic is being dropped? The filter I mentioned included all traffic, but I am curious whether there is a way to filter only on traffic entering the tunnel.
Can you confirm whether the error count is increasing periodically or not? Check the VPN event logs from the time of the alert, verify whether there is an ESP error or any other error, and share the log.
There are a few possibilities if the error count is increasing: the IPsec tunnel is having an anti-replay drop or an NPU drop, or else the drop is happening because of a mismatch in a key lifetime at the time of the phase 2 or phase 1 rekey. So the best way is to check the event logs and find a common pattern.
Was finally able to figure this out. The debug I was running was only capturing traffic allowed in the tunnel. After doing a sniffer on the IPSEC interface, I found that the log settings to send syslog to a server on the other end did not have a source address specified and was using the public IP and being dropped. After correcting that, the TXE errors stopped. I appreciate all the responses from the board.
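As an added illustration (not from any poster in this thread), this is roughly what the checks and the fix described above look like in the FortiOS CLI. The tunnel interface name `site-b-vpn`, the tunnel-side address 10.1.0.1 and the syslog server 10.2.0.10 are assumed placeholders.

```text
# Assumed names/addresses: site-b-vpn, 10.1.0.1, 10.2.0.10 (not from the thread).

# 1. Confirm the TX error counter on the tunnel interface is still climbing
#    (run it twice a few minutes apart and compare the counters).
fnsysctl ifconfig site-b-vpn

# 2. Sniff only what enters the tunnel interface; verbose level 4 prints the
#    interface and IP headers, count 20 stops after 20 packets. Syslog packets
#    leaving with the public WAN address as source are the symptom described above.
diagnose sniffer packet site-b-vpn 'udp and port 514' 4 20

# 3a. Before: no source-ip, so the FortiGate picks its own source address for
#     syslog (here the public WAN IP) and those packets were being dropped.
config log syslogd setting
    set status enable
    set server "10.2.0.10"
end

# 3b. After: pin the syslog source to an address that belongs in the tunnel.
config log syslogd setting
    set status enable
    set server "10.2.0.10"
    set source-ip 10.1.0.1
end
```

Re-run step 1 after the change; the TX error counter should stop increasing if the unsourced syslog traffic was the only cause.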
Glad you fixed it, but additionally I'd like to mention that this might have been an MTU issue. Traffic which is denied from entering an IPsec tunnel is not showing up as a transmit error on the hardware level - Layer 3 vs. Layer 1. The syslog packets just might have been too large for an IPsec tunnel so they got fragmented. Any thoughts into this direction?