New Contributor


I need some advice on finding the errors occurring on an IPsec tunnel. I recently changed out a firewall from Sophos to Fortinet at one of our sites. The IPsec tunnel has been up and running with no complaints for about two weeks. I just noticed in Zabbix that I am getting alerts regarding outbound errors. After running the command fnsysctl ifconfig per interface, the only one that is showing errors is the IPsec tunnel. I did run a diag debug using the range of potential source IP addresses (it is a /24 subnet) but did not see any "no matching policy" or "denies" regarding traffic to the tunnel. Is there a better way to determine what traffic is being dropped? With the filter mentioned, it included all traffic, but I am curious whether there is a way to filter only on traffic entering the tunnel.

Contributor II

@FortiGator Can you please provide the output of the diag command and the counters you are concerned about.

Rosa Technocrat -- Also on YouTube---Please do Subscribe

Below is the output from the fnsysctl ifconfig command:


Link encap:Unknown
RX packets:56760067 errors:0 dropped:0 overruns:0 frame:0
TX packets:43021693 errors:7804059 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:32346291177 (30.1 GB) TX bytes:11435989751 (10.7 GB)


Can you confirm whether the error count is increasing periodically or not? Check the VPN event logs from the time of the alert and verify if there is any ESP error or any other error, and share the log.

There are a few possibilities if the error is increasing: the IPsec tunnel is having anti-replay drops or NPU drops, or else the drop is happening because of a mismatch in key lifetime at the time of the phase 2 or phase 1 rekey, so the best way is to check the event logs and find a common pattern.
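To answer the "is the count increasing periodically?" question above without comparing two pastes by eye, here is an added Python example (not code from the thread or from Fortinet) that parses two fnsysctl ifconfig snapshots taken some time apart and reports which interfaces' error and drop counters grew in between. The interface names, the port1 block and the whole second snapshot are constructed for the example; the tunnel counters in the first snapshot are the ones posted above.

```python
import re
from typing import Dict

# Constructed sample output in the shape of `fnsysctl ifconfig`. The names,
# the port1 block and SNAPSHOT_T1 are made up; the ToHQ counters in
# SNAPSHOT_T0 are the numbers posted in the thread.
SNAPSHOT_T0 = """\
port1     Link encap:Ethernet  HWaddr 00:09:0F:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9912340 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8811200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6543210987 (6.0 GB) TX bytes:3210987654 (2.9 GB)

ToHQ      Link encap:Unknown
          RX packets:56760067 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43021693 errors:7804059 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:32346291177 (30.1 GB) TX bytes:11435989751 (10.7 GB)
"""

SNAPSHOT_T1 = """\
port1     Link encap:Ethernet  HWaddr 00:09:0F:00:00:01
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9915000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8814000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6545000000 (6.0 GB) TX bytes:3212000000 (2.9 GB)

ToHQ      Link encap:Unknown
          RX packets:56762000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43023000 errors:7804180 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:32347000000 (30.1 GB) TX bytes:11436500000 (10.7 GB)
"""

# One "RX packets:N errors:N dropped:N" or "TX packets:..." line.
COUNTER_RE = re.compile(
    r"(?P<dir>RX|TX) packets:(?P<packets>\d+) errors:(?P<errors>\d+) dropped:(?P<dropped>\d+)"
)


def parse_ifconfig(text: str) -> Dict[str, Dict[str, int]]:
    """Map interface name -> {rx_packets, rx_errors, rx_dropped, tx_packets, ...}.
    Interface blocks are separated by a blank line; the name is the first token
    of the block's first line."""
    ifaces: Dict[str, Dict[str, int]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        name = lines[0].split()[0]
        counters: Dict[str, int] = {}
        for m in COUNTER_RE.finditer(block):
            direction = m.group("dir").lower()
            for key in ("packets", "errors", "dropped"):
                counters[f"{direction}_{key}"] = int(m.group(key))
        ifaces[name] = counters
    return ifaces


def counter_deltas(before, after,
                   keys=("tx_errors", "rx_errors", "tx_dropped", "rx_dropped")):
    """Per-interface growth of the error/drop counters between two snapshots.
    Interfaces present in only one snapshot are ignored. A counter that went
    backwards (reboot or counter reset) is reported as None so it is not
    mistaken for "no change"."""
    deltas = {}
    for name in before.keys() & after.keys():
        d = {}
        for k in keys:
            if k in before[name] and k in after[name]:
                diff = after[name][k] - before[name][k]
                d[k] = diff if diff >= 0 else None
        deltas[name] = d
    return deltas


def interfaces_with_growing_errors(before, after):
    """Sorted names of interfaces whose error/drop counters increased (or
    reset) between the snapshots; these are the ones worth a sniffer session."""
    names = []
    for name, d in counter_deltas(before, after).items():
        if any(v is None or v > 0 for v in d.values()):
            names.append(name)
    return sorted(names)


def error_ratio(iface_counters, direction="tx"):
    """Errors as a fraction of packets in one direction, 0.0 when no packets."""
    pkts = iface_counters.get(f"{direction}_packets", 0)
    errs = iface_counters.get(f"{direction}_errors", 0)
    return errs / pkts if pkts else 0.0


if __name__ == "__main__":
    t0 = parse_ifconfig(SNAPSHOT_T0)
    t1 = parse_ifconfig(SNAPSHOT_T1)
    for name in interfaces_with_growing_errors(t0, t1):
        print(name, counter_deltas(t0, t1)[name],
              f"tx error ratio {error_ratio(t1[name]):.2%}")
```

Run it against two real pastes taken a few minutes apart: an interface that shows a large absolute error count but a zero delta is historical, while a steadily growing delta (the ToHQ tunnel in the constructed data) is the one to sniff.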

New Contributor

Was finally able to figure this out. The debug I was running was only capturing traffic allowed in the tunnel. After doing a sniffer on the IPsec interface, I found that the log settings to send syslog to a server on the other end did not have a source address specified and were using the public IP, and it was being dropped. After correcting that, the TX errors stopped. I appreciate all the responses from the board.

Esteemed Contributor III

Glad you fixed it, but additionally I'd like to mention that this might have been an MTU issue. Traffic which is denied from entering an IPsec tunnel does not show up as a transmit error on the hardware level (Layer 3 vs. Layer 1). The syslog packets just might have been too large for an IPsec tunnel, so they got fragmented. Any thoughts in this direction?


Ede
"Kernel panic: Aiee, killing interrupt handler!"
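Both findings in this thread, packets whose source address falls outside the phase 2 selector (the syslog sourced from the public IP in the resolution post) and packets too large for the tunnel (the MTU point raised in the last reply), can be picked out of a sniffer capture on the tunnel interface. The following is an added Python example, not code from the thread or from Fortinet. It parses lines in the shape of diagnose sniffer packet output and flags each packet for either problem. The selector subnets, the sample lines, the treatment of the trailing number as the inner packet length, and the ESP overhead used to derive the tunnel MTU are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed phase 2 selectors for the thread's tunnel: the site /24 behind the
# FortiGate to the HQ network. Documentation ranges, made up for the example.
LOCAL_SELECTOR = ipaddress.ip_network("10.10.20.0/24")
REMOTE_SELECTOR = ipaddress.ip_network("10.0.0.0/16")

# Assumed ESP overhead for a tunnel-mode AES-CBC + SHA-256 SA over a 1500-byte
# WAN MTU: outer IPv4 header (20) + SPI/sequence (8) + IV (16) + padding,
# pad length and next header (up to 17) + truncated ICV (16). Adjust for the
# real proposal; the point is that an inner packet above TUNNEL_MTU fragments.
WAN_MTU = 1500
ESP_OVERHEAD = 20 + 8 + 16 + 17 + 16
TUNNEL_MTU = WAN_MTU - ESP_OVERHEAD  # 1423

# "timestamp src.port -> dst.port: proto len" (constructed shape; the trailing
# number is taken as the inner packet length, an assumption).
SNIFFER_LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)(?:\s+(?P<len>\d+))?"
)

# Constructed capture: a normal LAN->HQ packet, syslog sourced from the WAN
# address (the thread's actual cause), and an oversized syslog message sourced
# correctly (the MTU hypothesis).
SAMPLE_SNIFFER = """\
interfaces=[ToHQ]
filters=[none]
1.001 10.10.20.15.51234 -> 10.0.5.10.53: udp 60
1.105 203.0.113.7.514 -> 10.0.9.20.514: udp 220
1.106 10.10.20.1.514 -> 10.0.9.20.514: udp 1480
"""


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    length: Optional[int]
    raw: str


@dataclass
class Verdict:
    packet: Packet
    problems: List[str] = field(default_factory=list)


def parse_sniffer(text: str) -> List[Packet]:
    """Turn sniffer lines into Packet records; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFFER_LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            src=ipaddress.ip_address(m.group("src")),
            dst=ipaddress.ip_address(m.group("dst")),
            proto=m.group("proto"),
            length=int(m.group("len")) if m.group("len") else None,
            raw=line.strip(),
        ))
    return packets


def classify(packets, local=LOCAL_SELECTOR, remote=REMOTE_SELECTOR, mtu=TUNNEL_MTU):
    """Flag each packet that would not be accepted into the tunnel as-is:
    outside the selector pair, or larger than the tunnel can carry unfragmented."""
    verdicts = []
    for p in packets:
        problems = []
        if p.src not in local or p.dst not in remote:
            problems.append(
                f"{p.src}->{p.dst} is outside phase 2 selector {local}->{remote}")
        if p.length is not None and p.length > mtu:
            problems.append(
                f"{p.length} bytes exceeds tunnel MTU {mtu}: fragments, or is dropped if DF is set")
        verdicts.append(Verdict(p, problems))
    return verdicts


def suspects(verdicts):
    """Only the packets with at least one problem."""
    return [v for v in verdicts if v.problems]


if __name__ == "__main__":
    for v in suspects(classify(parse_sniffer(SAMPLE_SNIFFER))):
        print(v.packet.raw)
        for problem in v.problems:
            print("   ", problem)
```

The first class of suspect is what the poster found: on a FortiGate the fix is to give the syslog sender an address inside the selector (the source-ip setting under config log syslogd setting). The second class is what the last reply suggests checking; if such packets appear in a real capture, the answer is an MTU or MSS adjustment rather than a selector change.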