Support Forum
AlexFeren
New Contributor III

Printout explanation "diagnose vpn tunnel list"

In the following printout, 'expire=21511/0B' is a countdown to the Child SA's key expiry, starting from the value specified in Phase 2's 'keylifeseconds' attribute (in my case, 27000).


However, the printout also has a 'timeout=26732/27000', where 26732 doesn't change at all. My question: what does this number represent?



FGT60D-1 # diagnose vpn tunnel list
:
proxyid=ToAzureVPNGateway3 proto=0 sa=1 ref=2 serial=26
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:172.16.64.0/255.255.192.0:0
  SA: ref=41 options=10024 type=00 soft=0 mtu=1438 expire=21511/0B replaywin=0
       seqno=10e03 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=26732/27000
  dec: spi=f1c15bf3 esp=aes key=16 9136fd97fab9c206f27055d082c83414
       ah=sha1 key=20 5b69a33bc129346a2018d6fbde9d5bb51693e231
  enc: spi=127f9a4c esp=aes key=16 925357d548af93d4fa664653cf3a8e19
       ah=sha1 key=20 ea362f3413d292a459939cf8b5f8985b1bc12331
  dec:pkts/bytes=100993/51118804, enc:pkts/bytes=84002/31649950
  npu_flag=03 npu_rgwy=A.A.A.A npu_lgwy=B.B.B.B npu_selid=19
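As an added example, not from the original post and not Fortinet's own tooling: a small Python parser for the `diagnose vpn tunnel list` printout above. It pulls the `expire` and `timeout` counters out of each proxyid block and flags an SA whose `timeout` numerator stays fixed between two polls while `expire` keeps counting down, which is exactly the oddity the question describes. The sample text is constructed from the shape of the printout; the second poll in the usage block is likewise constructed.

```python
import re

# Constructed sample: one proxyid block in the shape of the printout above.
SAMPLE_OUTPUT = """\
FGT60D-1 # diagnose vpn tunnel list
proxyid=ToAzureVPNGateway3 proto=0 sa=1 ref=2 serial=26
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:172.16.64.0/255.255.192.0:0
  SA: ref=41 options=10024 type=00 soft=0 mtu=1438 expire=21511/0B replaywin=0
       seqno=10e03 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=26732/27000
"""

PROXYID_RE = re.compile(r"^proxyid=(\S+)", re.MULTILINE)
EXPIRE_RE = re.compile(r"expire=(\d+)/(\d+)B")   # seconds left / bytes left
TIMEOUT_RE = re.compile(r"timeout=(\d+)/(\d+)")  # counter / keylifeseconds


def parse_tunnel_list(text):
    """Return {proxyid: {"expire", "expire_bytes", "timeout", "keylife"}}.

    Each proxyid block is scanned for its SA line and its life line;
    blocks with no installed SA (no expire/timeout fields) are skipped.
    """
    parts = PROXYID_RE.split(text)  # [preamble, id1, body1, id2, body2, ...]
    sas = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        exp, tmo = EXPIRE_RE.search(body), TIMEOUT_RE.search(body)
        if exp and tmo:
            sas[name] = {
                "expire": int(exp.group(1)),
                "expire_bytes": int(exp.group(2)),
                "timeout": int(tmo.group(1)),
                "keylife": int(tmo.group(2)),
            }
    return sas


def timeout_counter_is_static(earlier, later):
    """True when expire kept counting down between two polls of the same SA
    but the timeout numerator did not move: the behaviour the question describes."""
    return later["expire"] < earlier["expire"] and later["timeout"] == earlier["timeout"]


if __name__ == "__main__":
    first = parse_tunnel_list(SAMPLE_OUTPUT)["ToAzureVPNGateway3"]
    second = dict(first, expire=first["expire"] - 60)  # constructed later poll
    print(first)
    print("timeout counter static:", timeout_counter_is_static(first, second))
```

Feed it two captures of the real command taken a minute apart; a static result on a live SA is worth attaching to the TAC ticket, while `expire` remains the counter to watch for rekey timing.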

Toshi_Esumi
SuperUser

Looks like they forgot to update something in the diag output. I recommend you open a TT with TAC. If you run "get vpn ipsec tun name ToAzureVPNGateway3", you would see something like "lifetime/rekey: 27000/21511".
