I have an IPsec VPN built on a Fortinet 200E and working between our HQ and Azure. I have several VMs in Azure and traffic flows successfully. I now want to route traffic from some remote locations to Azure via the VPN. These locations are currently connected to HQ.
Basic topology:
HQ - Lan1
Remote Locations - Wan1
Internet - Wan2
I have policies for HQ to Azure (Lan1 --> Azure VPN interface) and the remote locations (Wan1 --> Azure VPN interface). When pinging from a remote location I see the traffic handed off to the Azure VPN but nothing comes back. I see no traffic when pinging from Azure to the remote location.
I believe that this indicates a problem on the Azure side but I have been unsuccessful in capturing packets to verify this.
Does anyone have any experience in this scenario?
Thanks
Hello,
In case traffic is lost between the FortiGate and the Azure side, you may consider decrypting the ESP packets. Please find the details by following the link below:
Created on 06-08-2022 02:23 AM
Hi Team,
Kindly execute the commands below on the FortiGate firewall and share the output with us.
1) Open the CLI of the firewall at HQ:
#diag sniffer packet any 'host a.b.c.d and icmp' 4 0 a
where a.b.c.d is the remote destination IP (the private IP).
Please run a continuous ping to the destination IP and, once the logs are generated, download and attach them to the case.
Open another console at HQ:
#diag sniffer packet any 'host a.s.d.f and icmp' 6 0 a
where a.s.d.f is the remote gateway IP (the public IP).
Please run a continuous ping to the gateway IP and, once the logs are generated, download and share them here.
2) Kindly share the output of the following command, executed on the FortiGate firewall:
#diagnose vpn tunnel list
3) In another console:
#diag debug reset
#diag debug flow filter addr m.n.o.p
where m.n.o.p is the destination IP (the private IP).
#diag debug flow filter proto 1
#diag debug flow show function-name enable
#diag debug flow trace start 1000
#diag debug enable
Please run a continuous ping to the destination IP and share the logs with us.
Once the logs are generated, please execute the command below to disable the debug logs.
#diag debug disable
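The reply above asks for raw sniffer and flow-trace output, which is tedious to read by hand when many pings are in flight. As an added example that is not part of this thread or of Fortinet's tooling, the Python script below parses the two formats those commands produce (the verbosity-4 `diag sniffer packet` lines and the `diag debug flow` trace lines) and reports, per flow, whether the echo requests left on the IPsec interface and whether any reply came back, plus the ingress interface, route, policy and drop message for each trace. The sample lines, interface names (wan1, lan1, Azure_VPN), addresses and policy numbers are constructed for the example; the field layout mirrors FortiOS output, but firmware versions word some messages differently, so treat the regexes as starting points.

```python
"""Summarise FortiGate 'diag sniffer packet' (verbosity 4) and 'diag debug flow'
output for an ICMP reachability problem across an IPsec interface.

Added example; not code from the thread or from Fortinet. The sample text below is
constructed to mirror the FortiOS line layout; interface names, addresses and the
policy numbers are invented."""
import re
from collections import Counter, defaultdict

# Sniffer verbosity 4: "<date> <time> <iface> <in|out> <src> -> <dst>: icmp: echo <request|reply>"
SNIFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)"
)
# Flow trace: one msg="..." per forwarding step, grouped by trace_id
FLOW_RE = re.compile(r'trace_id=(?P<tid>\d+) func=\S+ line=\d+ msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r"received a packet\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\).* from (?P<iface>\S+)\.")
ROUTE_RE = re.compile(r"find a route: .* via (?P<via>\S+)")
POLICY_RE = re.compile(r"Allowed by Policy-(?P<pol>\d+)")

# Constructed sample: a remote-site host (via wan1) gets no replies, an HQ host (via lan1) does.
SNIFFER_SAMPLE = """\
2022-06-08 02:23:01.000100 wan1 in 10.20.0.10 -> 10.100.0.4: icmp: echo request
2022-06-08 02:23:01.000250 Azure_VPN out 10.20.0.10 -> 10.100.0.4: icmp: echo request
2022-06-08 02:23:02.000100 wan1 in 10.20.0.10 -> 10.100.0.4: icmp: echo request
2022-06-08 02:23:02.000250 Azure_VPN out 10.20.0.10 -> 10.100.0.4: icmp: echo request
2022-06-08 02:23:03.000100 lan1 in 192.168.1.50 -> 10.100.0.4: icmp: echo request
2022-06-08 02:23:03.000250 Azure_VPN out 192.168.1.50 -> 10.100.0.4: icmp: echo request
2022-06-08 02:23:03.030000 Azure_VPN in 10.100.0.4 -> 192.168.1.50: icmp: echo reply
2022-06-08 02:23:03.030100 lan1 out 10.100.0.4 -> 192.168.1.50: icmp: echo reply
"""

# Constructed sample: trace 7 (remote site) is dropped at the IPsec selector check, trace 8 (HQ) is encrypted.
FLOW_SAMPLE = """\
id=20085 trace_id=7 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.20.0.10:1->10.100.0.4:2048) tun_id=0.0.0.0 from wan1. type=8, code=0, id=1, seq=12."
id=20085 trace_id=7 func=init_ip_session_common line=6022 msg="allocate a new session-0001a2b3"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-10.100.0.4 via Azure_VPN"
id=20085 trace_id=7 func=fw_forward_handler line=830 msg="Allowed by Policy-14:"
id=20085 trace_id=7 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-Azure_VPN"
id=20085 trace_id=7 func=ipsec_common_output4 line=905 msg="No matching IPsec selector, drop"
id=20085 trace_id=8 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.1.50:1->10.100.0.4:2048) tun_id=0.0.0.0 from lan1. type=8, code=0, id=1, seq=3."
id=20085 trace_id=8 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-10.100.0.4 via Azure_VPN"
id=20085 trace_id=8 func=fw_forward_handler line=830 msg="Allowed by Policy-9:"
id=20085 trace_id=8 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-Azure_VPN"
id=20085 trace_id=8 func=ipsec_output_finish line=622 msg="encrypted, and send to 20.50.60.70 with source 203.0.113.10"
"""


def echo_balance(text):
    """Per (src, dst): echo requests seen leaving the box, echo replies seen
    coming back, and the interface the requests left on."""
    out_req, in_rep, egress = Counter(), Counter(), {}
    for line in text.splitlines():
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["dst"])
        if m["kind"] == "request" and m["dir"] == "out":
            out_req[key] += 1
            egress[key] = m["iface"]
        elif m["kind"] == "reply" and m["dir"] == "in":
            in_rep[(m["dst"], m["src"])] += 1  # reply's dst is the original requester
    return {k: (out_req[k], in_rep[k], egress[k]) for k in out_req}


def flow_summary(text):
    """Per trace_id: source, destination, ingress interface, route, matched
    policy and the first drop/deny message (None if the packet was forwarded)."""
    traces = defaultdict(lambda: dict(src=None, dst=None, ingress=None, route_via=None, policy=None, drop=None))
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        t, msg = traces[int(m["tid"])], m["msg"]
        if (p := PKT_RE.search(msg)):
            t["src"], t["dst"], t["ingress"] = p["src"], p["dst"], p["iface"]
        elif (r := ROUTE_RE.search(msg)):
            t["route_via"] = r["via"]
        elif (a := POLICY_RE.search(msg)):
            t["policy"] = a["pol"]
        elif t["drop"] is None and ("drop" in msg.lower() or msg.startswith("Denied")):
            t["drop"] = msg
    return dict(traces)


if __name__ == "__main__":
    for (src, dst), (sent, got, iface) in echo_balance(SNIFFER_SAMPLE).items():
        print(f"{src} -> {dst}: {sent} requests out via {iface}, {got} replies in")
    for tid, t in sorted(flow_summary(FLOW_SAMPLE).items()):
        print(f"trace {tid}: {t['src']} from {t['ingress']} via {t['route_via']}, "
              f"policy {t['policy']}, drop={t['drop']}")
```

Replace the two sample strings with the saved output from the commands above (or read them from files). A flow whose requests leave on the IPsec interface with zero replies in, paired with a trace that is allowed by policy and then dropped at the selector step as in the constructed trace 7, points at the tunnel's phase 2 selectors (or the peer's configured address space) not covering the remote-location subnets, rather than at the firewall policy; a trace that ends in the "encrypted, and send to" message with still no reply means the packet went out and the peer side is where to look next.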
Copyright 2025 Fortinet, Inc. All Rights Reserved.