diasdm
New Contributor II

VPN tunnel status SNMP OID

I have a FortiGate 1000D, v7.0.13, with some VPN connections.

Some VPNs have multiple "Phase 2", and the IPsec tunnel only goes down when all of them are down.

I'm monitoring the device with Zabbix, which reads the 1.3.6.1.4.1.12356.101.12.2.2.1.3 SNMP table to monitor FortiGate's VPNs. However, I noticed that this table only shows the status of the "Phase 2" selectors and not the tunnel status.

When a "Phase 2" status goes down, Zabbix generates an event, but I don't usually need to monitor these alerts.

So, I'm looking for an SNMP OID that shows only the actual tunnel status, not its "phase 2 selector".

Here's a picture of the IPSec Monitor Dashboard to better illustrate my question. I've marked the actual status I'm looking for in the MIB.

vpn_status.png

Any thoughts on this matter?

Jean-Philippe_P
Moderator

Hello diasdm, 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Thanks, 

Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Moderator

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Thanks,

Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Moderator

Hello again,

I found this solution. Can you tell me if it helps, please?

To monitor the actual status of the IPsec tunnel (not just the Phase 2 selectors) using SNMP on your FortiGate device, you should use the OID specifically designed for monitoring the tunnel status. Here’s what you can do:

  1. Use the Correct OID for Tunnel Status: For site-to-site IPsec tunnels, use the OID `.1.3.6.1.4.1.12356.101.12.4.2.1.26` (fgVpn2TunStatus). This OID provides the current status of the tunnel, indicating whether it is up or down.

  2. Interpret the OID Values: When you query this OID, it will return an INTEGER value:
    - `1` means the tunnel is down.
    - `2` means the tunnel is up.

  3. Configure Zabbix to Monitor the Correct OID: Update your Zabbix configuration to monitor the OID `.1.3.6.1.4.1.12356.101.12.4.2.1.26` instead of the Phase 2 selector OID.

This will ensure that you receive alerts based on the actual tunnel status. By following these steps, you should be able to monitor the overall status of your IPsec tunnels more effectively.

Regards,
Jean-Philippe - Fortinet Community Team
diasdm

Hey Jean. Thanks for the reply.

From the fgVpn2TunTable MIB table, I found that it doesn't accurately reflect the actual tunnel status.

For example, querying the status entry returns multiple statuses.

```shell
$ snmpbulkwalk -v 2c -c [community] [IP] -Oe -Ot -On 1.3.6.1.4.1.12356.101.12.4.2.1.2
$ snmpbulkwalk -v 2c -c [community] [IP] -Oe -Ot -On 1.3.6.1.4.1.12356.101.12.4.2.1.26
```

Here's a table with some examples.

| fgVpn2TunPhase1Name | fgVpn2TunStatus | Status |
| ---------------------------------------- | ----------------------------------------- | ------ |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.51.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.51.1 | 2 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.36.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.36.1 | 1 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.34.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.34.1 | 2 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.34.3 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.34.3 | 2 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.70.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.70.1 | 1 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.11.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.11.1 | 1 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.71.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.71.1 | 1 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.71.333 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.71.333 | 2 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.78.5 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.78.5 | 2 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.78.6 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.78.6 | 1 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.55.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.55.1 | 2 |
| .1.3.6.1.4.1.12356.101.12.4.2.1.2.14.1 | .1.3.6.1.4.1.12356.101.12.4.2.1.26.14.1 | 2 |

Note that the second-to-last index value is repeated and the last index value changes when there is more than one Phase 2 selector.

If a tunnel has multiple Phase 2 selectors, multiple entries are returned, one for each Phase 2 selector.
Consequently, there are multiple statuses for each tunnel, which does not accurately represent the status shown on the IPsec monitor dashboard.

Jean-Philippe_P

Hi again diasdm!

Please note that my answers are from a ChatGPT engine :)

I found this answer for your request:

The behavior you're observing is due to the way SNMP represents IPsec tunnels with multiple Phase 2 selectors. Each Phase 2 selector is treated as a separate entry in the SNMP table, which results in multiple status entries for a single tunnel. This can lead to confusion when trying to determine the overall status of the tunnel. To accurately monitor the overall status of an IPsec tunnel, consider the following approach:

  1. Aggregate Status: Since the tunnel is considered "up" if at least one Phase 2 selector is up, you can aggregate the statuses. If any of the entries for a tunnel have a status of `2` (up), consider the tunnel as up.

  2. Custom Monitoring Logic: Implement custom logic in your monitoring tool (e.g., Zabbix) to evaluate the status of all Phase 2 selectors for a tunnel. If all selectors are down, then the tunnel is down.

  3. Use CLI Commands: As an alternative, use CLI commands to verify the tunnel status. Commands like `get vpn ipsec tunnel summary` or `diag vpn tunnel list` can provide a consolidated view of the tunnel status.

By using these methods, you can achieve a more accurate representation of the tunnel status as shown on the IPsec monitor dashboard.

Regards,
Jean-Philippe - Fortinet Community Team
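The aggregation described in steps 1 and 2 above, as an added example that is not Fortinet's, Zabbix's or the poster's code: it parses a numeric-OID walk of fgVpn2TunStatus and fgVpn2TunPhase1Name, groups rows by the second-to-last index component (the tunnel) and reports a tunnel as up when any of its Phase 2 selectors returns 2. The `snmpbulkwalk` output format is assumed and the Phase 1 names are constructed; the index suffixes and status values are copied from the table posted earlier in the thread.

```python
import re
from collections import defaultdict

STATUS_OID = ".1.3.6.1.4.1.12356.101.12.4.2.1.26"  # fgVpn2TunStatus (1 = down, 2 = up)
NAME_OID = ".1.3.6.1.4.1.12356.101.12.4.2.1.2"     # fgVpn2TunPhase1Name
UP = 2

# Constructed sample shaped like `snmpbulkwalk -Oe -Ot -On` output (assumed format).
# Index suffixes and status values come from the table in the thread; the Phase 1
# names are made up. One name row per tunnel is enough to label the result.
SAMPLE_WALK = """\
.1.3.6.1.4.1.12356.101.12.4.2.1.2.34.1 = STRING: "site-a"
.1.3.6.1.4.1.12356.101.12.4.2.1.2.36.1 = STRING: "site-b"
.1.3.6.1.4.1.12356.101.12.4.2.1.2.71.1 = STRING: "site-c"
.1.3.6.1.4.1.12356.101.12.4.2.1.2.78.5 = STRING: "site-d"
.1.3.6.1.4.1.12356.101.12.4.2.1.26.34.1 = INTEGER: 2
.1.3.6.1.4.1.12356.101.12.4.2.1.26.34.3 = INTEGER: 2
.1.3.6.1.4.1.12356.101.12.4.2.1.26.36.1 = INTEGER: 1
.1.3.6.1.4.1.12356.101.12.4.2.1.26.71.1 = INTEGER: 1
.1.3.6.1.4.1.12356.101.12.4.2.1.26.71.333 = INTEGER: 2
.1.3.6.1.4.1.12356.101.12.4.2.1.26.78.5 = INTEGER: 2
.1.3.6.1.4.1.12356.101.12.4.2.1.26.78.6 = INTEGER: 1
"""

LINE_RE = re.compile(r"^(\.[\d.]+) = \w+: (.*)$")


def parse_walk(text):
    """Map each numeric OID in a walk to its raw value string; skip other lines."""
    return dict(m.groups() for m in map(LINE_RE.match, text.splitlines()) if m)


def tunnel_status(walk):
    """Collapse per-selector rows into {tunnel_index: {"name", "selectors", "up"}}.

    The last index component is the Phase 2 selector and the one before it the
    tunnel, so rows are grouped on that component; a tunnel is up if any row is 2.
    """
    tunnels = defaultdict(lambda: {"name": None, "selectors": 0, "up": False})
    for oid, raw in walk.items():
        table_oid, tun, _selector = oid.rsplit(".", 2)
        if table_oid == STATUS_OID:
            tunnels[tun]["selectors"] += 1
            tunnels[tun]["up"] |= int(raw) == UP
        elif table_oid == NAME_OID:
            tunnels[tun]["name"] = raw.strip('"')
    return dict(tunnels)


if __name__ == "__main__":
    for idx, t in sorted(tunnel_status(parse_walk(SAMPLE_WALK)).items()):
        state = "up" if t["up"] else "down"
        print(f"{t['name']:8} tunnel {idx}: {state} ({t['selectors']} Phase 2 selector(s))")
```

Feeding real walk output into `parse_walk` in place of the sample gives one up/down value per tunnel, which is what a Zabbix item or external check can alert on instead of the per-selector rows.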
funkylicious

hi,

based on https://community.fortinet.com/t5/FortiGate/Technical-Tip-SNMP-OIDs-for-monitoring-IPsec-tunnel-stat... the OID .1.3.6.1.4.1.12356.101.12.4.2.1.26 should be the correct one, and the status would be either 1 - down or 2 - up; I've tested it and it appears to display correctly on my end.

"jack of all trades, master of none"
diasdm
New Contributor II

I guess there's no specific overall tunnel status OID or phase 1 selectors OIDs. Only phase 2 statuses. :\

Anyway...

The "FORTINET-FORTIGATE-MIB" MIB file has the same description for both "non-dial-up" VPN tables.

fgVpnTunTable - Table of non-dial-up IPsec VPN tunnels
fgVpn2TunTable - Table of non-dial-up IPsec VPN tunnels

In the article " ", we see that these two tables are provided for "site-to-site IPsec tunnels".

So, what's the actual difference between these two tables, and which one is best for monitoring "non-dial-up" VPNs?
