Support Forum
slouw
Contributor

Why does my new tunnel interface not come up or at least try and negotiate?

Why would an IPsec tunnel not come up?
I have configured such a tunnel copying a production setup I know to be working.
The symptom I am troubleshooting is why the new tunnel interface remains inactive.
I can ping from the 40F CLI over the internet to the underlay tunnel endpoint (.172).
This is confirmed with traceroute showing the path to the internet (192.168.1.1 is the Starlink next hop).
Starlink obviously implements NAT on the way out to the net.
The new tunnel interface remains inactive.
Sniffer trace
diagnose sniffer packet wan 'host 203.57.169.172'
shows no packets, IKE or otherwise, being sent (or received).
It will show the pings out and back if I ping the .172 tunnel destination, as mentioned above.
What am I doing wrong?

Please let me know if you want other CLI/GUI outputs.

Much much appreciate any help.....

[Attached screenshot: Tunnel down]

1 Solution
fricci_FTNT

Hi @slouw ,

Regarding your question:
>>What is the significance?
It means that there is no firewall policy from "LAN" to the IPsec interface "pri_bms". When that firewall policy is missing, the FortiGate does not attempt to bring up the tunnel; that is why you cannot see any packets in the packet capture or in the debug logs. Please create such a firewall policy and retry bringing up the IPsec tunnel.

Please read the bottom of the article below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSec-VPN-issue-with-diagnose-vpn-ik...

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.


srajeswaran
Staff

Can you ping/reach the remote gateway? You may follow the troubleshooting steps in the article below to begin.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

 

Please let us know at which stage your tunnel is stuck and then we can check further. I would recommend you check that the VPN configuration matches on both sides as a first step.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

slouw

Since

1. The tunnel state is inactive/down; and 

2. There is no attempt to dial out and initiate IKE

I end up quickly at step 4 of the above-mentioned troubleshooting guide. See below.
Please note the question in this post is very specific: why will my tunnel interface not come up? It remains down.

Thanking you.....

[Attached screenshot: Forum Post2]

srajeswaran

No interesting traffic towards the tunnel could be one reason. Can you initiate a ping towards the remote site's protected resources and check if the tunnel comes up? Please make sure there is a policy allowing traffic via the tunnel interface.

It's not clear if auto-negotiate is enabled; please enable it to bring up the tunnel automatically.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-the-FortiGate-unit-to-bring-up-IPSec-V...

Regards,

Suraj

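The two points made in the replies above (fricci_FTNT's accepted answer: no firewall policy from "LAN" to the IPsec interface "pri_bms" means the FortiGate never attempts to bring the tunnel up; srajeswaran's follow-up: enable auto-negotiate so the tunnel comes up without waiting for interesting traffic) translate into the following FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread. The tunnel name "pri_bms", the "LAN" interface, the "wan" interface and the peer 203.57.169.172 are taken from the thread; the local and remote subnets (10.10.10.0/24 and 10.20.20.0/24), the proposals, the pre-shared key and the policy name are placeholders that must be replaced with the real values, and the phase1/phase2 settings must match the far end exactly.

```fortios
# Added example (not from the original thread). Placeholders are marked.
# Phase 1: IKE to the peer over the "wan" interface (the interface the
# ping in the original post already reaches the peer from).
config vpn ipsec phase1-interface
    edit "pri_bms"
        set interface "wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256          # placeholder: must match the far end
        set dpd on-idle
        set remote-gw 203.57.169.172
        set psksecret "REPLACE-WITH-REAL-PSK"   # placeholder
        # nattraversal is enabled by default; leave it on, because the 40F sits
        # behind Starlink NAT and must be the initiator of this tunnel.
    next
end

# Phase 2: the selectors, plus auto-negotiate so the FortiGate dials out as
# soon as the tunnel is configured instead of waiting for the first packet
# from the LAN. (auto-negotiate is a phase2-interface setting in FortiOS.)
config vpn ipsec phase2-interface
    edit "pri_bms"
        set phase1name "pri_bms"
        set proposal aes256-sha256          # placeholder: must match the far end
        set auto-negotiate enable
        set keepalive enable
        set src-subnet 10.10.10.0 255.255.255.0   # placeholder: local LAN
        set dst-subnet 10.20.20.0 255.255.255.0   # placeholder: remote LAN
    next
end

# Route the remote subnet into the tunnel interface; without this there is no
# reason for any LAN packet to be sent towards "pri_bms".
config router static
    edit 0
        set dst 10.20.20.0 255.255.255.0    # placeholder: remote LAN
        set device "pri_bms"
    next
end

# The policy the accepted answer says is missing: LAN -> pri_bms. A matching
# policy is what makes the FortiGate treat traffic as destined for the tunnel
# and start IKE. Tighten srcaddr/dstaddr/service to the real subnets and
# services once the tunnel is proven to come up.
config firewall policy
    edit 0
        set name "LAN-to-pri_bms"           # placeholder name
        set srcintf "LAN"
        set dstintf "pri_bms"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying this, the checks already named in the thread apply: `get vpn ipsec tunnel summary` should now list the tunnel, and `diagnose sniffer packet wan 'host 203.57.169.172'` should show UDP/500 (and, behind NAT, UDP/4500) packets leaving the "wan" interface. If the peer still needs to reach protected resources in the other direction, a second policy with srcintf "pri_bms" and dstintf "LAN" is required; the single policy above only permits LAN-originated sessions.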

slouw

This is not solved!

Sorry, I cannot see how to "Unsolve" this post.

My bad.

Thanks @srajeswaran I have tried this but no change.
[Attached screenshot: Interesting traffic]

smayank
Staff

Hello 

Sometimes the selectors show as down when you check the tunnel status.
get vpn ipsec tunnel summary

Please check this output to see whether the tunnel is up or not.

Mayank Sharma

slouw

[Attached screenshot: output of get vpn ipsec tunnel summary]

hbac
Staff

Hi @slouw,

 

Since there are no traffic/debug outputs, please make sure the interface is correct. I see the working one is using wan2 and the new one is using wan. Please make sure the FortiGate can reach the remote peer via the wan interface. You can run this command to verify the static route: "get router info routing-table detail 203.57.169.172".

 

Regards, 

slouw

Since there are no traffic/debug outputs, please make sure the interface is correct.

I see the working one is using wan2 and the new one is using wan.

I confirm the control setup does indeed use interface wan2 whereas my broken test setup uses wan.

Please make sure the FortiGate can reach the remote peer via the wan interface.

Is the evidence below sufficient to show that the underlay far end is available via the internet?

This ping is travelling out over a Starlink unit and back over the internet.

You can run this command to verify the static route: "get router info routing-table detail 203.57.169.172".

See below

[Attached screenshot: Proof]

srajeswaran

Can you share the below outputs?

show vpn ipsec phase1-interface

show vpn ipsec phase2-interface

show firewall policy (please share the policy for the VPN)

 

diagnose vpn tunnel list

diagnose vpn tunnel list name <vpn name>

get ipsec tunnel list

get vpn ipsec tunnel details

get vpn ipsec stats tunnel

 

Then collect debug as below.

 

diagnose vpn ike log filter clear

diagnose vpn ike log filter dst_addr4 <peer IP>

diagnose debug application ike -1

diagnose debug enable

diagnose vpn ike gateway clear <vpn name>

 

Once you see the logs, disable debug.

diagnose debug disable

 

 

Regards,

Suraj

