Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
slouw
Contributor

Created on ‎10-30-2023 10:30 PM Edited on ‎10-30-2023 10:31 PM

Why does my new tunnel interface not come up or at least try and negotiate?

Why would an IPsec tunnel not come up?
I have configured such a tunnel copying a production setup I know to be working.
The symptom I am troubleshooting is why the new tunnel interface remains inactive.
I can ping from the 40F CLI over the internet to the underlay tunnel endpoint (.172)
This is confirmed with traceroute showing path to the internet (192.168.1.1 is the Starlink next hop)
Starlink obviously implements NAT on the way out to the net.
The new tunnel interface remains inactive.
Sniffer trace
diagnose sniffer packet wan 'host 203.57.169.172'
Show no packets IKE or otherwise being sent (or received)
It will show the pings out and back if I ping the .172 tunnel destination as mentioend above.
What am I doing wrong?

Please let me know if you want other CLI/GUI outputs.

Much much appreciate any help.....

2023-10-31 15h10m27s0009 Tunnel down.jpg

Labels:
4023
0 Kudos
1 Solution
fricci_FTNT
Staff
Staff
In response to slouw

Created on ‎11-02-2023 04:44 AM

Hi @slouw ,

Rearding your question:
>>What is the significance?
It means that there is no firewall policy from "LAN" to the IPsec interface "pri_bms". When that  firewall policy is missing the FortiGate does not attempt to bring up the tunnel, that is why you cannot see any packet in the packet capture or in the debug logs. Please create such firewall policy and retry to bring up the IPsec tunnel.

Please read the bottom of the article below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSec-VPN-issue-with-diagnose-vpn-ik...

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.

View solution in original post

3768
19 REPLIES 19
slouw
Contributor
In response to srajeswaran

Created on ‎10-31-2023 11:21 PM

Thank you @srajeswaran I do appreciate continued help.

1/2 CLI outputs

Outputs are supplied as requested for the following:
show vpn ipsec phase1-interface

show vpn ipsec phase2-interface
show firewall policy (please share the policy for VPN )
diagnose vpn tunnel list
diagnose vpn tunnel list name <vpn name>
get vpn ipsec stats tunnel

These outputs are not available:
Similar outputs are supplied:
* get ipsec tunnel list (get vpn ipsec tunnel summary)
* get vpn ipsec tunnel details (get vpn ipsec tunnel details)

2023-11-01 15h44m45s86 show vpn ipsec phase1-interface.jpg2023-11-01 15h48m42s88 show vpn ipsec phase2-interface.jpg2023-11-01 15h48m56s89 show firewall policy.jpg2023-11-01 15h49m12s90 diagnose vpn tunnel list.jpg2023-11-01 15h49m31s92 diagnose vpn tunnel list name pri_bms.jpg2023-11-01 15h49m59s95 get vpn ipsec stats tunnel.jpg

2023-11-01 15h52m03s93 get vpn ipsec tunnel summary.jpg2023-11-01 15h52m23s94 get vpn ipsec tunnel details.jpg

2/2 Debug outputs

As a courtesy and for completeness sake I went through the motions of collecting debugs. These was NO output as expected. I have tried this several times now with no output as a result.
Same with sniffer output. The only sniffer output I ever see are pings the the far end underlay address which I generate. Nothing else. No IKE packets as I would expect from time to time to initiate a connection. Nothing
2023-11-01 16h13m16s96 debug outputs.jpg

 

1830
0 Kudos
srajeswaran
Staff
Staff
In response to slouw

Created on ‎10-31-2023 11:24 PM

When sniffer/debug is running, can you try clearing the tunnel "diagnose vpn ike gateway clear <vpn name>" to make sure the tunnel tries to negotiate and see if there are any outputs in debug?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1827
0 Kudos
slouw
Contributor
In response to srajeswaran

Created on ‎11-01-2023 07:13 PM

When sniffer/debug is running, can you try clearing the tunnel "diagnose vpn ike gateway clear <vpn name>" to make sure the tunnel tries to negotiate and see if there are any outputs in debug?

The output below was taken with added policy rule as requested in later post. See post below - "You also need a policy from your LAN interface"

2023-11-02 11h56m34s0016 Debugs Take2.jpg

1805
0 Kudos
slouw
Contributor
In response to slouw

Created on ‎11-01-2023 09:15 PM

I left he debugs to run for some time and got this recurring pattern every 15mins

2023-11-02 14h14m57s00 Test Site IKE Debugs.jpg

1786
0 Kudos
srajeswaran
Staff
Staff
In response to slouw

Created on ‎10-31-2023 11:31 PM

You also need a policy from your LAN interface (where your local resources are connected ) to the VPN interface (pri_bms). Please create this policy and the reverse and then run the debug.

I also believe the Phase2 config is incomplete, for example I don't see the dhgroup, not sure if there is a default value.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1825
0 Kudos
slouw
Contributor
In response to srajeswaran

Created on ‎11-01-2023 07:16 PM

2023-11-02 07h52m22s03 Create LAN-WAN Policy.jpg

1802
0 Kudos
srajeswaran
Staff
Staff
In response to slouw

Created on ‎11-01-2023 10:06 PM

Please add policy from LAN to pri_bms not LAN to WAN.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

1781
slouw
Contributor

Created on ‎11-01-2023 07:20 PM

Please note the policy setting is yes for working control and no for my new install.
What is the significance?
This was taken after the LAN-WAN policy entry was made above

2023-11-02 07h40m12s99 diagnose vpn ike config list summary DELTA policy=No.jpg

1799
0 Kudos
fricci_FTNT
Staff
Staff
In response to slouw

Created on ‎11-02-2023 04:44 AM

Hi @slouw ,

Rearding your question:
>>What is the significance?
It means that there is no firewall policy from "LAN" to the IPsec interface "pri_bms". When that  firewall policy is missing the FortiGate does not attempt to bring up the tunnel, that is why you cannot see any packet in the packet capture or in the debug logs. Please create such firewall policy and retry to bring up the IPsec tunnel.

Please read the bottom of the article below:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSec-VPN-issue-with-diagnose-vpn-ik...

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
3769
slouw
Contributor

Created on ‎11-02-2023 02:08 PM

Eukerka!
We have debugs!!!!

Thanks to all who helped very grateful thank you.

Case closed

2023-11-03 07h05m03s05 Eureka!!!!!!!.jpg

1756
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.