Having trouble with 2 out of 6 ipsec tunnels, all were working previously. Continues from my previous post debugging ipsec with nat traversal. I have seen enmoc' s blog post on debugging and tried to work through it. Comment - at each step, what does a good result look like? We have a central FGT60C connecting via nat-t ipsec to 6 FGT60C remotes. The tunnels are interface based / routed and running ospf. All remote sites connect via 3G (the tunnel is our backup path to the remote sites; the 3G router is the NAT device). All tunnels are configured from the same template. We previously had an error with the NAT configuration which has been rectified at all remote sites (link above). The central unit failed recently and was replaced. All 6 tunnels came back up. Subsequently 3 tunnels failed and have been continuously attempting to establish. One tunnel came up two nights ago and has been up since. I don' t know any event to explain why it came up. So we currently have 4 tunnels up and 2 tunnels down. - configurations checked, - PSK re-entered anyway (no reason to suspect this is the problem), - confirmed traffic sent and received on UDP:500 and UDP:4500 both ends, - establishment traffic is constant (approx 1kbps in both directions for each of the down tunnels), - packet capture shows most of the traffic is UDP:500 but there is some UDP:4500, - diag vpn ike gateway list shows both tunnels with approx zero age, - syslog shows that both tunnels do occasionally come up for 20 seconds at a time, at random intervals between 2 - 15 minutes apart - diag debug app ike -1 shows a message being sent from remote:500 to central:4500. This was not allowed in the NAT router config. I have now allowed this traffic. Each attempt to establish the tunnel includes the following traffic.
wan2 -- central.4500 -> remote.4500: udp 112This exchange lasts for 20 seconds and corresponds to the tunnel up syslog. Debug at both ends of a tunnel shows identical traffic (nothing is blocked anywhere). The central unit begins the exchange on 4500 but never replies again. I guess the fact that the central never relpies on 4500 is important? The remote tries 4500 > 500 which also seems odd. What should be my next step to fault find this issue, any suggestions please?
wan2 -- remote.4500 -> central.4500: udp 80
wan2 -- remote.4500 -> central.4500: udp 304
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.4500: udp 304
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.4500: udp 96
wan2 -- remote.4500 -> central.4500: udp 304
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.4500: udp 96
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.4500: udp 304
wan2 -- remote.4500 -> central.4500: udp 96
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.500: udp 148
wan2 -- remote.4500 -> central.4500: udp 96
diagnose sniffer packet interface ' filter' [[[verbosity] count] a]The last three parameters are optional but must be present in order if desired. A count of 0 means " sniffing continuously (ctrl C interrupts)" - this is the default.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.