FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 225700
Description This article describes how to troubleshoot PPPoE connection failure when FortiGate is configured as the PPPoE client.
Scope FortiGate.
  1. Verify that the username and password are correctly configured.
  2. If the PPPoE interface is correctly configured, it would be required to capture the following information from FortiGate:

diag netlink interface list <pppoe>


diag debug reset

diag debug disable

diag debug app pppoed -1

diag debug enable


To stop:


diag debug disable


  1. It is also recommended to perform packet capture on the PPPoE interface:

diag sniffer packet <pppoe> '' 6 0 a


  1. Verify if PPPoE negotiation is successful:


Client to server: Initiation (PADI) -> Server to client: Offer (PADO) -> Client to server: request (PADR) -> Server to client: session confirmation (PADS).


PPPoE consists of two phases:

  • Active Discovery Phase.
  • PPP Session Phase.


Active Discovery Phase:

  1. The client sends a broadcast Initiation (PADI).
  2. The server responds with unicast Offer (PADO).
  3. The client sends a unicast Request (PADR).
  4. The server responds with a unicast Session (PADS).


PPP Session Phase:

  1. Link Control Protocol (LCP).
  2. PPP Authentication (PAP / CHAP).
  3. Network Control Protocol (NCP) -> IPCP.


A graphical representation would look like this:


2024-03-29 14 43 37.jpg


To capture packets at each stage, simply use the sniffer below:


diag sniff packet <interface name> "ether proto 0x8863" 6 0 a <----- Discovery Stage.
diag sniff packet <interface name> "ether proto 0x8864" 6 0 a
<----- Session Stage.

For the Discovery stage, a sample packet capture might look like this:


Untitled picture2.png


For the Session stage, a sample packet capture might look like this:


Untitled picture3.png


If the transaction is valid, it will be possible to see the transactional information in the Wireshark:





If there is only broadcast (PADI) information noticed, it may be due to incorrect physical wiring or the ISP router not responding to the request.


To help isolate the issue,  use the Windows machine to determine if it does not respond to broadcast. Similar to the image below.


Untitled picture.png


In these cases, it is required to check on the physical layer and/or logs on the ISP router to see if it received the broadcast packet and responded accordingly.


PPPoE connection failure when FortiGate is configured as the PPPoE client not working in the HA cluster


If issues are faced with FortiGate as a PPPoE client not working in a High Availability (HA) cluster with the default group ID 0, refer to the following articles for steps to resolve the problem:

Technical Tip: Troubleshooting PPPoE connection failed

Technical Tip: HA Cluster virtual MAC addresses


In the HA cluster with default HA group ID 0, it is recommended to change the HA cluster default group ID 0. The default HA MAC (group 0) is the source of the problem.
The reason the PPPoE server does not respond properly to the default HA MAC address is because if several HA cluster are on same broadcast domain with default HA group ID 0, they generate the same virtual MAC address.


Formula: 00-09-0f-09-<group-id_hex>-<vcluster_integer><idx>. Where <group-id_hex> is the HA group ID for the cluster converted to hexadecimal.


Related articles:

Technical Tip: pppoe-interface configuration.

Technical Tip: How to import 'diagnose sniffer packet' data to WireShark.