FortiGate-6000 Release Notes

IPsec VPN load balancing troubleshooting

Use the following commands to verify that IPsec VPN sessions are up and running.

Use the diagnose load-balance status command from the primary FIM to determine the primary FPM. For FortiGate-7000 HA, run this command from the primary FortiGate-7000. The third line of the command output shows which FPM is operating as the primary FPM.

diagnose load-balance status
==========================================================================
Slot: 2  Module SN: FIM21FTB21000042
  Master FPM Blade: slot-3
 
     Slot  3: FPM20FTB21900053
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Up
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"
     Slot  4: FPM20FTB21900065
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Up
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"
 
==========================================================================
Current slot: 1  Module SN: FIM21FTB21000015
  Master FPM Blade: slot-3
 
     Slot  3: FPM20FTB21900053
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Up
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"
     Slot  4: FPM20FTB21900065
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Up
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"

Log into the primary FPM CLI, enter the VDOM that contains the tunnel configuration, and run the command diagnose vpn tunnel list name <phase2-name> to show the sessions for the phase 2 configuration. The command output shows the security association (SA) set up for this phase 2, all of its destination subnets, and the FPM that the SA was assigned to.

From the command output, make sure the SA is installed (sa=1 on the proxyid line) and the dst addresses are correct. The IPsec LB line (esp_worker=FPM06) shows that the tunnel is terminated on FPM06.

CH15 [FPM04] (002ipsecvpn) # diagnose vpn tunnel list name to-fgt2
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0
bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/40 options[0028]=npu ike_assit 
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0
ike_asssit_last_sent=4318202512
stat: rxp=142020528 txp=147843214 rxb=16537003048 txb=11392723577
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0
  SA: ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048 seqno=4a26f esn=0 replaywin_lastseq=00045e80
  IPsec LB: esp_worker=FPM06 esp_assist_last_sent=4295272912
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=e89caf36 esp=aes key=16 26aa75c19207d423d14fd6fef2de3bcf
       ah=sha1 key=20 7d1a330af33fa914c45b80c1c96eafaf2d263ce7
  enc: spi=b721b907 esp=aes key=16 acb75d21c74eabc58f52ba96ee95587f
       ah=sha1 key=20 41120083d27eb1d3c5c5e464d0a36f27b78a0f5a
  dec:pkts/bytes=286338/40910978, enc:pkts/bytes=562327/62082855
  npu_flag=03 npu_rgwy=4.2.0.2 npu_lgwy=4.2.0.1 npu_selid=b dec_npuid=3 enc_npuid=1

Log into the CLI of any of the FIMs and run the command diagnose test application fctrlproxyd 2. The destination subnets listed in the output should match the dst subnets shown by the tunnel list on the FPM.

diagnose test application fctrlproxyd 2 fctrlproxyd route dump : 
 
7KF-CH10 [FIM01] (global) # diag test application fctrlproxyd 2
 
fcp IKE routes:
en:0 slot:01 vd:003 t_type:auto dst:4.3.1.0/24, p1-vlan91-a
en:0 slot:01 vd:004 t_type:auto dst:4.2.1.0/24, p1-vlan91-b
en:0 slot:01 vd:005 t_type:auto dst:4.12.5.0/24, FGT1_to_FGT2
en:0 slot:01 vd:005 t_type:auto dst:4.12.8.0/24, FGT1_to_FGT4
en:0 slot:01 vd:069 t_type:auto dst:34.1.4.0/24, p1_v3011
en:0 slot:01 vd:069 t_type:auto dst:34.1.8.0/24, p1_v3013v6
en:0 slot:01 vd:071 t_type:auto dst:34.3.4.0/24, p1_v3031
en:0 slot:01 vd:073 t_type:auto dst:34.4.4.0/24, p1_v3041
en:0 slot:01 vd:073 t_type:auto dst:34.4.9.0/24, p1_v3047
en:0 slot:01 vd:075 t_type:auto dst:34.5.0.52/32, p1_v3055
en:0 slot:01 vd:107 t_type:auto dst:181.1.0.0/16, qd_ag1
en:1 slot:03 vd:075 t_type:dialup dst:34.5.66.201/32, p1_v3056
en:1 slot:07 vd:075 t_type:auto dst:34.5.4.0/24, p1_v3051
en:1 slot:07 vd:075 t_type:dialup dst:34.5.0.82/32, p1_v3058
en:1 slot:07 vd:075 t_type:dialup dst:34.5.0.92/32, p1_v3059
 
Statistics:
FIM01 FIM02 FPM03 FPM04 FPM05 FPM06 FPM07 FPM08 FPM09 FPM10 FPM11 FPM12
   11     0     1     0     0     0     3     0     0     0     0     0
total active routes: 4
total inactive routes: 11
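
As an added example (not part of Fortinet's documentation), the following Python script performs the cross-check the steps above describe by hand: it parses the tunnel listing for the SA state, the dst selectors and the esp_worker FPM, parses the fctrlproxyd route dump, and reports any dst subnet that has no enabled route. The sample outputs are constructed from the listings on this page, with the route for 4.2.5.0/24 deliberately left out so the check has a mismatch to report.

```python
import re
from ipaddress import ip_network
# Constructed sample: trimmed copy of the "diagnose vpn tunnel list name to-fgt2" output shown above.
TUNNEL_OUT = """\
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0
  IPsec LB: esp_worker=FPM06 esp_assist_last_sent=4295272912
"""
# Constructed sample in the fctrlproxyd route-dump format; 4.2.5.0/24 is deliberately missing.
ROUTE_OUT = """\
fcp IKE routes:
en:1 slot:06 vd:011 t_type:auto dst:4.2.3.0/24, to-fgt2
en:1 slot:06 vd:011 t_type:auto dst:4.2.4.0/24, to-fgt2
en:0 slot:01 vd:004 t_type:auto dst:4.2.1.0/24, p1-vlan91-b
"""
ROUTE_RE = re.compile(r"en:(\d) slot:(\d+) vd:(\d+) t_type:(\w+) dst:(\S+), (\S+)")

def parse_tunnel(text):
    """Pull tunnel name, SA count, dst selectors and the ESP worker FPM out of the tunnel listing."""
    info = {"name": None, "sa": 0, "dst": [], "esp_worker": None}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("name="):
            info["name"] = line.split()[0][len("name="):]
        elif line.startswith("proxyid="):
            info["sa"] = int(re.search(r"\bsa=(\d+)", line).group(1))
        elif line.startswith("dst:"):
            # each selector is proto:addr/netmask:port; ip_network accepts the dotted netmask
            info["dst"] += [ip_network(sel.split(":")[1]) for sel in line[4:].split()]
        elif line.startswith("IPsec LB:"):
            info["esp_worker"] = re.search(r"esp_worker=(\S+)", line).group(1)
    return info

def parse_routes(text):
    """Parse the 'fcp IKE routes' lines of the fctrlproxyd dump into dicts."""
    return [{"enabled": m.group(1) == "1", "slot": int(m.group(2)), "vd": int(m.group(3)),
             "t_type": m.group(4), "dst": ip_network(m.group(5)), "tunnel": m.group(6)}
            for m in map(ROUTE_RE.search, text.splitlines()) if m]

def check_tunnel(tunnel, routes):
    """Return findings; an empty list means the SA is installed and every dst has an enabled route."""
    findings = []
    if tunnel["sa"] < 1:
        findings.append(f"no SA installed for {tunnel['name']}")
    if not tunnel["esp_worker"]:
        findings.append("no esp_worker assigned, so the tunnel is not load balanced to an FPM")
    routed = {r["dst"] for r in routes if r["tunnel"] == tunnel["name"] and r["enabled"]}
    findings += [f"dst {d} has no enabled fctrlproxyd route for {tunnel['name']}"
                 for d in tunnel["dst"] if d not in routed]
    return findings
```

Paste the real command outputs into TUNNEL_OUT and ROUTE_OUT to run the same check against a live chassis; an empty result from check_tunnel means the SA, the dst subnets and the routes agree.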