Troubleshooting
Use the following commands to verify that IPsec VPN sessions are up and running.
Use the diagnose load-balance status command from the primary FIM interface module to determine the primary FPM. For FortiGate-7000E HA, run this command from the primary FortiGate-7000E. The third line of the command output shows which FPM is operating as the primary FPM.
diagnose load-balance status
FIM01: FIM04E3E16000074
  Master FPM Blade: slot-4
    Slot 3: FPM20E3E17900113
      Status:Working    Function:Active
      Link:      Base: Up          Fabric: Up
      Heartbeat: Management: Good  Data: Good
      Status Message:"Running"
    Slot 4: FPM20E3E16800033
      Status:Working    Function:Active
      Link:      Base: Up          Fabric: Up
      Heartbeat: Management: Good  Data: Good
      Status Message:"Running"
FIM02: FIM10E3E16000040
  Master FPM Blade: slot-4
    Slot 3: FPM20E3E17900113
      Status:Working    Function:Active
      Link:      Base: Up          Fabric: Up
      Heartbeat: Management: Good  Data: Good
      Status Message:"Running"
    Slot 4: FPM20E3E16800033
      Status:Working    Function:Active
      Link:      Base: Up          Fabric: Up
      Heartbeat: Management: Good  Data: Good
      Status Message:"Running"
Log into the primary FPM CLI, and from there log into the VDOM that you added the tunnel configuration to and run the command diagnose vpn tunnel list <phase2-name> to show the sessions for the phase 2 configuration. The example below is for the to-fgt2 phase 2 configuration configured previously in this chapter. The command output shows the security association (SA) set up for this phase 2 and all of the destination subnets.
From the command output, make sure the SA is installed and the dst addresses are correct.
CH15 [FPM04] (002ipsecvpn) # diagnose vpn tunnel list name to-fgt2
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0 bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/40 options[0028]=npu ike_assit
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0 ike_asssit_last_sent=4318202512
stat: rxp=142020528 txp=147843214 rxb=16537003048 txb=11392723577
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0
  SA:  ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048
       seqno=4a26f esn=0 replaywin_lastseq=00045e80
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=e89caf36 esp=aes key=16 26aa75c19207d423d14fd6fef2de3bcf
       ah=sha1 key=20 7d1a330af33fa914c45b80c1c96eafaf2d263ce7
  enc: spi=b721b907 esp=aes key=16 acb75d21c74eabc58f52ba96ee95587f
       ah=sha1 key=20 41120083d27eb1d3c5c5e464d0a36f27b78a0f5a
  dec:pkts/bytes=286338/40910978, enc:pkts/bytes=562327/62082855
  npu_flag=03 npu_rgwy=4.2.0.2 npu_lgwy=4.2.0.1 npu_selid=b dec_npuid=3 enc_npuid=1
Log into the CLI of any of the FIMs and run the command diagnose test application fctrlproxyd 2. The output should show matching destination subnets.
diagnose test application fctrlproxyd 2
fcp route dump : last_update_time 24107
Slot:4 routecache entry: (5)
checksum:27 AE 00 EA 10 8D 22 0C D6 48 AB 2E 7E 83 9D 24
vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.3.0 mask:255.255.255.0 enable:1
vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.4.0 mask:255.255.255.0 enable:1
vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.5.0 mask:255.255.255.0 enable:1
=========================================
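As an added check, not part of the original documentation or of FortiOS: a short Python script that parses captured output from the two commands above and confirms that the SA is installed and that the dst subnets in the phase 2 block match the enabled entries the FIM route cache holds for that phase 2 name. The embedded excerpts are constructed from the outputs shown on this page, not captured from a live chassis.

```python
import re
from ipaddress import ip_network

# Constructed excerpts modelled on the two command outputs above (not a live capture).
TUNNEL_LIST = """\
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0 bound_if=199 lgwy=static/1
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0
  SA:  ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048
"""
ROUTE_DUMP = """\
fcp route dump : last_update_time 24107
Slot:4 routecache entry: (5)
vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.3.0 mask:255.255.255.0 enable:1
vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.4.0 mask:255.255.255.0 enable:1
vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.5.0 mask:255.255.255.0 enable:1
"""

# One selector as printed on the src:/dst: lines: <proto>:<addr>/<mask>:<port>
SELECTOR = re.compile(r"\d+:(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+):\d+")
# One routecache entry from the fctrlproxyd dump
ROUTE = re.compile(r"p2:(\S+) subnet:(\S+) mask:(\S+) enable:(\d)")


def parse_tunnel_list(text, p2):
    """Return (sa_count, set of dst networks) for the proxyid block named p2."""
    block = re.search(rf"proxyid={re.escape(p2)} .*?sa=(\d+).*?dst:([^\n]*)", text, re.S)
    if block is None:
        return 0, set()
    dsts = {ip_network(f"{a}/{m}") for a, m in SELECTOR.findall(block.group(2))}
    return int(block.group(1)), dsts


def parse_route_dump(text, p2):
    """Return the enabled subnets the FIM route cache holds for phase 2 name p2."""
    return {ip_network(f"{s}/{m}") for n, s, m, en in ROUTE.findall(text)
            if n == p2 and en == "1"}


def check_tunnel(tunnel_text, route_text, p2):
    """Return a list of problems; an empty list means SA up and subnets consistent."""
    sa, dsts = parse_tunnel_list(tunnel_text, p2)
    routes = parse_route_dump(route_text, p2)
    problems = []
    if sa < 1:
        problems.append(f"{p2}: no SA installed (sa={sa})")
    for net in sorted(dsts - routes):
        problems.append(f"{p2}: dst {net} missing from FIM route cache")
    for net in sorted(routes - dsts):
        problems.append(f"{p2}: stale route cache entry {net} not in phase 2 dst")
    return problems


if __name__ == "__main__":
    print(check_tunnel(TUNNEL_LIST, ROUTE_DUMP, "to-fgt2") or "OK")
```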