Troubleshooting
Use the following commands to verify that IPsec VPN sessions are up and running.
Use the diagnose load-balance status command from the primary FIM to determine the primary FPM. For FortiGate-7000 HA, run this command from the primary FortiGate-7000. The third line of the command output shows which FPM is operating as the primary FPM.
diagnose load-balance status
==========================================================================
Slot: 2 Module SN: FIM21FTB21000042
Master FPM Blade: slot-3
Slot 3: FPM20FTB21900053 Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
Slot 4: FPM20FTB21900065 Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
==========================================================================
Current slot: 1 Module SN: FIM21FTB21000015
Master FPM Blade: slot-3
Slot 3: FPM20FTB21900053 Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
Slot 4: FPM20FTB21900065 Status:Working Function:Active
Link: Base: Up Fabric: Up
Heartbeat: Management: Good Data: Good
Status Message:"Running"
Log into the primary FPM CLI, from there log into the VDOM that you added the tunnel configuration to, and run the command diagnose vpn tunnel list name <phase2-name> to show the sessions for the phase 2 configuration. The command output shows the security association (SA) set up for this phase 2, all of the destination subnets, and the FPM this SA was assigned to.
From the command output, make sure the SA is installed and the dst addresses are correct. The IPsec LB line shows that the tunnel is terminated on FPM06.
CH15 [FPM04] (002ipsecvpn) # diagnose vpn tunnel list name to-fgt2
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0 bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/40 options[0028]=npu ike_assit
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0 ike_asssit_last_sent=4318202512
stat: rxp=142020528 txp=147843214 rxb=16537003048 txb=11392723577
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0
  SA: ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048 seqno=4a26f esn=0 replaywin_lastseq=00045e80
  IPsec LB: esp_worker=FPM06 esp_assist_last_sent=4295272912
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=e89caf36 esp=aes key=16 26aa75c19207d423d14fd6fef2de3bcf
       ah=sha1 key=20 7d1a330af33fa914c45b80c1c96eafaf2d263ce7
  enc: spi=b721b907 esp=aes key=16 acb75d21c74eabc58f52ba96ee95587f
       ah=sha1 key=20 41120083d27eb1d3c5c5e464d0a36f27b78a0f5a
  dec:pkts/bytes=286338/40910978, enc:pkts/bytes=562327/62082855
  npu_flag=03 npu_rgwy=4.2.0.2 npu_lgwy=4.2.0.1 npu_selid=b dec_npuid=3 enc_npuid=1
Log into the CLI of any of the FIMs and run the command diagnose test application fctrlproxyd 2. The output should show matching destination subnets.
diagnose test application fctrlproxyd 2
7KF-CH10 [FIM01] (global) # diag test application fctrlproxyd 2
fctrlproxyd route dump :
fcp IKE routes:
en:0 slot:01 vd:003 t_type:auto dst:4.3.1.0/24, p1-vlan91-a
en:0 slot:01 vd:004 t_type:auto dst:4.2.1.0/24, p1-vlan91-b
en:0 slot:01 vd:005 t_type:auto dst:4.12.5.0/24, FGT1_to_FGT2
en:0 slot:01 vd:005 t_type:auto dst:4.12.8.0/24, FGT1_to_FGT4
en:0 slot:01 vd:069 t_type:auto dst:34.1.4.0/24, p1_v3011
en:0 slot:01 vd:069 t_type:auto dst:34.1.8.0/24, p1_v3013v6
en:0 slot:01 vd:071 t_type:auto dst:34.3.4.0/24, p1_v3031
en:0 slot:01 vd:073 t_type:auto dst:34.4.4.0/24, p1_v3041
en:0 slot:01 vd:073 t_type:auto dst:34.4.9.0/24, p1_v3047
en:0 slot:01 vd:075 t_type:auto dst:34.5.0.52/32, p1_v3055
en:0 slot:01 vd:107 t_type:auto dst:181.1.0.0/16, qd_ag1
en:1 slot:03 vd:075 t_type:dialup dst:34.5.66.201/32, p1_v3056
en:1 slot:07 vd:075 t_type:auto dst:34.5.4.0/24, p1_v3051
en:1 slot:07 vd:075 t_type:dialup dst:34.5.0.82/32, p1_v3058
en:1 slot:07 vd:075 t_type:dialup dst:34.5.0.92/32, p1_v3059
Statistics:
FIM01 FIM02 FPM03 FPM04 FPM05 FPM06 FPM07 FPM08 FPM09 FPM10 FPM11 FPM12
   11     0     1     0     0     0     3     0     0     0     0     0
total active routes: 4
total inactive routes: 11
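The three checks in this section (find the primary FPM, confirm the SA is installed with the right dst subnets and ESP worker, and confirm those subnets appear as fctrlproxyd IKE routes) are easy to script once you have the CLI output in a file. The following is an added example, not Fortinet code, and it is not part of this page's original procedure. It assumes the output formats shown above, IPv4 selectors in the proto:addr/mask:port form, and that a tunnel's dst subnet should match an IKE route in the same VDOM index; the sample outputs embedded below are constructed to mirror the page's formats, with placeholder serial numbers and no SA keys.

```python
"""Cross-check FortiGate-7000 IPsec troubleshooting output.

Added example (not Fortinet code). Assumes the output formats shown on
this page; the sample texts below are constructed, not captured output.
"""
import ipaddress
import re

# Constructed sample of `diagnose load-balance status` (placeholder serials).
LB_STATUS = """\
==========================================================================
Slot: 2 Module SN: FIM-PLACEHOLDER-SN
Master FPM Blade: slot-3
Slot 3: FPM-PLACEHOLDER-SN Status:Working Function:Active
Slot 4: FPM-PLACEHOLDER-SN Status:Working Function:Active
"""

# Constructed sample of `diagnose vpn tunnel list name to-fgt2` (keys omitted).
TUNNEL_LIST = """\
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0 bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0
  SA: ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048
  IPsec LB: esp_worker=FPM06 esp_assist_last_sent=4295272912
"""

# Constructed sample of `diagnose test application fctrlproxyd 2`.
FCP_ROUTES = """\
fctrlproxyd route dump :
fcp IKE routes:
en:1 slot:06 vd:011 t_type:auto dst:4.2.3.0/24, to-fgt2
en:0 slot:06 vd:011 t_type:auto dst:4.2.4.0/24, to-fgt2
en:1 slot:07 vd:075 t_type:dialup dst:34.5.0.82/32, p1_v3058
Statistics:
"""

ROUTE_RE = re.compile(r"en:(\d) slot:(\d+) vd:(\d+) t_type:(\w+) dst:(\S+), (\S+)")


def primary_fpm(lb_status: str) -> str:
    """Return the 'Master FPM Blade' value (e.g. 'slot-3')."""
    m = re.search(r"Master FPM Blade:\s*(\S+)", lb_status)
    if not m:
        raise ValueError("no 'Master FPM Blade' line in load-balance status output")
    return m.group(1)


def _selector_to_cidr(selector: str) -> str:
    """Turn an IPv4 selector like 0:4.2.3.0/255.255.255.0:0 into 4.2.3.0/24."""
    _proto, rest = selector.split(":", 1)      # drop the leading protocol field
    addr_mask, _port = rest.rsplit(":", 1)     # drop the trailing port field
    return str(ipaddress.ip_network(addr_mask, strict=False))


def parse_tunnel(tunnel_list: str) -> dict:
    """Extract VDOM index, tunnel name, SA count, dst subnets and ESP worker."""
    vd = int(re.search(r"in vd (\d+)", tunnel_list).group(1))
    name = re.search(r"^name=(\S+)", tunnel_list, re.M).group(1)
    sa = int(re.search(r"\ssa=(\d+)", tunnel_list).group(1))
    dst_line = re.search(r"^\s*dst:\s*(.*)$", tunnel_list, re.M).group(1)
    worker = re.search(r"esp_worker=(\S+)", tunnel_list)
    return {
        "vd": vd,
        "name": name,
        "sa": sa,
        "dst": [_selector_to_cidr(s) for s in dst_line.split()],
        "esp_worker": worker.group(1) if worker else None,
    }


def parse_fcp_routes(dump: str) -> list:
    """Parse each 'en:.. slot:.. vd:.. t_type:.. dst:.., name' route line."""
    return [
        {"enabled": en == "1", "slot": int(slot), "vd": int(vd),
         "t_type": t_type, "dst": dst, "name": name}
        for en, slot, vd, t_type, dst, name in ROUTE_RE.findall(dump)
    ]


def check_tunnel(tunnel: dict, routes: list) -> dict:
    """Report whether the SA exists and which dst subnets lack an active IKE route
    in the same VDOM (matching by VDOM index and subnet is this example's assumption)."""
    by_dst = {r["dst"]: r for r in routes if r["vd"] == tunnel["vd"]}
    missing = [d for d in tunnel["dst"] if d not in by_dst]
    inactive = [d for d in tunnel["dst"] if d in by_dst and not by_dst[d]["enabled"]]
    return {"sa_installed": tunnel["sa"] > 0,
            "missing_routes": missing, "inactive_routes": inactive}


if __name__ == "__main__":
    print("primary FPM:", primary_fpm(LB_STATUS))
    tunnel = parse_tunnel(TUNNEL_LIST)
    print("tunnel:", tunnel)
    print("check:", check_tunnel(tunnel, parse_fcp_routes(FCP_ROUTES)))
```

Run it against files saved from the three CLI sessions by swapping the constructed strings for the file contents; a non-empty missing_routes or inactive_routes list points at the dst subnet to investigate. Note that the real tunnel list output includes the SA's ESP and AH keys on the dec and enc lines, so redact those before attaching the capture to a ticket.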