Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiGate-7000E Handbook

    Home FortiGate-7000 7.0.15 FortiGate-7000E Handbook
    7.0.15
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.10
    7.0.5
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.10
    6.4.8
    6.4.6
    6.4.2
    6.2.16
    6.2.16
    6.2.15
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.7
    6.2.6
    6.2.4
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    6.0.13
    6.0.12

    Troubleshooting

    Troubleshooting

    Use the following commands to verify that IPsec VPN sessions are up and running.

    Use the diagnose load-balance status command from the primary FIM interface module to determine the primary FPM. For FortiGate 7000E HA, run this command from the primary FortiGate 7000E. The third line of the command output shows which FPM is operating as the primary FPM.

    diagnose load-balance status 
  FIM01: FIM04E3E16000074
  Primary FPM Blade: slot-4

     Slot  3: FPM20E3E17900113
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPM20E3E16800033
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"

  FIM02: FIM10E3E16000040
  Primary FPM Blade: slot-4

     Slot  3: FPM20E3E17900113
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPM20E3E16800033
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"

    Log into the primary FPM CLI and from here log into the VDOM that you added the tunnel configuration to and run the command diagnose vpn tunnel list <phase2-name> to show the sessions for the phase 2 configuration. The example below is for the to-fgt2 phase 2 configuration configured previously in this chapter. The command output shows the security association (SA) setup for this phase 2 and the all of the destination subnets .

    From the command output, make sure the SA is installed and the dst addresses are correct.

    CH15 [FPM04] (002ipsecvpn) # diagnose vpn tunnel list name to-fgt2
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0
bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/40 options[0028]=npu ike_assit 
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0
ike_asssit_last_sent=4318202512
stat: rxp=142020528 txp=147843214 rxb=16537003048 txb=11392723577
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0SA: ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048 seqno=4a26f esn=0 replaywin_lastseq=00045e80
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=e89caf36 esp=aes key=16 26aa75c19207d423d14fd6fef2de3bcf
       ah=sha1 key=20 7d1a330af33fa914c45b80c1c96eafaf2d263ce7
  enc: spi=b721b907 esp=aes key=16 acb75d21c74eabc58f52ba96ee95587f
       ah=sha1 key=20 41120083d27eb1d3c5c5e464d0a36f27b78a0f5a
  dec:pkts/bytes=286338/40910978, enc:pkts/bytes=562327/62082855
  npu_flag=03 npu_rgwy=4.2.0.2 npu_lgwy=4.2.0.1 npu_selid=b dec_npuid=3 enc_npuid=1

    Log into the CLI of any of the FIMs and run the command diagnose test application fctrlproxyd 2. The output should show matching destination subnets.

    diagnose test application fctrlproxyd 2 

fcp route dump : last_update_time 24107 

Slot:4
	routecache entry: (5)
	checksum:27 AE 00 EA 10 8D 22 0C D6 48 AB 2E 7E 83 9D 24 
	vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.3.0 mask:255.255.255.0 enable:1 
	vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.4.0 mask:255.255.255.0 enable:1 
	vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.5.0 mask:255.255.255.0 enable:1 
	=========================================

    Previous
    Next

    Troubleshooting

    Troubleshooting

    Use the following commands to verify that IPsec VPN sessions are up and running.

    Use the diagnose load-balance status command from the primary FIM interface module to determine the primary FPM. For FortiGate 7000E HA, run this command from the primary FortiGate 7000E. The third line of the command output shows which FPM is operating as the primary FPM.

    diagnose load-balance status 
  FIM01: FIM04E3E16000074
  Primary FPM Blade: slot-4

     Slot  3: FPM20E3E17900113
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPM20E3E16800033
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"

  FIM02: FIM10E3E16000040
  Primary FPM Blade: slot-4

     Slot  3: FPM20E3E17900113
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPM20E3E16800033
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"

    Log into the primary FPM CLI and from here log into the VDOM that you added the tunnel configuration to and run the command diagnose vpn tunnel list <phase2-name> to show the sessions for the phase 2 configuration. The example below is for the to-fgt2 phase 2 configuration configured previously in this chapter. The command output shows the security association (SA) setup for this phase 2 and the all of the destination subnets .

    From the command output, make sure the SA is installed and the dst addresses are correct.

    CH15 [FPM04] (002ipsecvpn) # diagnose vpn tunnel list name to-fgt2
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0
bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/40 options[0028]=npu ike_assit 
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0
ike_asssit_last_sent=4318202512
stat: rxp=142020528 txp=147843214 rxb=16537003048 txb=11392723577
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0 0:4.2.5.0/255.255.255.0:0SA: ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048 seqno=4a26f esn=0 replaywin_lastseq=00045e80
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=e89caf36 esp=aes key=16 26aa75c19207d423d14fd6fef2de3bcf
       ah=sha1 key=20 7d1a330af33fa914c45b80c1c96eafaf2d263ce7
  enc: spi=b721b907 esp=aes key=16 acb75d21c74eabc58f52ba96ee95587f
       ah=sha1 key=20 41120083d27eb1d3c5c5e464d0a36f27b78a0f5a
  dec:pkts/bytes=286338/40910978, enc:pkts/bytes=562327/62082855
  npu_flag=03 npu_rgwy=4.2.0.2 npu_lgwy=4.2.0.1 npu_selid=b dec_npuid=3 enc_npuid=1

    Log into the CLI of any of the FIMs and run the command diagnose test application fctrlproxyd 2. The output should show matching destination subnets.

    diagnose test application fctrlproxyd 2 

fcp route dump : last_update_time 24107 

Slot:4
	routecache entry: (5)
	checksum:27 AE 00 EA 10 8D 22 0C D6 48 AB 2E 7E 83 9D 24 
	vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.3.0 mask:255.255.255.0 enable:1 
	vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.4.0 mask:255.255.255.0 enable:1 
	vd:3 p1:to-fgt2 p2:to-fgt2 subnet:4.2.5.0 mask:255.255.255.0 enable:1 
	=========================================

    Previous
    Next