Troubleshooting OCVPN

This document includes troubleshooting steps for the following OCVPN network topologies:

  • Full mesh OCVPN.
  • Hub-spoke OCVPN with ADVPN shortcut.
  • Hub-spoke OCVPN with inter-overlay source NAT.

For OCVPN configurations in other network topologies, see the other OCVPN topics.

Troubleshooting full mesh network topology

  • Branch_1 # diagnose vpn ocvpn status
    Current State        : Registered
    Topology             : Full-Mesh
    Role                 : Spoke
    Server Status        : Up
    Registration time    : Thu Feb 28 18:42:25 2019
    Update time          : Thu Feb 28 15:57:18 2019
    Poll time            : Fri Mar  1 15:02:28 2019
  • Branch_1 # diagnose vpn ocvpn show-meta
    Topology :: auto
    License  :: full
    Members  :: 3
    Max-free :: 3
  • Branch_1 # diagnose vpn ocvpn show-overlays
    QA
    PM
  • Branch_1 # diagnose vpn ocvpn show-members
    Member: { "SN": "FG100D3G15801621", "IPv4": "172.16.200.1", "port": "500", "slot": 1000, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "10.1.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "10.2.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "FortiGate-100D", "topology_role": "spoke" } 
    Member: { "SN": "FG900D3915800083", "IPv4": "172.16.200.4", "port": "500", "slot": 1001, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "Branch3", "topology_role": "spoke" } 
    Member: { "SN": "FGT51E3U16001314", "IPv4": "172.16.200.199", "port": "500", "slot": 1002, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "192.168.4.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "192.168.5.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "Branch2", "topology_role": "spoke" }  
  • Branch_1 # diagnose vpn tunnel list
    list all ipsec tunnel in vd 0
    ------------------------------------------------------
    name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500
    bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc  accept_traffic=1
    
    proxyid_num=2 child_num=0 refcnt=13 ilast=7 olast=0 ad=/0
    stat: rxp=0 txp=7 rxb=0 txb=588
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=6
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate
      src: 0:10.1.100.0-10.1.100.255:0
      dst: 0:192.168.4.0-192.168.4.255:0
      SA:  ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048
           seqno=8 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
      life: type=01 bytes=0/0 timeout=42931/43200
      dec: spi=c34bb752 esp=aes key=16 3c5ceeff3cac1eaa2702b5ccb713ab9b
           ah=sha1 key=20 5903e358b3d8938ee64f0412887a0fe741ccb105
      enc: spi=b5bd4fe1 esp=aes key=16 8ae97a8abe24dae725d614d2a6efdcb0
           ah=sha1 key=20 9ec200d9c0cef9e1b7cf76e05dbf344c70f53214
      dec:pkts/bytes=0/0, enc:pkts/bytes=7/1064
    proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
      src: 0:10.1.100.0/255.255.255.0:0
      dst: 0:0.0.0.0/0.0.0.0:0
    ------------------------------------------------------
    name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
    bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc  accept_traffic=1
    
    proxyid_num=2 child_num=0 refcnt=11 ilast=19 olast=19 ad=/0
    stat: rxp=0 txp=0 rxb=0 txb=0
    dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
    natt: mode=none draft=0 interval=0 remote_port=0
    proxyid=_OCVPN2-4.1 proto=0 sa=1 ref=2 serial=7 auto-negotiate
      src: 0:10.1.100.0-10.1.100.255:0
      dst: 0:172.16.101.0-172.16.101.255:0
      SA:  ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42911/0B replaywin=2048
           seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
      life: type=01 bytes=0/0 timeout=42931/43200
      dec: spi=c34bb750 esp=aes key=16 8c9844a8bcd3fda6c7bd8a4f2ec81ef1
           ah=sha1 key=20 680c7144346f5b52126cbad9f325821b048c7192
      enc: spi=f2d1f2d4 esp=aes key=16 f9625fc8590152829eb39eecab3a3999
           ah=sha1 key=20 5df8447416da541fa54dde9fa3e5c35fbfc4723f
      dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
    proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
      src: 0:10.1.1
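The four outputs above are normally read by eye. The script below, an added example that is not FortiOS or Fortinet code, parses the same text offline and cross-checks it: the cloud registration state (`Current State`, `Server Status`), the member count from `show-meta` against the `Member:` lines of `show-members`, and, for every remote member, whether `diagnose vpn tunnel list` shows a tunnel to that member's `IPv4` with at least one installed SA (`sa=1`). The sample strings are constructed from the Branch_1 output on this page, trimmed to one overlay per member and to the lines the checker reads; the check rules themselves (which values count as healthy, and flagging a tunnel that has `txp>0` with `rxp=0` as a one-way-traffic warning) are this example's own assumptions, not a FortiOS rule.

```python
"""Offline health check over FortiGate OCVPN diagnose output (added example,
not FortiOS code). Feed it the text of 'diagnose vpn ocvpn status',
'diagnose vpn ocvpn show-meta', 'diagnose vpn ocvpn show-members' and
'diagnose vpn tunnel list'; it returns (ok, findings)."""
import json
import re

# Constructed sample input, copied from this page's Branch_1 output and trimmed.
STATUS = """Current State        : Registered
Topology             : Full-Mesh
Role                 : Spoke
Server Status        : Up
"""
META = """Topology :: auto
License  :: full
Members  :: 3
Max-free :: 3
"""
# Raw string so the JSON escape '\/' reaches json.loads unchanged.
MEMBERS = r"""Member: { "SN": "FG100D3G15801621", "IPv4": "172.16.200.1", "port": "500", "slot": 1000, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "10.1.100.0\/255.255.255.0" ] } ], "Name": "FortiGate-100D", "topology_role": "spoke" }
Member: { "SN": "FG900D3915800083", "IPv4": "172.16.200.4", "port": "500", "slot": 1001, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ] } ], "Name": "Branch3", "topology_role": "spoke" }
Member: { "SN": "FGT51E3U16001314", "IPv4": "172.16.200.199", "port": "500", "slot": 1002, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "192.168.4.0\/255.255.255.0" ] } ], "Name": "Branch2", "topology_role": "spoke" }
"""
TUNNELS = """list all ipsec tunnel in vd 0
------------------------------------------------------
name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500
stat: rxp=0 txp=7 rxb=0 txb=588
proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate
proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
------------------------------------------------------
name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=_OCVPN2-4.1 proto=0 sa=1 ref=2 serial=7 auto-negotiate
proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
"""

TUNNEL_HDR = re.compile(r"name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")


def parse_kv(text, sep=":"):
    """Parse 'Key : Value' lines (status uses ':', show-meta uses '::')."""
    out = {}
    for line in text.splitlines():
        if sep in line:
            key, val = line.split(sep, 1)
            out[key.strip()] = val.strip()
    return out


def parse_members(text):
    """Each 'Member: {...}' line of show-members is one JSON object."""
    return [json.loads(line[len("Member:"):])
            for line in text.splitlines() if line.startswith("Member:")]


def parse_tunnels(text):
    """Reduce 'diagnose vpn tunnel list' to name, gateways, counters, SA state."""
    tunnels, cur = [], None
    for line in text.splitlines():
        hdr = TUNNEL_HDR.search(line)
        if hdr:
            cur = {"name": hdr.group(1), "local": hdr.group(2), "remote": hdr.group(3),
                   "rxp": 0, "txp": 0, "sa_up": False}
            tunnels.append(cur)
        elif cur is None:
            continue
        elif line.startswith("stat:"):
            vals = dict(re.findall(r"(\w+)=(\d+)", line))
            cur["rxp"], cur["txp"] = int(vals["rxp"]), int(vals["txp"])
        elif line.startswith("proxyid=") and re.search(r"\bsa=[1-9]", line):
            cur["sa_up"] = True  # at least one installed IPsec SA on this tunnel
    return tunnels


def check_ocvpn(status, meta, members, tunnels):
    """Cross-check the four outputs. ok is False only on ERROR findings."""
    st, mt = parse_kv(status), parse_kv(meta, "::")
    mem, tun = parse_members(members), parse_tunnels(tunnels)
    findings = []
    if st.get("Current State") != "Registered":
        findings.append("ERROR: device is not registered with the OCVPN service")
    if st.get("Server Status") != "Up":
        findings.append("ERROR: OCVPN server status is not Up")
    if int(mt.get("Members", 0)) != len(mem):
        findings.append(f"ERROR: show-meta reports {mt.get('Members')} members, "
                        f"show-members lists {len(mem)}")
    local = {t["local"] for t in tun}          # our own gateway address(es)
    by_remote = {t["remote"]: t for t in tun}
    for m in mem:
        ip = m["IPv4"]
        if ip in local:
            continue                            # this entry is us
        t = by_remote.get(ip)
        if t is None:
            findings.append(f"ERROR: no tunnel to member {m['Name']} ({ip})")
        elif not t["sa_up"]:
            findings.append(f"ERROR: tunnel {t['name']} to {m['Name']} has no installed SA")
        elif t["txp"] and not t["rxp"]:        # heuristic: encrypting but never decrypting
            findings.append(f"WARN: tunnel {t['name']} to {m['Name']} sends but never "
                            f"receives (txp={t['txp']} rxp=0); check the return path")
    return not any(f.startswith("ERROR") for f in findings), findings


if __name__ == "__main__":
    ok, notes = check_ocvpn(STATUS, META, MEMBERS, TUNNELS)
    print("OK" if ok else "FAIL")
    for note in notes:
        print(" ", note)
```

On the sample from this page the check passes: all three members are known, both tunnels to the remote spokes have an installed SA, and the only finding is the warning that `_OCVPN2-3.1` has sent seven packets and received none. To run it against a live device, paste each command's output into the corresponding string or read it from files.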