Troubleshooting
IPsec VPN
FIM02: FIM10E3E16000040
Master FPM Blade: slot-4
Slot 3: FPM20E3E17900113
  Status:Working   Function:Active
  Link:      Base: Up          Fabric: Up
  Heartbeat: Management: Good  Data: Good
  Status Message:"Running"
Slot 4: FPM20E3E16800033
  Status:Working   Function:Active
  Link:      Base: Up          Fabric: Up
  Heartbeat: Management: Good  Data: Good
  Status Message:"Running"
Log into the primary FPM CLI and run the command diagnose vpn tunnel list name <phase2-name> to show the security associations for that phase 2 configuration. The example below is for the to-fgt2 phase 2 configuration configured previously in this chapter. The command output shows the security association (SA) set up for this phase 2 and all of its destination subnets.
Make sure the SA is installed (the proxyid line shows sa=1 and is followed by an SA: block) and that the dst selectors list the correct destination subnets. Note that the dec: and enc: lines print the live ESP encryption and authentication keys in cleartext, so redact them before pasting this output into a ticket or sharing it.
CH15 [FPM04] (002ipsecvpn) # diagnose vpn tunnel list name to-fgt2
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0
bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/40 options[0028]=npu ike_assit
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0
ike_asssit_last_sent=4318202512
stat: rxp=142020528 txp=147843214 rxb=16537003048 txb=11392723577
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=2
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0
       0:4.2.5.0/255.255.255.0:0
  SA: ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048
       seqno=4a26f esn=0 replaywin_lastseq=00045e80
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=e89caf36 esp=aes key=16 26aa75c19207d423d14fd6fef2de3bcf
       ah=sha1 key=20 7d1a330af33fa914c45b80c1c96eafaf2d263ce7
  enc: spi=b721b907 esp=aes key=16 acb75d21c74eabc58f52ba96ee95587f
       ah=sha1 key=20 41120083d27eb1d3c5c5e464d0a36f27b78a0f5a
  dec:pkts/bytes=286338/40910978, enc:pkts/bytes=562327/62082855
  npu_flag=03 npu_rgwy=4.2.0.2 npu_lgwy=4.2.0.1 npu_selid=b dec_npuid=3 enc_npuid=1
Log into the CLI of any of the FIM modules and run the command diagnose test application fctrlproxyd 2. The output should show the same destination subnets as the FPM's dst selectors.
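The two checks above (SA installed, dst selectors correct) can be scripted when you have many FPMs or phase 2 configurations to compare. The following Python script is an added example written for this step; it is not Fortinet code and uses no FortiOS API, it only parses the text the diagnose command prints. The embedded SAMPLE_OUTPUT is an abridged copy of the to-fgt2 listing above, and the expected subnets passed in are the three dst networks shown there. It also redacts the esp/ah key material so the listing can be shared safely; the SPIs are kept because they are needed to correlate the two ends.

```python
"""Check a FortiOS phase 2 from 'diagnose vpn tunnel list name <phase2>' output.

Added example for this troubleshooting step; not Fortinet code. It parses each
proxyid block, reports whether an SA is installed (sa=1) and whether the dst
selectors match the subnets you expect, and can redact the ESP/AH keys the
command prints before the output is shared.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Selector format in the output: proto:address/netmask:port
SELECTOR_RE = re.compile(r"\b(\d+):(\d+(?:\.\d+){3})/(\d+(?:\.\d+){3}):(\d+)\b")
# Key material: 'key=<bytes> <hex>' after esp= (cipher) and ah= (integrity)
KEY_RE = re.compile(r"(key=\d+ )([0-9a-fA-F]+)")

# Abridged copy of the to-fgt2 listing shown on this page (keys are the page's own).
SAMPLE_OUTPUT = """\
list ipsec tunnel by names in vd 11
------------------------------------------------------
name=to-fgt2 ver=1 serial=2 4.2.0.1:0->4.2.0.2:0
bound_if=199 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/40 options[0028]=npu ike_assit
proxyid_num=1 child_num=0 refcnt=8581 ilast=0 olast=0 auto-discovery=0
stat: rxp=142020528 txp=147843214 rxb=16537003048 txb=11392723577
proxyid=to-fgt2 proto=0 sa=1 ref=8560 serial=8
  src: 0:4.2.1.0/255.255.255.0:0 0:4.2.2.0/255.255.255.0:0
  dst: 0:4.2.3.0/255.255.255.0:0 0:4.2.4.0/255.255.255.0:0
       0:4.2.5.0/255.255.255.0:0
  SA: ref=7 options=22e type=00 soft=0 mtu=9134 expire=42819/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=43148/43200
  dec: spi=e89caf36 esp=aes key=16 26aa75c19207d423d14fd6fef2de3bcf
       ah=sha1 key=20 7d1a330af33fa914c45b80c1c96eafaf2d263ce7
  enc: spi=b721b907 esp=aes key=16 acb75d21c74eabc58f52ba96ee95587f
       ah=sha1 key=20 41120083d27eb1d3c5c5e464d0a36f27b78a0f5a
"""


@dataclass
class Phase2:
    name: str
    sa_count: int
    src: list = field(default_factory=list)
    dst: list = field(default_factory=list)


def parse_selectors(text):
    """Return the IPv4 networks named in a src:/dst: line (proto and port ignored)."""
    return [ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            for _proto, addr, mask, _port in SELECTOR_RE.findall(text)]


def parse_tunnel_list(output):
    """Parse every 'proxyid=' block into a Phase2 record."""
    phase2s, current, section = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("proxyid="):
            fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
            current = Phase2(fields["proxyid"], int(fields.get("sa", "0")))
            phase2s.append(current)
            section = None
        elif current is None:
            continue  # tunnel header lines before the first proxyid block
        elif line.startswith("src:"):
            section = "src"
            current.src.extend(parse_selectors(line))
        elif line.startswith("dst:"):
            section = "dst"
            current.dst.extend(parse_selectors(line))
        elif section and SELECTOR_RE.match(line):
            getattr(current, section).extend(parse_selectors(line))  # wrapped line
        else:
            section = None  # 'SA:', 'life:', 'dec:' ... end the selector list
    return phase2s


def check_phase2(output, name, expected_dst):
    """Compare the named phase 2 against the dst subnets it should carry."""
    matches = [p for p in parse_tunnel_list(output) if p.name == name]
    if not matches:
        return {"found": False, "sa_installed": False,
                "missing_dst": sorted(expected_dst), "unexpected_dst": []}
    p2 = matches[0]
    expected = {ipaddress.IPv4Network(n) for n in expected_dst}
    actual = set(p2.dst)
    return {"found": True,
            "sa_installed": p2.sa_count > 0,
            "missing_dst": sorted(str(n) for n in expected - actual),
            "unexpected_dst": sorted(str(n) for n in actual - expected)}


def redact_keys(output):
    """Blank the ESP/AH keys so the listing can be pasted into a ticket; SPIs stay."""
    return KEY_RE.sub(r"\1<redacted>", output)


if __name__ == "__main__":
    print(check_phase2(SAMPLE_OUTPUT, "to-fgt2",
                       ["4.2.3.0/24", "4.2.4.0/24", "4.2.5.0/24"]))
    print(redact_keys(SAMPLE_OUTPUT))
```

Paste the raw FPM output into a file and feed it to check_phase2 with the subnets from your phase 2 configuration; a non-empty missing_dst or unexpected_dst, or sa_installed being false, points at the same mismatch the manual check above would find. The fctrlproxyd 2 output from the FIM uses a different layout, so compare its subnets by hand or write a second parser for it.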
FortiGate-7000
Fortinet Technologies Inc.