Bear in mind that the troubleshooting suggestions below are notĮxhaustive, and may not reflect your network topology. The following is a list of such potential issues. This command will inform you of any lack of firewall policy, lack of forwarding route, and of policy ordering issues. This kind of information in the resulting output can make all the difference in determining the issue with the VPN.Īnother appropriate diagnostic command worth trying is:
This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc. The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following: Otherwise, use the IP address of the first interface from the interface list (that has an IP address). If the egress/outgoing interface (determined by kernel route) has an IP address, then use the IP address of the egress/outgoing interface. Anything sourced from the FortiGate going over the VPN will use this IP address. In this scenario, you must assign an IP address to the virtual IPSEC VPN interface. On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source-IP. If you can determine the connection is working properly then any problems are likely problems with your applications. When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place. Otherwise, you will need to work back through the stages to see where the problem is located. It is easiest to see if the final stage is successful first since if it is successful the other stages will be working properly. This section contains tips to help you with some common challenges of IPsec VPNs.Ī VPN connection has multiple stages that can be confirmed to ensure the connection is working properly. Set vpn-stats-log ipsec ssl set vpn-stats-period 300 To allow VPN tunnel-stats to be sent to FortiAnalyzer, configure the FortiGate unit as follows using the CLI: The FortiGate does not, by default, send tunnel-stats information. More accurate results require logs with action=tunnel- stats, which is used in generating reports on the FortiAnalyzer (rather than the tunnel-up and tunnel-down event logs). Other events, by default, will appear in the FortiAnalyzer report as “No Data Available”. S e nd i n g tunnel statistics to FortiAnalyzerīy default, logged events include tunnel-up and tunnel-down status events. Verify that the VP N activity event option is selected. For information about how to interpret log messages, see the FortiGate Log Message Reference.Ģ. For IPsec VPNs, Phase 1 and Phase 2 authentication and encryption events are logged. You can configure the FortiGate unit to log VPN events.
0 kommentar(er)
