FortiGate IPsec VPN Troubleshooting Runbook

📌 Overview

This guide provides a structured approach to troubleshooting IPsec VPN issues on FortiGate, especially intermittent tunnel problems where logs alone are insufficient.

⚠️ Important: Debug output must be captured while the issue is occurring. IKE debug is printed to the CLI session, not stored, so enabling it after the event shows nothing about the failure, and the event logs alone rarely carry the proposal or selector details needed for root cause.


🧭 Step 1: Baseline Checks

Run these commands before enabling debug:

get vpn ipsec tunnel summary
diagnose vpn tunnel list

What to Check

  • Tunnel status (up/down), and whether it changes between two readings a few seconds apart
  • Phase 1 / Phase 2 state for the affected tunnel name
  • Packet counters: compare the encrypted (outbound) and decrypted (inbound) counts across two readings. Both stuck means the tunnel or the route into it is down; only one direction rising usually points to routing or firewall policy on the far end rather than to IKE

🧪 Step 2: Enable IKE Debug

diagnose debug console timestamp enable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 <REMOTE-GATEWAY-IP>
diagnose debug application ike -1
diagnose debug enable

Notes

  • Replace <REMOTE-GATEWAY-IP> with the actual peer IP
  • -1 enables maximum verbosity; lower levels hide the proposal and selector details you need
  • The filter limits output to the selected peer; without it, IKE debug prints every tunnel on the box and the lines you need are buried
  • On FortiOS 7.4 and later the filter commands are named differently: diagnose vpn ike log filter clear and diagnose vpn ike log filter rem-addr4 <REMOTE-GATEWAY-IP>
  • Debug output goes to the CLI session, not to disk. Enable session logging in your SSH client before this step or the output is lost

🚨 Step 3: Reproduce the Issue

Debug without traffic is useless: IKE only negotiates when something tries to use the tunnel or a timer fires.

Trigger traffic manually:

execute ping <REMOTE-SUBNET-IP>

By default the FortiGate sources the ping from its own egress interface address, which usually falls outside the Phase 2 selectors and will not bring the tunnel up. Set a source inside the local selector first:

execute ping-options source <LOCAL-LAN-IP>
execute ping <REMOTE-SUBNET-IP>

Or:

  • Restart the tunnel so the full negotiation is captured from the first message: diagnose vpn ike gateway flush name <PHASE1-NAME> (this tears down the existing SAs, so do it in a window where a brief outage is acceptable)
  • Initiate application traffic from a host behind the FortiGate, which also exercises the firewall policy and the route into the tunnel

🛑 Step 4: Stop Debug Immediately

diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear

⚠️ Do not leave debug running. Level -1 IKE debug can spike CPU on a busy device and floods the console. The IKE log filter is separate from the debug level and is not touched by diagnose debug reset, so clear it explicitly or the next engineer inherits a filter for the wrong peer.


🔎 Step 5: Analyze Debug Output

Read the output in the order of the IKE state machine: Phase 1 (IKE SA) must complete before Phase 2 (IPsec SA) is attempted, so the first error in the sequence is usually the real one and later errors are fallout.

Phase 1 Errors

Common messages:

  • no proposal chosen
  • probable pre-shared secret mismatch
  • authentication failed
  • peer not responding

Possible causes:

  • Encryption, hash, or DH group mismatch in the Phase 1 proposal (compare show vpn ipsec phase1-interface on both sides)
  • IKE version mismatch (IKEv1 vs IKEv2) or mode mismatch (main vs aggressive)
  • Wrong pre-shared key (PSK), or mismatched peer ID / local ID
  • Peer unreachable: UDP 500/4500 not arriving (blocked upstream, wrong peer IP, or the peer is down)

Phase 2 Errors

Common messages:

  • no proposal chosen (also appears in Phase 2 when the IPsec proposal or PFS group differs)
  • peer SA proposal not match local policy
  • proxy id mismatch
  • quick mode failed

Possible causes:

  • Subnet mismatch: the peer's selectors are not the mirror image of the local ones
  • Incorrect Phase 2 selectors (wrong address objects, or 0.0.0.0/0 on one side and a specific subnet on the other)
  • Phase 2 encryption, hash, or PFS group mismatch

Intermittent Issues

Common messages:

  • retransmit
  • timeout
  • delete SA

Possible causes:

  • ISP instability or packet loss on the path, visible as bursts of retransmits before a timeout
  • NAT-T issues: UDP 4500 or ESP dropped, or a NAT mapping expiring between keepalives (confirm with a packet capture on the WAN interface rather than from the IKE log alone)
  • Dead Peer Detection (DPD) too aggressive for a lossy link, tearing down SAs that would have recovered
  • Lifetime or rekey mismatch, so one side deletes an SA the other side is still using
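As an added example, not part of this runbook and not a Fortinet tool, the Python script below does the first pass of this analysis on a saved capture: it sorts lines into the Phase 1 / Phase 2 / intermittent buckets above, counts them per tunnel, restricts the count to a window around the reported issue time, and flags tunnels whose retransmits arrive in bursts (path loss rather than configuration). It assumes timestamped lines of the shape "YYYY-MM-DD HH:MM:SS ike <vdom>:<phase1-name>:...: <message>", which varies between FortiOS versions, and the sample capture embedded in it is constructed, not real device output.

```python
# Added example (not a Fortinet tool): first-pass triage of a saved IKE debug capture.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape, as produced with 'diagnose debug console timestamp enable':
#   "YYYY-MM-DD HH:MM:SS ike <vdom>:<phase1-name>[:<seq>[:<phase2-name>:<seq>]]: <message>"
# The exact field layout differs between FortiOS versions; adjust this regex to your capture.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ike \d+:(?P<tunnel>[^:\s]+):"
    r"(?:[\w.-]+:)*\s*(?P<msg>\S.*)$"
)

# (bucket, cause, regex). Messages are the ones listed in Step 5; extend as you meet new ones.
# "no proposal chosen" also occurs in Phase 2, so check the line prefix for a Phase 2 name.
RULES = [
    ("phase1", "proposal mismatch", r"no proposal chosen"),
    ("phase1", "psk or auth failure", r"probable pre-shared secret mismatch|authentication failed"),
    ("phase1", "peer unreachable", r"peer not responding"),
    ("phase2", "selector mismatch", r"proxy id mismatch|peer SA proposal not match local policy|quick mode failed"),
    ("intermittent", "retransmit", r"retransmit"),
    ("intermittent", "timeout", r"timeout"),
    ("intermittent", "dpd or sa delete", r"delete SA|DPD"),
]
RULES = [(bucket, cause, re.compile(pat, re.I)) for bucket, cause, pat in RULES]

# Constructed sample capture (not real device output): one tunnel timing out after
# retransmits, one Phase 1 proposal mismatch, one Phase 2 selector mismatch, one DPD event.
SAMPLE_CAPTURE = """\
2024-05-02 10:14:03 ike 0:VPN-HQ:9001: initiator: main mode is sending 1st message...
2024-05-02 10:14:08 ike 0:VPN-HQ:9001: retransmit phase1 request
2024-05-02 10:14:13 ike 0:VPN-HQ:9001: retransmit phase1 request
2024-05-02 10:14:18 ike 0:VPN-HQ:9001: retransmit phase1 request
2024-05-02 10:14:33 ike 0:VPN-HQ:9001: negotiation timeout, deleting
2024-05-02 10:15:02 ike 0:VPN-BRANCH2:9002: responder: main mode get 1st message...
2024-05-02 10:15:02 ike 0:VPN-BRANCH2:9002: no proposal chosen
2024-05-02 10:16:40 ike 0:VPN-LAB:9003:VPN-LAB-P2:17: peer SA proposal not match local policy
2024-05-02 10:20:11 ike 0:VPN-HQ: DPD failure, deleting SA
"""


def parse_line(line):
    """Return {'ts', 'tunnel', 'msg'} for a debug line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "tunnel": m["tunnel"],
        "msg": m["msg"],
    }


def classify(msg):
    """Map a message to (bucket, cause) using the first matching rule, or None."""
    for bucket, cause, rx in RULES:
        if rx.search(msg):
            return bucket, cause
    return None


def triage(capture, issue_time=None, window=timedelta(minutes=2)):
    """Count classified messages per tunnel: {tunnel: {cause: count}}.

    If issue_time is given, only lines within +/- window of it are counted; this is the
    'correlate with the timestamp of the issue' step, and everything outside it is noise."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in capture.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if issue_time is not None and abs(ev["ts"] - issue_time) > window:
            continue
        hit = classify(ev["msg"])
        if hit is not None:
            findings[ev["tunnel"]][hit[1]] += 1
    return {tunnel: dict(causes) for tunnel, causes in findings.items()}


def retransmit_bursts(capture, threshold=3, span=timedelta(seconds=30)):
    """Tunnels with at least `threshold` retransmits inside any `span`-long window.

    A burst means IKE packets are being lost on the path (ISP, NAT-T, blocked UDP 4500),
    which is a different investigation from a proposal or selector mismatch."""
    stamps = defaultdict(list)
    for line in capture.splitlines():
        ev = parse_line(line)
        if ev is not None and re.search(r"retransmit", ev["msg"], re.I):
            stamps[ev["tunnel"]].append(ev["ts"])
    bursty = []
    for tunnel, ts in stamps.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= span for i in range(len(ts) - threshold + 1)):
            bursty.append(tunnel)
    return sorted(bursty)


if __name__ == "__main__":
    for tunnel, causes in triage(SAMPLE_CAPTURE).items():
        print(tunnel, causes)
    print("retransmit bursts:", retransmit_bursts(SAMPLE_CAPTURE))
```

Run it against your own session log by replacing SAMPLE_CAPTURE with the file contents and passing the reported issue time to triage(). A tunnel that shows only retransmits and timeouts, and appears in retransmit_bursts(), belongs in the "Intermittent Issues" track; one that shows a proposal or selector mismatch with no retransmits is a configuration problem and a packet capture will not add much.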

🧰 Step 6: Additional Diagnostic Commands

IKE Gateway Status

diagnose vpn ike gateway list

Shows each Phase 1 gateway with its state, IKE version, and whether NAT was detected; compare against what the peer reports.

Phase 1 Configuration

show vpn ipsec phase1-interface

Phase 2 Configuration

show vpn ipsec phase2-interface

Routing Table Check

get router info routing-table all

Confirm the route to the remote subnet points at the tunnel interface; a tunnel can be up while traffic still leaves via the default route.

Firewall Policy Lookup

diagnose firewall iprope lookup <SRC-IP> <SRC-PORT> <DST-IP> <DST-PORT> <PROTOCOL> <SRC-INTERFACE>

The lookup needs both ports and the ingress interface, not just the two addresses; without the interface it cannot tell you which policy (if any) the traffic would match.

Packet Capture on the Peer Path

diagnose sniffer packet any 'host <REMOTE-GATEWAY-IP> and (udp port 500 or udp port 4500 or proto 50)' 4 0 l

Use this when the IKE debug shows retransmits or timeouts: if the initiator's packets leave and nothing comes back, the problem is on the path or the peer, not in the FortiGate configuration.

⚠️ Common Mistakes

  • Running debug after the issue is gone
  • Not generating traffic during debug, or pinging from the FortiGate without a source address inside the Phase 2 selector
  • Forgetting to filter logs, so the peer you care about is lost among the others
  • Leaving debug running too long
  • Not logging the SSH session, so the output scrolls away and cannot be sent to TAC

🧠 Best Practice Workflow

  1. Identify the issue occurrence and note the exact time
  2. Enable debug immediately, filtered to the affected peer
  3. Generate traffic that matches the Phase 2 selectors
  4. Capture full debug output to a session log
  5. Run baseline and diagnostic commands
  6. Stop debug and clear the filter
  7. Provide complete data to TAC

📎 Data to Provide to TAC

  • Full IKE debug output, captured with timestamps
  • Output of:
    • get system status (FortiOS version and model)
    • diagnose vpn tunnel list
    • diagnose vpn ike gateway list
    • show vpn ipsec phase1-interface and show vpn ipsec phase2-interface (redact the PSK)
  • Timestamp of issue, with the device's time zone
  • Affected tunnel name and peer IP
  • Description of behavior, including anything that changed recently on either side

🧾 Summary

Effective VPN troubleshooting on FortiGate depends on:

  • Timing: capture the issue live
  • Proper debug filtering
  • Correlating logs with configuration and traffic

Without these, root cause analysis becomes guesswork.