FortiGate
fmerin_FTNT
Staff
Article Id 198199

Description


This article describes how to troubleshoot an issue where traffic does not flow through an IPsec VPN tunnel that was previously working, even though no changes were made to the configuration.


Scope


IPsec VPN tunnels with FortiGate.

Solution


When an already established IPsec VPN tunnel does not allow traffic flow, even though no changes to the FortiGate configuration have been made since it last worked, begin troubleshooting by capturing the Encapsulating Security Payload (ESP) packets (the encrypted packets) exchanged between the VPN peers.


ESP packets may be dropped or blocked because of a firewall or routing issue somewhere in the path between the FortiGate's WAN interface and the remote VPN peer, which would prevent VPN traffic from flowing properly.


To determine whether the above issue is being encountered, run the following CLI command on the FortiGate device to initiate a packet capture of ESP packets (protocol 50):


# diagnose sniffer packet any "proto 50" 6 0 l


If several IPsec tunnels are configured on the FortiGate, narrow the filter to the WAN addresses of the tunnel being troubleshot:


# diagnose sniffer packet any "proto 50 and host <local_WAN_IP> and host <remote_WAN_IP>" 6 0 l


Perform a similar packet capture on the remote VPN peer as well, using that device's own capture tool if it is not a FortiGate.


If bidirectional ESP traffic is not observed on either VPN peer, or ESP sequence numbers are missing, the issue described above is occurring.
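The two checks above (ESP seen in both directions between the peers, and no gaps in ESP sequence numbers per SPI) can be run over saved sniffer output. The script below is an added example, not part of the original article; it assumes the `iface dir src -> dst: ESP(spi=0x...,seq=0x...)` header line format of the FortiGate sniffer and uses constructed sample lines with documentation addresses.

```python
import re
from collections import defaultdict

# Matches the ESP header line of FortiGate sniffer output (format assumed);
# the hex dump lines printed at verbosity 6 do not match and are skipped.
ESP_LINE = re.compile(
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):"
    r"\s+ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)

def parse_esp(lines):
    """Return (direction, src, dst, spi, seq) tuples for every ESP header line."""
    packets = []
    for line in lines:
        m = ESP_LINE.search(line)
        if m:
            packets.append((m["dir"], m["src"], m["dst"],
                            int(m["spi"], 16), int(m["seq"], 16)))
    return packets

def analyze_esp(lines, local_ip, remote_ip):
    """Check for ESP in both directions between the peers and for seq gaps per SPI."""
    packets = parse_esp(lines)
    outbound = any(d == "out" and s == local_ip and t == remote_ip for d, s, t, _, _ in packets)
    inbound = any(d == "in" and s == remote_ip and t == local_ip for d, s, t, _, _ in packets)
    seqs = defaultdict(set)
    for _, _, _, spi, seq in packets:
        seqs[spi].add(seq)
    gaps = {}
    for spi, seen in seqs.items():
        missing = sorted(set(range(min(seen), max(seen) + 1)) - seen)
        if missing:
            gaps[spi] = missing  # sequence numbers never seen for this SPI
    return {"outbound": outbound, "inbound": inbound,
            "bidirectional": outbound and inbound, "gaps": gaps}

# Constructed sample capture: outbound seq 0x10-0x12 is contiguous, inbound
# jumps from seq 0x8 to 0xb, so 0x9 and 0xa were lost in transit.
SAMPLE_BOTH = """interfaces=[any]
filters=[proto 50 and host 203.0.113.10 and host 198.51.100.5]
2024-05-06 10:15:32.102933 wan1 out 203.0.113.10 -> 198.51.100.5: ESP(spi=0x9c1f2a3b,seq=0x10)
2024-05-06 10:15:32.152101 wan1 out 203.0.113.10 -> 198.51.100.5: ESP(spi=0x9c1f2a3b,seq=0x11)
2024-05-06 10:15:32.203944 wan1 out 203.0.113.10 -> 198.51.100.5: ESP(spi=0x9c1f2a3b,seq=0x12)
2024-05-06 10:15:32.250310 wan1 in 198.51.100.5 -> 203.0.113.10: ESP(spi=0x4e7d0c21,seq=0x8)
2024-05-06 10:15:32.311025 wan1 in 198.51.100.5 -> 203.0.113.10: ESP(spi=0x4e7d0c21,seq=0xb)
""".splitlines()
SAMPLE_ONE_WAY = SAMPLE_BOTH[:5]  # only outbound ESP: the return path is blocked

if __name__ == "__main__":
    print(analyze_esp(SAMPLE_BOTH, "203.0.113.10", "198.51.100.5"))
    print(analyze_esp(SAMPLE_ONE_WAY, "203.0.113.10", "198.51.100.5"))
```

A result with `bidirectional` false or a non-empty `gaps` map is the symptom the article describes, pointing at a drop on the path between the WAN interfaces rather than at the tunnel configuration.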


As the next step, verify the device configuration and/or network topology with the ISPs that provide the WAN links to both VPN devices. This will also confirm that ESP (protocol 50) packets are not being blocked by ISP devices on the WAN.


If the cause of the issue cannot be identified from any of the above, contact the TAC team for additional support and provide the information obtained through these troubleshooting steps.