chaithrar (Staff)
Article Id 198258
Description
This article describes how to troubleshoot an IPsec VPN tunnel that was previously working but through which traffic no longer flows, even though no changes have been made to the configuration.

Solution
When an IPsec VPN tunnel is established but traffic is not flowing through it, and no changes have been made to the FortiGate configuration, perform packet captures of Encapsulating Security Payload (ESP) packets (i.e. the encrypted packets) between the VPN peers.
In this situation the ESP packets are typically being dropped or blocked by a firewall or routing issue somewhere in the path between the FortiGate's WAN interface and the remote VPN peer, which prevents VPN traffic from flowing properly.
To determine whether the above issue is being encountered, run the following CLI command on the FortiGate to initiate a packet capture of ESP packets (protocol 50):
# diagnose sniffer packet any "proto 50" 4 0 a
A similar packet capture needs to be performed on the other VPN peer unit, even if it is not a FortiGate.
If bidirectional ESP traffic is not observed on either VPN peer unit, then the issue described above is occurring.
The next step is to verify the unit configuration and/or network topology with the ISPs providing the WAN links to both VPN units, and to ensure that ESP (protocol 50) packets are not being blocked by ISP equipment on the WAN.

In most cases, this issue is intermittent and protocol 50 packets are found to be flowing after some time.
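The check described above (capture ESP on both sides and confirm it is seen in both directions) can be applied to a saved sniffer output. The following is an added example, not code from the original article or from Fortinet: it parses verbosity-4 sniffer lines (which print interface and in/out direction) and reports, per remote peer, whether ESP was seen in both directions. The sample capture lines and their exact layout are constructed assumptions modelled on FortiGate sniffer output; the peer addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of 'diagnose sniffer packet any "proto 50" 4 0 a' output.
# The line layout (date time iface dir src -> dst: ESP(...)) is an assumption.
# Peer 203.0.113.5: our ESP leaves but nothing comes back (the failure case).
# Peer 203.0.113.7: ESP seen in both directions (healthy tunnel).
SAMPLE = """\
2024-03-01 09:15:01.104233 wan1 out 198.51.100.10 -> 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x1)
2024-03-01 09:15:01.104901 wan1 out 198.51.100.10 -> 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x2)
2024-03-01 09:15:01.201337 wan1 out 198.51.100.10 -> 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x3)
2024-03-01 09:15:03.998120 wan1 out 198.51.100.10 -> 203.0.113.7: ESP(spi=0x5e6f7a8b,seq=0x1)
2024-03-01 09:15:04.000451 wan1 in 203.0.113.7 -> 198.51.100.10: ESP(spi=0x9c8d7e6f,seq=0x1)
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+): ESP\("
)


def esp_directions(capture: str) -> dict:
    """Count ESP packets per remote peer, split by direction (in / out)."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-ESP or non-matching line (e.g. sniffer banner)
        # For 'in' the remote peer is the source; for 'out' it is the destination.
        peer = m["src"] if m["dir"] == "in" else m["dst"]
        counts[peer][m["dir"]] += 1
    return dict(counts)


def verdict(peer_counts: dict) -> str:
    """Translate in/out counts into the troubleshooting conclusion."""
    if peer_counts["in"] and peer_counts["out"]:
        return "bidirectional"
    if peer_counts["out"]:
        return "outbound only: ESP leaves the WAN but nothing returns; check upstream path"
    if peer_counts["in"]:
        return "inbound only: peer ESP arrives but none is sent; check local routing/policy"
    return "no ESP seen"


if __name__ == "__main__":
    for peer, c in esp_directions(SAMPLE).items():
        print(f"{peer}: out={c['out']} in={c['in']} -> {verdict(c)}")
```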

Related Articles

Technical Note: Troubleshooting issue with traffic not flowing through previously working IPsec VPN ...
