FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kmohan
Staff
Article Id 275304
Description This article describes how to troubleshoot on the FortiGate when the 'Poll Active Directory Server' external connector shows as down on the FortiGate firewall.
Scope FortiGate.
Solution

External connector down over an IPsec VPN between two FortiGate firewalls:


Step 1: Verify LDAP server connectivity. If the LDAP server is reachable but the external connector still shows as down, continue with Step 2.

 

Step 2: Take the debug capture below, using the configured destination port or the default port 445.

diagnose sniffer packet any "port 445" 4 0 a

 

Take the packet capture towards the AD server while initiating a connection, and check which source IP the traffic is going out with. If the traffic is leaving from a different source IP, set the correct source IP address on the external connector in the CLI:

 

config user fsso-polling
    edit 1                             -> entry ID (1 is a placeholder; use the ID of the existing polling entry).
        set status enable
        set server x.x.x.x             -> x.x.x.x is the AD/LDAP server IP address.
        set default-domain <domain>    -> the AD domain name.
        set src-ip y.y.y.y             -> y.y.y.y is the source IP address of the traffic going out towards the AD server.
    next
end

 

Or:

 

config system interface
    edit <tunnel-name>                         -> name of the IPsec tunnel interface.
        set ip x.x.x.x 255.255.255.255         -> x.x.x.x is the local IP address used as the source IP on the tunnel.
        set remote-ip y.y.y.y 255.255.255.255  -> y.y.y.y is the remote (peer) tunnel IP address on the other side of the local subnet.
    next
end

 

Then try to connect the external connector again; it will work.


If the issue still persists, follow the troubleshooting steps below on both sides.

  1. Take a sniffer capture on both ends with the default port 445 (diagnose sniffer packet any "port 445" 4 0 a).
  2. On the remote firewall, observe the traffic with the debug flow commands below.

 

diag debug reset
diag debug flow show function-name enable
diag debug flow filter dport 445
diag debug flow filter proto 6     -> TCP; the AD polling traffic on port 445 is TCP (proto 1 is ICMP and would match no port 445 traffic).
diag debug flow trace start 100
diag debug enable


Check for any error such as 'Denied by forward policy check (policy 0)'.
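To speed up the two checks above (which source IP the traffic to port 445 leaves with, and whether the debug flow reports a forward-policy denial), the Python script below parses saved output of 'diagnose sniffer packet' (verbose level 4) and 'diagnose debug flow'. It is added here as a worked example and is not part of the original article or of FortiOS. The sample lines inside it are constructed in the format those commands print; the IP addresses, trace IDs and the interface name 'vpn-to-hq' are assumed values.

```python
import re
from collections import defaultdict

# One line of "diagnose sniffer packet any 'port 445' 4" output looks like:
#   <timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>
SNIFFER_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Debug flow lines carry a trace_id; the first line of a trace prints the 5-tuple,
# a later line prints the policy verdict.
TRACE_RE = re.compile(r"trace_id=(?P<trace>\d+)")
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)"
)
DENIED_RE = re.compile(r'msg="Denied by forward policy check \(policy (?P<policy>\d+)\)"')

# Constructed sample output: polling traffic leaving on two different source IPs.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[port 445]
1.234567 vpn-to-hq out 10.10.10.1.51022 -> 192.168.50.10.445: syn 1012345678
1.236001 vpn-to-hq out 10.10.10.1.51022 -> 192.168.50.10.445: syn 1012345678
2.001234 port1 out 40.40.40.4.51030 -> 192.168.50.10.445: syn 2012345678
"""

# Constructed sample debug flow output: trace 1 is denied by policy 0, trace 2 is allowed.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 40.40.40.4:51030->192.168.50.10:445) from local. flag [S], seq 2012345678, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=6069 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.10.10.1:51022->192.168.50.10:445) from local. flag [S], seq 1012345678, ack 0, win 65535"
id=20085 trace_id=2 func=fw_forward_handler line=837 msg="Allowed by Policy-7:"
"""


def outbound_sources(sniffer_output, dport=445):
    """Return {source_ip: packet_count} for outbound packets towards dport."""
    counts = defaultdict(int)
    for line in sniffer_output.splitlines():
        m = SNIFFER_RE.match(line)
        if not m or m.group("dir") != "out" or int(m.group("dport")) != dport:
            continue
        counts[m.group("src")] += 1
    return dict(counts)


def unexpected_sources(sniffer_output, expected_src, dport=445):
    """Source IPs seen towards the AD server that differ from the configured src-ip."""
    return sorted(ip for ip in outbound_sources(sniffer_output, dport) if ip != expected_src)


def policy_denials(flow_output):
    """Correlate debug flow lines by trace_id and return every forward-policy denial
    together with the 5-tuple of the packet that was denied."""
    packets = {}
    denials = []
    for line in flow_output.splitlines():
        t = TRACE_RE.search(line)
        if not t:
            continue
        trace = t.group("trace")
        p = PKT_RE.search(line)
        if p:
            packets[trace] = (p.group("src"), p.group("dst"), int(p.group("dport")))
        d = DENIED_RE.search(line)
        if d:
            src, dst, dport = packets.get(trace, (None, None, None))
            denials.append({"trace_id": trace, "src": src, "dst": dst,
                            "dport": dport, "policy": int(d.group("policy"))})
    return denials


if __name__ == "__main__":
    # Assumed configured src-ip for the example: 10.10.10.1
    print("outbound sources to 445:", outbound_sources(SAMPLE_SNIFFER))
    print("unexpected sources:", unexpected_sources(SAMPLE_SNIFFER, "10.10.10.1"))
    for d in policy_denials(SAMPLE_FLOW):
        print(f"trace {d['trace_id']}: {d['src']} -> {d['dst']}:{d['dport']} denied by policy {d['policy']}")
```

Run the script on the saved CLI output instead of the constructed samples by reading the files into the two functions; a non-empty result from unexpected_sources() points at the src-ip fix above, and a denial with policy 0 points at the missing firewall policy for that source address.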

 

Verify the firewall policies for the IPsec tunnel, from IPsec to LAN and from LAN to IPsec. Check both the inbound and outbound policies.
 

Check whether the source IP address of the outgoing traffic is included in the policy. Once it is added to the policy, the external connector will work.
  
Example: the source IP of the outgoing traffic is 40.40.40.4, so add it as a source address on the IPsec tunnel policy:

     [Screenshot: IPsec tunnel firewall policy with 40.40.40.4 added as a source address]

 

Now try to connect the external connector again, and it will work.