FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pmeet
Staff
Article Id 275063
Description: This article describes the case where FortiGate does not display any traffic in the debug output while troubleshooting IPsec tunnel traffic.
Scope: FortiOS.
Solution

There are scenarios where debugging the IPsec tunnel traffic between the sites is needed to narrow down the root cause of an issue, or to verify which paths or policies the traffic is using for this communication.

When trying to debug this traffic on the FortiGate, no traffic is seen in the debug output even though the traffic flow between the sites is successful.

The reason for this behavior is that FortiGate offloads the IPsec traffic to the NPU (network processing unit), so the packets are handled in hardware and never reach the CPU, where the debug output is generated.

To see this traffic in the debug output, disable auto-asic-offload in the firewall policies associated with the tunnel interface.

config firewall policy
    edit 23
        show full-configuration | grep auto-asic
        set auto-asic-offload disable
    next
end

The show full-configuration | grep auto-asic line displays the current value of the setting before it is changed; the default is enable.


Here, policy ID 23 is the policy from the VPN tunnel interface to the LAN. Disable auto-asic-offload in both policies, VPN interface to LAN and LAN interface to VPN interface, to see the entire bidirectional flow of the traffic in the debug output. Re-enable auto-asic-offload on both policies once troubleshooting is complete, since disabling it forces that policy's traffic through the CPU.
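
As an added example (not part of the original article), the following script parses a FortiOS configuration dump and reports, for every firewall policy that references a given tunnel interface, whether auto-asic-offload is still enabled. It is a quick way to confirm that both directions of a VPN have offload disabled before debugging, and to find the policies to re-enable afterwards. The interface name vpn-siteB, the policy IDs and the config text are constructed sample values; a policy with no explicit auto-asic-offload line is assumed to use the FortiOS default, enable.

```python
import shlex

# Constructed sample FortiOS config dump (not taken from a real device).
SAMPLE_CONFIG = """\
config firewall policy
    edit 23
        set srcintf "vpn-siteB"
        set dstintf "port2"
        set auto-asic-offload disable
    next
    edit 24
        set srcintf "port2"
        set dstintf "vpn-siteB"
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {setting: [values]}} from 'config firewall policy'."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)  # handles quoted values like "vpn-siteB"
            policies[current][parts[1]] = parts[2:]
        elif line == "next":
            current = None
        elif line == "end":
            break
    return policies

def offload_state(policies, tunnel_intf):
    """Policy id -> auto-asic-offload value for policies that use tunnel_intf."""
    result = {}
    for pid, settings in policies.items():
        if tunnel_intf in settings.get("srcintf", []) + settings.get("dstintf", []):
            # No explicit line means the FortiOS default, which is enable.
            result[pid] = settings.get("auto-asic-offload", ["enable"])[0]
    return result

def still_offloaded(policies, tunnel_intf):
    """Ids of policies that still need 'set auto-asic-offload disable' to be debugged."""
    return sorted(p for p, v in offload_state(policies, tunnel_intf).items() if v == "enable")
```

With the sample above, still_offloaded(parse_policies(SAMPLE_CONFIG), "vpn-siteB") returns [24], the LAN-to-VPN policy that would still hide its traffic from the debug.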
