FortiGate
amatos (Staff)
Article Id 273950

 

Description

This article describes how to troubleshoot or monitor an IPsec tunnel that suddenly has communication issues with the remote site even though both phase 1 and phase 2 are still up and the remote network/device should be reachable.

 

It is necessary to collect the IKE debugs to verify what is happening in the IPsec tunnel, but because the tunnel itself does not go down and the issue appears suddenly, these debugs can be collected via an automation stitch that is triggered when communication through the VPN is lost. Also, in some situations, flushing the tunnel makes it work correctly again.

In this example, a remote IP is reachable via the tunnel. If the link monitor for this IP fails, the automation stitch is triggered, collecting the necessary IKE debugs and sending the outputs via email (to then forward to TAC support), or even flushing the tunnel itself to re-establish communication.

 

This can also be extremely useful when both FortiGate devices use DDNS (Dynamic DNS) / FQDN to build the IPsec tunnels. If debug logs are not needed, it is possible to configure only the 'Flush_tunnel' action.

Scope

FortiGate, IPSEC, VPN, Automation Stitch, Link Monitor.

Solution

In this scenario, the below topology will be used. Both FortiGates are running version 7.2.5:

(Topology diagram: Topology.PNG)


When using a link monitor, the remote site of the VPN is monitored via ping. In this case, it is possible to select the FortiGate-B remote network reachable via the tunnel (192.168.20.0/24) and monitor the FortiGate-B LAN interface itself (192.168.20.1, with PING enabled) or an internal server. The monitored device should be reliable, so that power failures, reloads, etc. do not create false positives.

In this scenario, monitor the FortiGate-B LAN IP (192.168.20.1) by creating a link monitor as below:


config system link-monitor
    edit "Link_Monitor_VPN"
        set server "192.168.20.1"
        set source-ip 192.168.10.1
        set update-cascade-interface disable
        set update-static-route disable
        set update-policy-route disable
    next
end


Then, every time the mentioned link monitor fails, a 'Link Monitor status warning' is recorded in the General System Event logs, as below:


(System Events log screenshot: System Events.PNG)

 

Use this event to create an automation stitch trigger, so that the stitch can collect data, send emails, or even flush the tunnel.

 

  1. Configure an automation stitch trigger as below, so that the 'Link Monitor status warning' event of the 'Link_Monitor_VPN' monitor acts as the trigger:


config system automation-trigger
    edit "Link Monitor IPSEC Trigger"
        set description <----- Default automation triggers configuration for when a network connection goes down.
        set event-type event-log
        set logid 22932
        config fields
            edit 1
                set name "name"
                set value "Link_Monitor_VPN"
            next
        end
    next
end

 

  2. Also create the automation stitch actions: one to collect the IPsec debugs and send the email, and another one to flush the tunnel itself as a last resort.


Action to collect the IKE debugs:

config system automation-action
    edit "GET VPN"
        set action-type cli-script
        set script "get vpn ike gateway
get vpn ipsec tunnel details
get vpn ipsec tunnel name VPN_Test
diagnose vpn tunnel list
diagnose vpn tunnel list name VPN_Test
diagnose vpn ike crypto"
        set accprofile "super_admin"
    next
end

Action to send the email with the above-mentioned results:


config system automation-action
    edit "Link monitor IPSEC notification"
        set description <----- Default automation action configuration for sending an email with basic information on the log event.
        set action-type email
        set email-to "email@email.com"
        set email-subject "%%log.logdesc%%"
        set message "%%results%%"
    next
end

 

As a last resort, create the action to flush the tunnel:

 

config system automation-action
    edit "Flush_tunnel"
        set action-type cli-script
        set script "diagnose vpn tunnel flush NAME_VPN"
        set accprofile "super_admin"
    next
end

 

  3. Then, finalize the automation stitch(es) configuration, integrating the triggers and actions, using the below commands:

 

To create the stitch to collect the IKE debugs and send them via email:


config system automation-stitch
    edit "Link Monitor IPSEC"
        set trigger "Link Monitor IPSEC Trigger"
        config actions
            edit 1
                set action "GET VPN"
                set required enable
            next
            edit 2
                set action "Link monitor IPSEC notification"
                set delay 10
                set required enable
            next
        end
    next
end


To create a stitch to flush the tunnel when the situation happens:


config system automation-stitch
    edit "Tunnel_Flush_Stitch"
        set trigger "Link Monitor IPSEC Trigger"
        config actions
            edit 1
                set action "Flush_tunnel"
                set required enable
            next
        end
    next
end
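To check how the trigger filter and the action ordering configured above behave, the following added Python example (not part of this article or of FortiOS) replays constructed key=value event-log lines through a model of the trigger and the two stitches. It assumes the standard 10-digit logid layout in which the last digits carry the message ID used in 'set logid'.

```python
import re

# Mirrors this article's trigger (logid 22932 "Link Monitor status warning",
# filtered on name="Link_Monitor_VPN") and the two stitches with their delays.
TRIGGER_LOGID = 22932
TRIGGER_FIELDS = {"name": "Link_Monitor_VPN"}
STITCHES = {
    "Link Monitor IPSEC": [("GET VPN", 0), ("Link monitor IPSEC notification", 10)],
    "Tunnel_Flush_Stitch": [("Flush_tunnel", 0)],
}

# Constructed sample lines in FortiOS key=value log format (not device output):
# an unrelated event, a warning for another monitor, and the matching warning.
SAMPLE_LOGS = [
    'date=2023-10-05 time=10:00:01 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin"',
    'date=2023-10-05 time=10:00:02 logid="0100022932" type="event" subtype="system" '
    'level="warning" logdesc="Link Monitor status warning" name="Link_Monitor_WAN"',
    'date=2023-10-05 time=10:00:03 logid="0100022932" type="event" subtype="system" '
    'level="warning" logdesc="Link Monitor status warning" name="Link_Monitor_VPN"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Parse one key=value log line into a dict, stripping the quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def message_id(logid):
    """Assumption: the 10-digit logid is type(2)+subtype(2)+message ID(6),
    so "0100022932" carries the 22932 used in 'set logid'."""
    return int(logid[-6:])

def trigger_matches(event):
    """Replicate the event-log trigger: the logid and every configured field
    (here only 'name') must match, so other monitors do not fire the stitch."""
    return (event.get("type") == "event"
            and message_id(event.get("logid", "0")) == TRIGGER_LOGID
            and all(event.get(k) == v for k, v in TRIGGER_FIELDS.items()))

def schedule_actions(lines, stitches=STITCHES):
    """Return (stitch, action, delay_seconds) tuples that the stitches would
    run for the given log lines; non-matching lines schedule nothing."""
    scheduled = []
    for line in lines:
        if trigger_matches(parse_log(line)):
            for stitch, actions in stitches.items():
                scheduled.extend((stitch, a, d) for a, d in actions)
    return scheduled
```

Only the third sample line schedules anything: both stitches share the trigger, so the flush runs alongside the debug collection unless only one stitch is configured.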

 

In the first situation, an email will be received as below, containing the necessary debugs to troubleshoot the issue:

 

(Email screenshot: email.PNG)


The second situation 'bounces' the tunnel, which resolves the issue temporarily.