Fortigate VPN troubleshooting

25th February 2020

If you are troubleshooting a Fortinet VPN here are a few tips.

In the web GUI, Network > Packet Capture lets you capture traffic on a VPN tunnel interface. This can be used to confirm that ping packets are actually being sent over the tunnel, and the capture shows explicitly when the ping responses did not come back.

Start a PuTTY session to the FortiGate and run the following commands to produce diagnostic output. I recommend enabling PuTTY session logging so you can search back through the output later.

diag de en

  • In the FortiGate web GUI click Monitor > IPsec Monitor and bring the tunnel's selectors up.
  • You will now see debug output on the CLI; attach that output to a Fortinet support ticket.
  • From the FortiGate console run ping 10.x.x.x to send traffic over the tunnel.

di de dis   (diagnose debug disable: turn the debug output off again when you are done)

If you have multiple VPNs, I recommend adding a filter so the output only shows the tunnel you care about. (The commands below use the FortiOS 6.x log-filter keyword; FortiOS 7.0 and later use diagnose vpn ike log filter rem-addr4 instead.)

diag debug reset
diag de app ike -1
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 <public IP of the remote VPN peer>
diag debug enable

If you are debugging a remote dial-up VPN there is no fixed peer address, so filter by the tunnel (phase1) name instead:
dia deb disable
dia deb reset
dia vpn ike gateway clear
dia vpn ike log-filter name <phase1 name of the dial-up VPN>
diag vpn ike log-filter dst-addr4   (optional: add the client's public address if you know it)
dia deb app ike -1
dia deb enable
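To run either of the debug sequences above (the peer-address filter and the dial-up name filter) without typing them into PuTTY, here is an added example that is not from the original post: it builds the command list, validates the peer address, drives the FortiGate over SSH and captures everything to a timestamped file. The host name, the admin user name and the FortiOS 6.x log-filter keyword are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes an SSH-reachable
# FortiGate, an admin account named "admin" and FortiOS 6.x "log-filter"
# syntax; adjust those for your environment.

# Accept only a dotted-quad IPv4 address for the dst-addr4 filter.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Print the FortiOS command sequence for one tunnel.
# $1 = "addr" (site-to-site, filter by remote public IP) or
#      "name" (dial-up, filter by phase1 name); $2 = the IP or name.
ike_debug_commands() {
  case "$1" in
    addr) valid_ipv4 "$2" || return 1; flt="dst-addr4 $2" ;;
    name) [ -n "$2" ] || return 1;      flt="name $2" ;;
    *) return 1 ;;
  esac
  printf '%s\n' \
    "diagnose debug disable" \
    "diagnose debug reset" \
    "diagnose vpn ike log-filter clear" \
    "diagnose vpn ike log-filter $flt" \
    "diagnose debug application ike -1" \
    "diagnose debug enable"
}

# Always run afterwards so debugging is never left enabled on the firewall.
ike_debug_cleanup() {
  printf '%s\n' "diagnose debug disable" "diagnose debug reset"
}

# Start the debug, hold the session open for $4 seconds while you bring the
# tunnel up and ping across it, then clean up. Output is captured to a
# timestamped file, which replaces manual PuTTY session logging.
# $1 = FortiGate host, $2 = "addr" or "name", $3 = IP or name, $4 = seconds.
run_ike_debug() {
  log="ike-debug-$(date +%Y%m%d-%H%M%S).log"
  { ike_debug_commands "$2" "$3" || exit 1
    sleep "$4"
    ike_debug_cleanup; } | ssh "admin@$1" | tee "$log"
}
```

Call it as run_ike_debug fgt.example.net addr 203.0.113.10 120 (site-to-site) or run_ike_debug fgt.example.net name Dialup-VPN 120 (dial-up), then attach the .log file to the support ticket.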

Troubleshooting Dialup VPN:

Upgrade the client; I have seen FortiClient 6.0 unable to reach subnets that worked correctly once it was upgraded to FortiClient 6.2.

To uninstall FortiClient you may need to unlock the client and then shut it down via the tray icon before the uninstall option appears in Add/Remove Programs.

Increase your PuTTY session lifetime by raising the session TTL for TCP port 22 (the idle timeout for admin logins is a separate setting, admintimeout under config system global):
config system session-ttl
    config port
        edit 22
            set timeout 3600
        next
    end
end