OCVPN troubleshooting
This document includes troubleshooting steps for the following OCVPN network topologies:
- Full mesh. l Hub-spoke with ADVPN shortcut. l Hub-spoke with inter-overlay source NAT.
For OCVPN configurations in different network topologies, please refer to the other OCVPN topics.
Full mesh network topology troubleshooting
- Branch_1 # diagnose vpn ocvpn status
| Current State | : Registered |
| Topology | : Full-Mesh |
| Role | : Spoke |
| Server Status | : Up |
| Registration time | : Thu Feb 28 18:42:25 2019 |
| Update time | : Thu Feb 28 15:57:18 2019 |
| Poll time | : Fri Mar 1 15:02:28 2019 |
- Branch_1 # diagnose vpn ocvpn show-meta
Topology :: auto
License :: full
Members :: 3
Max-free :: 3
- Branch_1 # diagnose vpn ocvpn show-overlays
QA
PM l Branch_1 # diagnose vpn ocvpn show-members
Member: { “SN”: “FG100D3G15801621”, “IPv4”: “172.16.200.1”, “port”: “500”, “slot”: 1000, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “10.1.100.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [
“10.2.100.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “FortiGate-100D”, “topology_role”: “spoke” }
Member: { “SN”: “FG900D3915800083”, “IPv4”: “172.16.200.4”, “port”: “500”, “slot”: 1001, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [
“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch3”, “topology_role”: “spoke” }
Member: { “SN”: “FGT51E3U16001314”, “IPv4”: “172.16.200.199”, “port”: “500”, “slot”: 1002, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “192.168.4.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [
“192.168.5.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch2”, “topology_role”: “spoke” } l Branch_1 # dagnose vpn tunnel list
list all ipsec tunnel in vd 0
——————————————————
name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=13 ilast=7 olast=0 ad=/0 stat: rxp=0 txp=7 rxb=0 txb=588
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=6 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate
src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0
SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42931/43200
dec: spi=c34bb752 esp=aes key=16 3c5ceeff3cac1eaa2702b5ccb713ab9b ah=sha1 key=20 5903e358b3d8938ee64f0412887a0fe741ccb105
enc: spi=b5bd4fe1 esp=aes key=16 8ae97a8abe24dae725d614d2a6efdcb0 ah=sha1 key=20 9ec200d9c0cef9e1b7cf76e05dbf344c70f53214
dec:pkts/bytes=0/0, enc:pkts/bytes=7/1064
proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
——————————————————
name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=11 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.1 proto=0 sa=1 ref=2 serial=7 auto-negotiate
src: 0:10.1.100.0-10.1.100.255:0 dst: 0:172.16.101.0-172.16.101.255:0
SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42911/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42931/43200
dec: spi=c34bb750 esp=aes key=16 8c9844a8bcd3fda6c7bd8a4f2ec81ef1 ah=sha1 key=20 680c7144346f5b52126cbad9f325821b048c7192
enc: spi=f2d1f2d4 esp=aes key=16 f9625fc8590152829eb39eecab3a3999 ah=sha1 key=20 5df8447416da541fa54dde9fa3e5c35fbfc4723f
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
——————————————————
name=_OCVPN2-3.2 ver=2 serial=3 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=11 ilast=6 olast=6 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.2 proto=0 sa=1 ref=2 serial=8 auto-negotiate
src: 0:10.2.100.0-10.2.100.255:0 dst: 0:192.168.5.0-192.168.5.255:0
SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42930/43200
dec: spi=c34bb753 esp=aes key=16 58ddfad9a3699f1c49f3a9f369145c28 ah=sha1 key=20 e749c7e6a7aaff119707c792eb73cd975127873b
enc: spi=b5bd4fe2 esp=aes key=16 8f2366e653f5f9ad6587be1ce1905764 ah=sha1 key=20 5347bf24e51219d483c0f7b058eceab202026204
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-3.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
——————————————————
name=_OCVPN2-4.2 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=11 ilast=17 olast=17 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.2 proto=0 sa=1 ref=2 serial=7 auto-negotiate
src: 0:10.2.100.0-10.2.100.255:0 dst: 0:172.16.102.0-172.16.102.255:0
SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42905/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=c34bb751 esp=aes key=16 41449ee5ea43d3e1f80df05fc632cd44 ah=sha1 key=20 3ca2aea1c8764f35ccf987cdeca7cf6eb54331fb
enc: spi=f2d1f2d5 esp=aes key=16 9010dd57e502c6296b27a4649a45a6ba ah=sha1 key=20 caf86a176ce04464221543f15fc3c63fc573b8ee dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=_OCVPN2-4.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
- Branch_1 # get router info routing-table all
| Routing table for VRF=0
Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP |
|
| O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2 i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default |
|
| S* | 0.0.0.0/0 [10/0] via 172.16.200.254, port1 |
| C | 10.1.100.0/24 is directly connected, dmz |
| C | 10.2.100.0/24 is directly connected, loop |
| C | 11.101.1.0/24 is directly connected, wan1 |
| C | 11.102.1.0/24 is directly connected, wan2 |
S 192.168.5.0/24 [20/0] is directly connected, _OCVPN2-3.2
C 172.16.200.0/24 is directly connected, port1
S 172.16.101.0/24 [20/0] is directly connected, _OCVPN2-4.1
S 172.16.102.0/24 [20/0] is directly connected, _OCVPN2-4.2
S 192.168.4.0/24 [20/0] is directly connected, _OCVPN2-3.1
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!