OCVPN troubleshooting

OCVPN troubleshooting

This document includes troubleshooting steps for the following OCVPN network topologies:

Full mesh. l Hub-spoke with ADVPN shortcut. l Hub-spoke with inter-overlay source NAT.

For OCVPN configurations in different network topologies, please refer to the other OCVPN topics.

Full mesh network topology troubleshooting

Branch_1 # diagnose vpn ocvpn status

Current State	: Registered
Topology	: Full-Mesh
Role	: Spoke
Server Status	: Up
Registration time	: Thu Feb 28 18:42:25 2019
Update time	: Thu Feb 28 15:57:18 2019
Poll time	: Fri Mar 1 15:02:28 2019

Branch_1 # diagnose vpn ocvpn show-meta

Topology :: auto

License :: full

Members :: 3

Max-free :: 3

Branch_1 # diagnose vpn ocvpn show-overlays

PM l Branch_1 # diagnose vpn ocvpn show-members

Member: { “SN”: “FG100D3G15801621”, “IPv4”: “172.16.200.1”, “port”: “500”, “slot”: 1000, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “10.1.100.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“10.2.100.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “FortiGate-100D”, “topology_role”: “spoke” }

Member: { “SN”: “FG900D3915800083”, “IPv4”: “172.16.200.4”, “port”: “500”, “slot”: 1001, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch3”, “topology_role”: “spoke” }

Member: { “SN”: “FGT51E3U16001314”, “IPv4”: “172.16.200.199”, “port”: “500”, “slot”: 1002, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “192.168.4.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“192.168.5.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch2”, “topology_role”: “spoke” } l Branch_1 # dagnose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=13 ilast=7 olast=0 ad=/0 stat: rxp=0 txp=7 rxb=0 txb=588

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=6 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb752 esp=aes key=16 3c5ceeff3cac1eaa2702b5ccb713ab9b ah=sha1 key=20 5903e358b3d8938ee64f0412887a0fe741ccb105

enc: spi=b5bd4fe1 esp=aes key=16 8ae97a8abe24dae725d614d2a6efdcb0 ah=sha1 key=20 9ec200d9c0cef9e1b7cf76e05dbf344c70f53214

dec:pkts/bytes=0/0, enc:pkts/bytes=7/1064

proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.1 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:172.16.101.0-172.16.101.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42911/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb750 esp=aes key=16 8c9844a8bcd3fda6c7bd8a4f2ec81ef1 ah=sha1 key=20 680c7144346f5b52126cbad9f325821b048c7192

enc: spi=f2d1f2d4 esp=aes key=16 f9625fc8590152829eb39eecab3a3999 ah=sha1 key=20 5df8447416da541fa54dde9fa3e5c35fbfc4723f

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-3.2 ver=2 serial=3 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=6 olast=6 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.2 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:192.168.5.0-192.168.5.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42930/43200

dec: spi=c34bb753 esp=aes key=16 58ddfad9a3699f1c49f3a9f369145c28 ah=sha1 key=20 e749c7e6a7aaff119707c792eb73cd975127873b

enc: spi=b5bd4fe2 esp=aes key=16 8f2366e653f5f9ad6587be1ce1905764 ah=sha1 key=20 5347bf24e51219d483c0f7b058eceab202026204

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-3.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.2 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=17 olast=17 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.2 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:172.16.102.0-172.16.102.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42905/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42927/43200

dec: spi=c34bb751 esp=aes key=16 41449ee5ea43d3e1f80df05fc632cd44 ah=sha1 key=20 3ca2aea1c8764f35ccf987cdeca7cf6eb54331fb

enc: spi=f2d1f2d5 esp=aes key=16 9010dd57e502c6296b27a4649a45a6ba ah=sha1 key=20 caf86a176ce04464221543f15fc3c63fc573b8ee dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

Branch_1 # get router info routing-table all

Routing table for VRF=0 Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP
	O – OSPF, IA – OSPF inter area N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2 i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default
S*	0.0.0.0/0 [10/0] via 172.16.200.254, port1
C	10.1.100.0/24 is directly connected, dmz
C	10.2.100.0/24 is directly connected, loop
C	11.101.1.0/24 is directly connected, wan1
C	11.102.1.0/24 is directly connected, wan2

S 192.168.5.0/24 [20/0] is directly connected, _OCVPN2-3.2

C 172.16.200.0/24 is directly connected, port1

S 172.16.101.0/24 [20/0] is directly connected, _OCVPN2-4.1

S 172.16.102.0/24 [20/0] is directly connected, _OCVPN2-4.2

S 192.168.4.0/24 [20/0] is directly connected, _OCVPN2-3.1

Pages: 1 2 3

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos

December 11, 2019 Administration Guides, FortiGate, FortiOS 6.2 No Comments

Share this:

Leave a Reply Cancel reply