OCVPN troubleshooting

Hub-spoke with ADVPN shortcut troubleshooting

  • Primary-Hub # diagnose vpn ocvpn status

Current State        : Registered

Topology             : Dual-Hub-Spoke

Role                 : Primary-Hub

Server Status        : Up

Registration time    : Sat Mar 2 11:31:54 2019

Poll time : Sat Mar 2 11:46:02 2019 l Spoke1 # diagnose vpn ocvpn status

Current State        : Registered

Topology             : Dual-Hub-Spoke

Role                 : Spoke

Server Status        : Up

Registration time    : Sat Mar 2 11:41:22 2019

Poll time            : Sat Mar 2 11:46:44 2019

l Primary-Hub # diagnose vpn ocvpn show-members

Member: { “sn”: “FG900D3915800083”, “ip_v4”: “172.16.200.4”, “port”: 500, “slot”: 0, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Primary-Hub”,

“topology_role”: “primary_hub”, “eap”: “disable”, “auto_discovery”: “enable” }

Member: { “sn”: “FG100D3G15828488”, “ip_v4”: “172.16.200.2”, “port”: 500, “slot”: 1, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Secondary-

Hub”, “topology_role”: “secondary_hub”, “eap”: “disable”, “auto_discovery”: “enable” }

Member: { “sn”: “FG100D3G15801621”, “ip_v4”: “172.16.200.1”, “port”: 500, “slot”: 1000, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “10.1.100.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“10.2.100.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Spoke1”, “topology_role”: “spoke” }

Member: { “sn”: “FGT51E3U16001314”, “ip_v4”: “172.16.200.3”, “port”: 500, “slot”: 1001, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “192.168.4.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“192.168.5.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Spoke2”, “topology_role”: “spoke” } l Primary-Hub # diagnose vpn ocvpn show-meta

Topology :: auto

License :: full

Members :: 4

Max-free :: 3 l Primary-Hub # diagnose vpn ocvpn show-overlays

QA

PM l Spoke1 # diganose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=r/2 stat: rxp=1 txp=34 rxb=152 txb=2856

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=46 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42895/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2

enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588 ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=934 olast=934 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0 ——————————————————

name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=12 olast=12 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=46 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42895/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654 ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd

enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=934 olast=934 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

  • Spoke1 # get router info routing-table all

Routing table for VRF=0

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP

O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default

S*     0.0.0.0/0 [10/0] via 172.16.200.254, port1

C      10.1.100.0/24 is directly connected, dmz

C      10.2.100.0/24 is directly connected, loop

C      11.101.1.0/24 is directly connected, wan1

C      11.102.1.0/24 is directly connected, wan2

S      172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.1

C      172.16.200.0/24 is directly connected, port1

S      172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.0

S      192.168.4.0/24 [20/0] is directly connected, _OCVPN2-0.0

S      192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1

  • Generate traffic from Spoke1 to Spoke2 to trigger the ADVPN shortcut and check the VPN tunnel and routing-table again on Spoke1.

branch1 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-0.0_0 ver=2 serial=a 172.16.200.1:0->172.16.200.3:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/720 options[02d0]=create_ dev no-sysctl rgwy-chg frag-rfc accept_traffic=1

parent=_OCVPN2-0.0 index=0

proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=r/2 stat: rxp=7 txp=7 rxb=1064 txb=588

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate add-route adr

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=43180/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000008 itn=0 qat=0

life: type=01 bytes=0/0 timeout=43187/43200

dec: spi=048477c9 esp=aes key=16 27c35d53793013ef24cf887561e9f313 ah=sha1 key=20 2c8cfd328c3b29104db0ca74a00c6063f46cafe4

enc: spi=fb9e13fd esp=aes key=16 9d0d3bf6c84b7ddaf9d9196fe74002ed ah=sha1 key=20 d1f541db787dea384c6a4df16fc228abeb7ae334

dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064 ——————————————————

name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=12 ilast=7 olast=7 ad=r/2 stat: rxp=2 txp=35 rxb=304 txb=2940

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=65 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42500/0B replaywin=2048 seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2

enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588 ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448

dec:pkts/bytes=1/84, enc:pkts/bytes=1/152

——————————————————

name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=1328 olast=1328 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=5 olast=5 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=66 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42500/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654 ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd

enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=1328 olast=1328 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

Routing table for VRF=0

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP

O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default

S*     0.0.0.0/0 [10/0] via 172.16.200.254, port1

C      10.1.100.0/24 is directly connected, dmz

C      10.2.100.0/24 is directly connected, loop

C      11.101.1.0/24 is directly connected, wan1

C      11.102.1.0/24 is directly connected, wan2

S      172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.1

C      172.16.200.0/24 is directly connected, port1

S      172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.0

S      192.168.4.0/24 [15/0] via 172.16.200.3, _OCVPN2-0.0_0

S      192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1

l Simulate the primary hub being unavailable where all spoke’s dialup VPN tunnels will switch to the secondary hub, to check VPN tunnel status and routing-table.

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=82 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=14 olast=14 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=9 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42723/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42898/43200

dec: spi=048477cd esp=aes key=16 9bb363a32378b5897cd42890c92df811 ah=sha1 key=20 2ed40583b9544e37867349b4adc7c013024d7e17

enc: spi=f345fb42 esp=aes key=16 3ea31dff3310b245700a131db4565851 ah=sha1 key=20 522862dfb232514b845e436133b148da0e67b7c4

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=83 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=12 olast=12 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=9 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42728/0B replaywin=2048

seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42902/43200

dec: spi=048477cf esp=aes key=16 b6f0ca7564abcd8559b5b0ebb3fd04c1 ah=sha1 key=20 4130d040554b39daca72adac7583b9cc83cce3c8

enc: spi=f345fb43 esp=aes key=16 727582f20fcedff884ba693ed2164bcd ah=sha1 key=20 b0a625803fde701ed9d28d256079e908954b7fc8

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

Routing table for VRF=0

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP

  O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default

S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1
C 10.1.100.0/24 is directly connected, dmz
C 10.2.100.0/24 is directly connected, loop
C 11.101.1.0/24 is directly connected, wan1
C 11.102.1.0/24 is directly connected, wan2
S 172.16.102.0/24 [21/0] is directly connected, _OCVPN2-1.1
C 172.16.200.0/24 is directly connected, port1
S 172.16.101.0/24 [21/0] is directly connected, _OCVPN2-1.0

S      192.168.4.0/24 [21/0] is directly connected, _OCVPN2-1.0

S      192.168.5.0/24 [21/0] is directly connected, _OCVPN2-1.1


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.