Hub-spoke with ADVPN shortcut troubleshooting
- Primary-Hub # diagnose vpn ocvpn status
Current State : Registered
Topology : Dual-Hub-Spoke
Role : Primary-Hub
Server Status : Up
Registration time : Sat Mar 2 11:31:54 2019
Poll time : Sat Mar 2 11:46:02 2019 l Spoke1 # diagnose vpn ocvpn status
Current State : Registered
Topology : Dual-Hub-Spoke
Role : Spoke
Server Status : Up
Registration time : Sat Mar 2 11:41:22 2019
Poll time : Sat Mar 2 11:46:44 2019
l Primary-Hub # diagnose vpn ocvpn show-members
Member: { “sn”: “FG900D3915800083”, “ip_v4”: “172.16.200.4”, “port”: 500, “slot”: 0, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [
“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Primary-Hub”,
“topology_role”: “primary_hub”, “eap”: “disable”, “auto_discovery”: “enable” }
Member: { “sn”: “FG100D3G15828488”, “ip_v4”: “172.16.200.2”, “port”: 500, “slot”: 1, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [
“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Secondary-
Hub”, “topology_role”: “secondary_hub”, “eap”: “disable”, “auto_discovery”: “enable” }
Member: { “sn”: “FG100D3G15801621”, “ip_v4”: “172.16.200.1”, “port”: 500, “slot”: 1000, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “10.1.100.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [
“10.2.100.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Spoke1”, “topology_role”: “spoke” }
Member: { “sn”: “FGT51E3U16001314”, “ip_v4”: “172.16.200.3”, “port”: 500, “slot”: 1001, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “192.168.4.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [
“192.168.5.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Spoke2”, “topology_role”: “spoke” } l Primary-Hub # diagnose vpn ocvpn show-meta
Topology :: auto
License :: full
Members :: 4
Max-free :: 3 l Primary-Hub # diagnose vpn ocvpn show-overlays
QA
PM l Spoke1 # diganose vpn tunnel list
list all ipsec tunnel in vd 0
——————————————————
name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=r/2 stat: rxp=1 txp=34 rxb=152 txb=2856
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=46 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42895/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2
enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588 ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
——————————————————
name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=934 olast=934 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0 ——————————————————
name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=12 olast=12 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=46 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42895/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654 ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd
enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
——————————————————
name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=934 olast=934 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
- Spoke1 # get router info routing-table all
Routing table for VRF=0
Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP
O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default
S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1
C 10.1.100.0/24 is directly connected, dmz
C 10.2.100.0/24 is directly connected, loop
C 11.101.1.0/24 is directly connected, wan1
C 11.102.1.0/24 is directly connected, wan2
S 172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.1
C 172.16.200.0/24 is directly connected, port1
S 172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.0
S 192.168.4.0/24 [20/0] is directly connected, _OCVPN2-0.0
S 192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1
- Generate traffic from Spoke1 to Spoke2 to trigger the ADVPN shortcut and check the VPN tunnel and routing-table again on Spoke1.
branch1 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
——————————————————
name=_OCVPN2-0.0_0 ver=2 serial=a 172.16.200.1:0->172.16.200.3:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/720 options[02d0]=create_ dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=_OCVPN2-0.0 index=0
proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=r/2 stat: rxp=7 txp=7 rxb=1064 txb=588
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate add-route adr
src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=43180/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000008 itn=0 qat=0
life: type=01 bytes=0/0 timeout=43187/43200
dec: spi=048477c9 esp=aes key=16 27c35d53793013ef24cf887561e9f313 ah=sha1 key=20 2c8cfd328c3b29104db0ca74a00c6063f46cafe4
enc: spi=fb9e13fd esp=aes key=16 9d0d3bf6c84b7ddaf9d9196fe74002ed ah=sha1 key=20 d1f541db787dea384c6a4df16fc228abeb7ae334
dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064 ——————————————————
name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=12 ilast=7 olast=7 ad=r/2 stat: rxp=2 txp=35 rxb=304 txb=2940
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=65 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42500/0B replaywin=2048 seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2
enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588 ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448
dec:pkts/bytes=1/84, enc:pkts/bytes=1/152
——————————————————
name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=1328 olast=1328 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
——————————————————
name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=5 olast=5 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=66 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42500/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42901/43200
dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654 ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd
enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
——————————————————
name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=1328 olast=1328 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
Routing table for VRF=0
Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP
O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2
i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default
S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1
C 10.1.100.0/24 is directly connected, dmz
C 10.2.100.0/24 is directly connected, loop
C 11.101.1.0/24 is directly connected, wan1
C 11.102.1.0/24 is directly connected, wan2
S 172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.1
C 172.16.200.0/24 is directly connected, port1
S 172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.0
S 192.168.4.0/24 [15/0] via 172.16.200.3, _OCVPN2-0.0_0
S 192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1
l Simulate the primary hub being unavailable where all spoke’s dialup VPN tunnels will switch to the secondary hub, to check VPN tunnel status and routing-table.
list all ipsec tunnel in vd 0
——————————————————
name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=82 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
——————————————————
name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=14 olast=14 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=9 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42723/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42898/43200
dec: spi=048477cd esp=aes key=16 9bb363a32378b5897cd42890c92df811 ah=sha1 key=20 2ed40583b9544e37867349b4adc7c013024d7e17
enc: spi=f345fb42 esp=aes key=16 3ea31dff3310b245700a131db4565851 ah=sha1 key=20 522862dfb232514b845e436133b148da0e67b7c4
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
——————————————————
name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=83 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-0.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
——————————————————
name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=12 olast=12 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=9 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-1.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42728/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0
life: type=01 bytes=0/0 timeout=42902/43200
dec: spi=048477cf esp=aes key=16 b6f0ca7564abcd8559b5b0ebb3fd04c1 ah=sha1 key=20 4130d040554b39daca72adac7583b9cc83cce3c8
enc: spi=f345fb43 esp=aes key=16 727582f20fcedff884ba693ed2164bcd ah=sha1 key=20 b0a625803fde701ed9d28d256079e908954b7fc8
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
Routing table for VRF=0
Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP |
|
O – OSPF, IA – OSPF inter area
N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2 i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default |
|
S* | 0.0.0.0/0 [10/0] via 172.16.200.254, port1 |
C | 10.1.100.0/24 is directly connected, dmz |
C | 10.2.100.0/24 is directly connected, loop |
C | 11.101.1.0/24 is directly connected, wan1 |
C | 11.102.1.0/24 is directly connected, wan2 |
S | 172.16.102.0/24 [21/0] is directly connected, _OCVPN2-1.1 |
C | 172.16.200.0/24 is directly connected, port1 |
S | 172.16.101.0/24 [21/0] is directly connected, _OCVPN2-1.0 |
S 192.168.4.0/24 [21/0] is directly connected, _OCVPN2-1.0
S 192.168.5.0/24 [21/0] is directly connected, _OCVPN2-1.1
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!