Troubleshooting
This section describes some checks and tools you can use to resolve issues with the GRE-over-IPsec VPN.
Quick checks
Here is a list of common problems and what to verify.

Problem: No communication with remote network.
What to check:
- Use the execute ping command to ping the Cisco device public interface.
- Use the FortiGate VPN Monitor page to see whether the IPsec tunnel is up or can be brought up.

Problem: IPsec tunnel does not come up.
What to check:
- Check the logs to determine whether the failure is in Phase 1 or Phase 2.
- Check that the encryption and authentication settings match those on the Cisco device.
- Check the encapsulation setting: tunnel-mode or transport-mode. Both devices must use the same mode.

Problem: Tunnel connects, but there is no communication.
What to check:
- Check the security policies. See Troubleshooting on page 1796.
- Check routing. See Troubleshooting on page 1796.
Setting up logging
To configure FortiGate logging for IPsec
1. Go to Log & Report > Log Settings.
2. Select Event Logging.
3. Select VPN activity event.
4. Select Apply.
To view FortiGate logs
1. Go to Log & Report > VPN Events.
2. Select the log storage type.
3. Select Refresh to view any logged events.
GRE tunnel keepalives
If keepalive is enabled on both GRE tunnel endpoints, firewall policies allowing GRE are required in both directions, because the keepalive packets are themselves GRE traffic that must pass the policy check. The policy should be configured as follows (the IP addresses and interface names are for example purposes only):
config firewall policy
    edit <id>
        set srcintf "gre"
        set dstintf "port1"
        set srcaddr "1.1.1.1"
        set dstaddr "2.2.2.2"
        set action accept
        set schedule "always"
        set service "GRE"
    next
end
Cisco compatible keep-alive support for GRE
The FortiGate can send a GRE keepalive query to a Cisco device to detect whether the GRE tunnel is still alive. If the keepalive fails for the configured number of times, the FortiGate removes any routes over the GRE interface.
To configure keepalive query – CLI:
config system gre-tunnel
    edit <id>
        set keepalive-interval <value: 0-32767>
        set keepalive-failtimes <value: 1-255>
    next
end
GRE tunnel with multicast traffic
If you want multicast traffic to traverse the GRE tunnel, you need to configure a multicast policy as well as enable multicast forwarding.
- To configure a multicast policy, use the config firewall multicast-policy command.
- To enable multicast forwarding, use the following commands:
config system settings
    set multicast-forward enable
end
Using diagnostic commands
There are some diagnostic commands that can provide useful information. When using diagnostic commands, it is best practice to connect to the CLI using a terminal program, such as PuTTY, that allows you to save the output to a file. This lets you review the data later at your own pace, without worrying about missing data as the diagnostic output scrolls by.
To use the packet sniffer – CLI:
1. Enter the following CLI command:
diag sniff packet any icmp 4
2. Ping an address on the network behind the FortiGate unit from the network behind the Cisco router.
The output will show packets coming in from the GRE interface going out of the interface that connects to the protected network (LAN) and vice versa. For example:
114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply
114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply
3. Enter CTRL-C to stop the sniffer.
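As an added example (not part of the FortiGate documentation), the following Python script parses sniffer lines of the form shown above and flags any echo request or reply that enters one side of the FortiGate (gre1 or port2) without leaving the other, which is the symptom of a missing policy or route described in the quick checks. The sample lines are constructed; the interface names gre1 and port2 follow the output above.

```python
import re
from collections import defaultdict

# One line of "diag sniff packet any icmp 4" output, for example:
# "114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request"
SNIFF_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)

# Constructed sample: one healthy ping, one whose reply never re-enters the
# tunnel (missing return route), and one request dropped before reaching the LAN.
SAMPLE = """\
114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply
114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply
115.001120 gre1 in 10.0.1.3 -> 10.11.101.10: icmp: echo request
115.001190 port2 out 10.0.1.3 -> 10.11.101.10: icmp: echo request
115.001300 port2 in 10.11.101.10 -> 10.0.1.3: icmp: echo reply
116.000100 gre1 in 10.0.1.4 -> 10.11.101.10: icmp: echo request
"""

def parse_sniff(text):
    """Return one dict per recognised sniffer line; other lines are skipped."""
    return [m.groupdict() for m in (SNIFF_RE.match(l.strip()) for l in text.splitlines()) if m]

def check_path(records, tunnel_if, lan_if):
    """Report packets that entered one interface but never left the other.

    An empty list means every request and reply crossed the FortiGate in
    both directions, so policy and routing are consistent for this test.
    """
    seen = defaultdict(set)  # (src, dst, kind) -> {(iface, dir), ...}
    for r in records:
        seen[(r["src"], r["dst"], r["kind"])].add((r["iface"], r["dir"]))
    findings = []
    for (src, dst, kind), hops in seen.items():
        if (tunnel_if, "in") in hops and (lan_if, "out") not in hops:
            findings.append(f"{kind} {src}->{dst} entered {tunnel_if} but never left {lan_if}: "
                            f"check the policy and route towards the LAN")
        if (lan_if, "in") in hops and (tunnel_if, "out") not in hops:
            findings.append(f"{kind} {src}->{dst} entered {lan_if} but never left {tunnel_if}: "
                            f"check the policy and route back into the tunnel")
    return findings

if __name__ == "__main__":
    for line in check_path(parse_sniff(SAMPLE), "gre1", "port2") or ["path symmetric: OK"]:
        print(line)
```

On a live unit, save the sniffer output to a file with your terminal program and feed it to parse_sniff instead of SAMPLE.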
To view debug output for IKE – CLI:
1. Enter the following CLI commands:
diagnose debug application ike -1
diagnose debug enable
2. Attempt to use the VPN or set up the VPN tunnel and note the debug output.
3. Enter CTRL-C to stop the debug output.
4. Enter the following command to reset debug settings to default:
diagnose debug reset