OCVPN troubleshooting

Leave a reply

Hub-spoke with ADVPN shortcut troubleshooting

  • Primary-Hub # diagnose vpn ocvpn status

Current State        : Registered

Topology             : Dual-Hub-Spoke

Role                 : Primary-Hub

Server Status        : Up

Registration time    : Sat Mar 2 11:31:54 2019

Poll time : Sat Mar 2 11:46:02 2019 l Spoke1 # diagnose vpn ocvpn status

Current State        : Registered

Topology             : Dual-Hub-Spoke

Role                 : Spoke

Server Status        : Up

Registration time    : Sat Mar 2 11:41:22 2019

Poll time            : Sat Mar 2 11:46:44 2019

l Primary-Hub # diagnose vpn ocvpn show-members

Member: { “sn”: “FG900D3915800083”, “ip_v4”: “172.16.200.4”, “port”: 500, “slot”: 0, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Primary-Hub”,

“topology_role”: “primary_hub”, “eap”: “disable”, “auto_discovery”: “enable” }

Member: { “sn”: “FG100D3G15828488”, “ip_v4”: “172.16.200.2”, “port”: 500, “slot”: 1, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Secondary-

Hub”, “topology_role”: “secondary_hub”, “eap”: “disable”, “auto_discovery”: “enable” }

Member: { “sn”: “FG100D3G15801621”, “ip_v4”: “172.16.200.1”, “port”: 500, “slot”: 1000, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “10.1.100.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“10.2.100.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Spoke1”, “topology_role”: “spoke” }

Member: { “sn”: “FGT51E3U16001314”, “ip_v4”: “172.16.200.3”, “port”: 500, “slot”: 1001, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “192.168.4.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“192.168.5.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “name”: “Spoke2”, “topology_role”: “spoke” } l Primary-Hub # diagnose vpn ocvpn show-meta

Topology :: auto

License :: full

Members :: 4

Max-free :: 3 l Primary-Hub # diagnose vpn ocvpn show-overlays

QA

PM l Spoke1 # diganose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=r/2 stat: rxp=1 txp=34 rxb=152 txb=2856

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=46 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42895/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2

enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588 ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=934 olast=934 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0 ——————————————————

name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=12 olast=12 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=46 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42895/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654 ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd

enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=934 olast=934 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

  • Spoke1 # get router info routing-table all

Routing table for VRF=0

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP

O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default

S*     0.0.0.0/0 [10/0] via 172.16.200.254, port1

C      10.1.100.0/24 is directly connected, dmz

C      10.2.100.0/24 is directly connected, loop

C      11.101.1.0/24 is directly connected, wan1

C      11.102.1.0/24 is directly connected, wan2

S      172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.1

C      172.16.200.0/24 is directly connected, port1

S      172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.0

S      192.168.4.0/24 [20/0] is directly connected, _OCVPN2-0.0

S      192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1

  • Generate traffic from Spoke1 to Spoke2 to trigger the ADVPN shortcut and check the VPN tunnel and routing-table again on Spoke1.

branch1 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-0.0_0 ver=2 serial=a 172.16.200.1:0->172.16.200.3:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/720 options[02d0]=create_ dev no-sysctl rgwy-chg frag-rfc accept_traffic=1

parent=_OCVPN2-0.0 index=0

proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=r/2 stat: rxp=7 txp=7 rxb=1064 txb=588

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate add-route adr

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=43180/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000008 itn=0 qat=0

life: type=01 bytes=0/0 timeout=43187/43200

dec: spi=048477c9 esp=aes key=16 27c35d53793013ef24cf887561e9f313 ah=sha1 key=20 2c8cfd328c3b29104db0ca74a00c6063f46cafe4

enc: spi=fb9e13fd esp=aes key=16 9d0d3bf6c84b7ddaf9d9196fe74002ed ah=sha1 key=20 d1f541db787dea384c6a4df16fc228abeb7ae334

dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064 ——————————————————

name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=12 ilast=7 olast=7 ad=r/2 stat: rxp=2 txp=35 rxb=304 txb=2940

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=65 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42500/0B replaywin=2048 seqno=2 esn=0 replaywin_lastseq=00000002 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c7 esp=aes key=16 240e064c0f1c980ca31980b9e7605c9d ah=sha1 key=20 6ff022cbebcaff4c5de62eefb2e6180c40a3adb2

enc: spi=dfcffa86 esp=aes key=16 862208de164a02af377756c2bcabd588 ah=sha1 key=20 af6e54781fd42d7a2ba2119ec95d0f95629c8448

dec:pkts/bytes=1/84, enc:pkts/bytes=1/152

——————————————————

name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=1328 olast=1328 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=5 olast=5 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=66 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42500/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=048477c8 esp=aes key=16 701ec608767f4988b76c2f662464e654 ah=sha1 key=20 93c65d106dc610d7ee3f04487f08601a9e00ffdd

enc: spi=dfcffa87 esp=aes key=16 02b2d04dce3d81ebab69e128d45cb7ca ah=sha1 key=20 4a9283847f852c83a75691fad44d07d8409a2267

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=1328 olast=1328 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=1 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

Routing table for VRF=0

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP

O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default

S*     0.0.0.0/0 [10/0] via 172.16.200.254, port1

C      10.1.100.0/24 is directly connected, dmz

C      10.2.100.0/24 is directly connected, loop

C      11.101.1.0/24 is directly connected, wan1

C      11.102.1.0/24 is directly connected, wan2

S      172.16.102.0/24 [20/0] is directly connected, _OCVPN2-0.1

C      172.16.200.0/24 is directly connected, port1

S      172.16.101.0/24 [20/0] is directly connected, _OCVPN2-0.0

S      192.168.4.0/24 [15/0] via 172.16.200.3, _OCVPN2-0.0_0

S      192.168.5.0/24 [20/0] is directly connected, _OCVPN2-0.1

l Simulate the primary hub being unavailable where all spoke’s dialup VPN tunnels will switch to the secondary hub, to check VPN tunnel status and routing-table.

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-0.0 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=25 olast=25 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=82 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.0 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-1.0 ver=2 serial=8 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=14 olast=14 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=9 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.0 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42723/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42898/43200

dec: spi=048477cd esp=aes key=16 9bb363a32378b5897cd42890c92df811 ah=sha1 key=20 2ed40583b9544e37867349b4adc7c013024d7e17

enc: spi=f345fb42 esp=aes key=16 3ea31dff3310b245700a131db4565851 ah=sha1 key=20 522862dfb232514b845e436133b148da0e67b7c4

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

——————————————————

name=_OCVPN2-0.1 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=10 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=83 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-0.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-1.1 ver=2 serial=7 172.16.200.1:0->172.16.200.2:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=0 refcnt=11 ilast=12 olast=12 ad=r/2 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=9 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=_OCVPN2-1.1 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=1a227 type=00 soft=0 mtu=1438 expire=42728/0B replaywin=2048

seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42902/43200

dec: spi=048477cf esp=aes key=16 b6f0ca7564abcd8559b5b0ebb3fd04c1 ah=sha1 key=20 4130d040554b39daca72adac7583b9cc83cce3c8

enc: spi=f345fb43 esp=aes key=16 727582f20fcedff884ba693ed2164bcd ah=sha1 key=20 b0a625803fde701ed9d28d256079e908954b7fc8

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

Routing table for VRF=0

Codes: K – kernel, C – connected, S – static, R – RIP, B – BGP
  O – OSPF, IA – OSPF inter area

N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2 E1 – OSPF external type 1, E2 – OSPF external type 2

i – IS-IS, L1 – IS-IS level-1, L2 – IS-IS level-2, ia – IS-IS inter area * – candidate default
S* 0.0.0.0/0 [10/0] via 172.16.200.254, port1
C 10.1.100.0/24 is directly connected, dmz
C 10.2.100.0/24 is directly connected, loop
C 11.101.1.0/24 is directly connected, wan1
C 11.102.1.0/24 is directly connected, wan2
S 172.16.102.0/24 [21/0] is directly connected, _OCVPN2-1.1
C 172.16.200.0/24 is directly connected, port1
S 172.16.101.0/24 [21/0] is directly connected, _OCVPN2-1.0

S      192.168.4.0/24 [21/0] is directly connected, _OCVPN2-1.0

S      192.168.5.0/24 [21/0] is directly connected, _OCVPN2-1.1

Pages: 1 2 3
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.