IPsec VPN troubleshooting


Troubleshoot VPN connections with these 10 tips
He has written thousands of articles and written or contributed to dozens of books on a variety of IT subjects.

It turned out that the user had installed a freeware VPN client because a friend had told him it was much better than what he'd been using.

For debugging purposes, sometimes it is best for all the traffic to be processed by software. This kind of information in the resulting output can make all the difference in determining the issue with the VPN.

Remember, not all VPN problems involve connection failures.

2: Check to see whether users can establish VPN connectivity


If there are many proposals in the list, this will slow down the negotiation of Phase 1. If it's too slow, the connection may time out before completing. If this happens, try removing some of the unused proposals.

You may need static routes on both ends of the tunnel. If routing is the problem, the proposal will likely set up properly but no traffic will flow.

If one end of an attempted VPN tunnel is using XAuth and the other end is not, the connection attempt will fail. The log messages for the attempted connection will not mention XAuth as the reason, but when connections are failing it is a good idea to ensure both ends have the same XAuth settings.

The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following:

Another appropriate diagnostic command worth trying is:

If your VPN fails to connect, check the following: Ensure that you have allowed inbound and outbound traffic for all necessary network services, especially if services such as DNS or DHCP are having problems.

Check that a static route has been configured properly to allow routing of VPN traffic. Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up tunnels are being used. You can use the diagnose vpn tunnel list command to troubleshoot this. Ensure that the Quick Mode selectors are correctly configured. If part of the setup currently uses firewall addresses or address groups, try changing it to either specify the IP addresses or use an expanded address range.

This is especially useful if the remote endpoint is not a FortiGate device. Remove any Phase 1 or Phase 2 configurations that are not in use. When you are finished, disable the diagnostics by using the following command:

Dialup connection

A dialup VPN connection has additional steps.

Troubleshooting VPN connections

If you have determined that your VPN connection is not working properly through troubleshooting, the next step is to verify that you have a Phase 2 connection. Before you begin troubleshooting, you must:

For this example, default values were used unless stated otherwise.

Stop any diagnose debug sessions that are currently running with the CLI command diagnose debug disable. Clear any existing log filters by running diagnose vpn ike log-filter clear. Set the log filter to the IP address of the remote computer; the command is diagnose vpn ike log-filter dst-addr4 followed by that IP address. Set up the commands to output the VPN handshaking.

This makes the remote FortiGate the initiator and the local FortiGate the responder. Establishing the connection in this manner means the local FortiGate will have its own configuration information as well as the information the remote computer sends.

Having both sets of information locally makes it easier to troubleshoot your VPN connection. Watch the screen for output, and after roughly 15 seconds enter the following CLI command to stop the output.

Saving the output to a file can make it easier to search for a particular phrase, and is useful for comparisons. A successful negotiation proposal will look similar to:

IPsec SA connect 26

NPU offloading is supported when the local gateway is a loopback interface.

Check your routing

If routing is not properly configured with an entry for the remote end of the VPN tunnel, traffic will not flow properly.

General troubleshooting tips

Most connection failures are due to a configuration mismatch between the FortiGate unit and the remote peer.

Ping the remote network or client to verify whether the connection is up. Traceroute the remote network or client. If DNS is working, you can use domain names; otherwise use IP addresses. Check the routing behind the dialup client. Routing problems may be affecting DHCP. Verify the configuration of the FortiGate unit and the remote peer. Check the following IPsec parameters:

The authentication method (preshared keys or certificates) used by the client must be supported on the FortiGate unit and configured properly.

If preshared keys are being used for authentication purposes, both VPN peers must have identical preshared keys. The remote client must have at least one set of Phase 1 encryption, authentication, and Diffie-Hellman settings that match corresponding settings on the FortiGate unit.

If users are attempting to connect from their own computer, you can't assume anything about the system they're using.
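The peer-mismatch causes described above (XAuth enabled on only one end, no shared Phase 1 encryption/authentication/DH-group proposal, non-identical preshared keys, Quick Mode selectors that do not mirror each other, and a proposal list long enough to slow Phase 1 negotiation) can be checked before the tunnel is brought up. The following is an added example, not Fortinet's code and not FortiOS configuration syntax: it models each peer's settings in a small PeerConfig record and reports every difference that would stop Phase 1 or Phase 2 from completing. The field names, the finding codes, the warning threshold of four proposals and the sample values are all assumptions for illustration.

```python
"""Compare the IPsec settings of two VPN peers and report mismatches.

Added example. PeerConfig, Proposal, the finding codes and the sample
values below are assumptions for illustration, not FortiOS configuration.
"""
import hmac
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Assumption: more than this many Phase 1 proposals is flagged as a risk of
# the negotiation running long enough to time out (the text gives no number).
PROPOSAL_WARN_THRESHOLD = 4


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 proposal: encryption, authentication/integrity, DH group."""
    encryption: str
    authentication: str
    dh_group: int


@dataclass
class PeerConfig:
    """IPsec settings as read from one end of the tunnel."""
    name: str
    mode: str                      # "main" or "aggressive"
    auth_method: str               # "psk" or "certificate"
    preshared_key: Optional[str]   # only meaningful for auth_method == "psk"
    xauth: bool
    phase1_proposals: List[Proposal]
    local_subnet: str              # Quick Mode (Phase 2) selectors
    remote_subnet: str


Finding = Tuple[str, str]  # (short code, explanation)


def check_peers(a: PeerConfig, b: PeerConfig) -> List[Finding]:
    """Return every setting that would stop a and b from building the tunnel."""
    findings: List[Finding] = []

    if a.mode != b.mode:
        findings.append(("MODE", f"{a.name} uses {a.mode} mode, {b.name} uses {b.mode} mode"))

    if a.auth_method != b.auth_method:
        findings.append(("AUTH_METHOD", f"{a.name} uses {a.auth_method}, {b.name} uses {b.auth_method}"))
    elif a.auth_method == "psk":
        key_a = (a.preshared_key or "").encode()
        key_b = (b.preshared_key or "").encode()
        # Constant-time comparison; an empty key on either side is also a failure.
        if not key_a or not key_b or not hmac.compare_digest(key_a, key_b):
            findings.append(("PSK", "preshared keys are missing or not identical"))

    if a.xauth != b.xauth:
        findings.append(("XAUTH", "XAuth is enabled on one peer only; the logs will not say so"))

    # Phase 1 can only succeed if at least one complete proposal is shared.
    if not set(a.phase1_proposals) & set(b.phase1_proposals):
        findings.append(("PHASE1", "no common encryption/authentication/DH-group proposal"))
    for peer in (a, b):
        if len(peer.phase1_proposals) > PROPOSAL_WARN_THRESHOLD:
            findings.append(("PHASE1_SLOW", f"{peer.name} offers {len(peer.phase1_proposals)} proposals; remove unused ones"))

    # Phase 2 selectors must mirror each other: my local subnet is your remote one.
    def net(s: str):
        return ip_network(s, strict=False)
    if net(a.local_subnet) != net(b.remote_subnet) or net(a.remote_subnet) != net(b.local_subnet):
        findings.append(("SELECTORS", "Quick Mode selectors do not mirror each other"))

    return findings


def sample_pair(mismatched: bool) -> Tuple[PeerConfig, PeerConfig]:
    """Constructed sample configurations (not taken from any real device)."""
    hq = PeerConfig(
        name="hq-fortigate", mode="main", auth_method="psk",
        preshared_key="example-psk-CHANGE-ME", xauth=False,
        phase1_proposals=[Proposal("aes256", "sha256", 14), Proposal("aes128", "sha256", 14)],
        local_subnet="10.1.0.0/24", remote_subnet="10.2.0.0/24",
    )
    if not mismatched:
        branch = PeerConfig(
            name="branch-peer", mode="main", auth_method="psk",
            preshared_key="example-psk-CHANGE-ME", xauth=False,
            phase1_proposals=[Proposal("aes256", "sha256", 14)],
            local_subnet="10.2.0.0/24", remote_subnet="10.1.0.0/24",
        )
    else:  # typo in the key, XAuth on one side, no shared proposal, wrong selector mask
        branch = PeerConfig(
            name="branch-peer", mode="main", auth_method="psk",
            preshared_key="example-psk-typo", xauth=True,
            phase1_proposals=[Proposal("aes128", "sha1", 5)],
            local_subnet="10.2.0.0/24", remote_subnet="10.1.0.0/16",
        )
    return hq, branch


if __name__ == "__main__":
    for code, text in check_peers(*sample_pair(mismatched=True)):
        print(f"{code:12} {text}")
```

Run it as a script to see the four findings for the deliberately broken sample pair; the matching pair produces an empty list. Because the debug log will not name XAuth as the cause, a checker like this is the quickest way to rule that mismatch in or out before reading IKE output.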

This probably sounds silly, but when users tell me that they are having trouble logging in to the VPN, one of the first things I do is verify that they can log in locally. I once had a user complain of VPN problems. I spent a lot of time trying to troubleshoot the issue. When nothing I tried seemed to make any difference, I decided to double-check the user's account to see whether there were any restrictions on it. When I did, I noticed that the account was locked out. I unlocked the account and tried again, but it wasn't long before the account was locked again.

I reset the user's password and was able to log in without any problems. When I told the user about it, he told me that he'd never been able to log in with that account. When I asked how he got his work done each day, he told me that he always logged in as one of his coworkers. You can't make this stuff up. Ever since that incident, I always like to verify that the user's account is working properly.

Another thing I like to check is whether affected users are connecting from computers that are behind a NAT firewall. Normally, NAT firewalls aren't a problem. However, some older firewalls don't work properly with VPN connections.

Microsoft created the Network Access Protection feature as a way for administrators to protect network resources against remote users whose computers are not configured in a secure manner.

One problem I have seen a few times is that Network Access Protection is based on group policy settings. Therefore, if a user attempts to connect from a computer that is not a domain member, NAP will not work properly.

Depending on how the VPN is configured, either the health of the user's computer will be ignored or the user will be denied access to the network. It is also common to configure NAP so that if a user's computer fails the various health checks, a VPN connection is established to an isolated network segment containing only the resources necessary to address the health problem, sometimes through automatic remediation.

When this happens, some users may not understand what is going on and may assume that there is a problem with the VPN. If users can log in to the VPN but they can't do anything once they're connected, the next step is to systematically attempt to connect to various resources on the network. This is important because you may find that some network segments are accessible while others are not. However, I once saw a situation in which the DHCP server had been configured incorrectly, and users who were assigned addresses from one specific scope couldn't access remote network segments.

You can also try connecting to network resources by their IP address instead of by their name. If you can access previously inaccessible resources by using IP addresses, you can bet that a DNS problem is to blame.
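One way to make the two checks above systematic: probe each resource both by name and by its expected IP address, classify the result, and then see whether whole network segments are unreachable rather than individual hosts. This is an added example, not part of the original article. The probe functions default to a real DNS lookup and a real TCP connect but accept substitutes; the resource list, the DNS table and the reachable-address set used for the offline demo are constructed sample data, not real hosts.

```python
"""Reachability survey for resources behind a VPN: by name and by IP.

Added example. The resource list and the fake resolver/connector used for the
offline demo are constructed sample data, not real hosts.
"""
import socket
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional, Tuple

Resource = Tuple[str, str, int]  # (hostname, IP the name should resolve to, TCP port)


def dns_resolve(host: str) -> Optional[str]:
    """Real resolver: first IPv4 address for host, or None if the lookup fails."""
    try:
        return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: True if a TCP connection to ip:port completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(resource: Resource,
             resolve: Callable[[str], Optional[str]] = dns_resolve,
             connect: Callable[[str, int], bool] = tcp_connect) -> str:
    """OK, DNS (name broken but IP works) or UNREACHABLE (the IP itself fails)."""
    host, ip, port = resource
    if not connect(ip, port):
        return "UNREACHABLE"          # routing/firewall problem; DNS is irrelevant
    resolved = resolve(host)
    if resolved is None or not connect(resolved, port):
        return "DNS"                  # no record, or the record points somewhere dead
    return "OK"


def survey(resources: List[Resource],
           resolve: Callable[[str], Optional[str]] = dns_resolve,
           connect: Callable[[str, int], bool] = tcp_connect) -> Dict[Resource, str]:
    """Classify every resource in the list."""
    return {r: classify(r, resolve, connect) for r in resources}


def segments_down(results: Dict[Resource, str], prefix: int = 24) -> List[str]:
    """Subnets (default /24) in which every probed resource was UNREACHABLE."""
    per_segment: Dict[str, List[str]] = {}
    for (_host, ip, _port), status in results.items():
        seg = str(ip_network(f"{ip}/{prefix}", strict=False))
        per_segment.setdefault(seg, []).append(status)
    return sorted(seg for seg, s in per_segment.items() if all(x == "UNREACHABLE" for x in s))


# --- constructed offline demo data (not real hosts) ----------------------
SAMPLE_RESOURCES: List[Resource] = [
    ("files.corp.example", "10.1.10.5", 445),
    ("intranet.corp.example", "10.1.10.20", 443),
    ("db.corp.example", "10.1.20.7", 5432),
    ("erp.corp.example", "10.1.20.9", 443),
]
FAKE_DNS = {"files.corp.example": "10.1.10.5",       # intranet has no DNS record
            "db.corp.example": "10.1.20.7", "erp.corp.example": "10.1.20.9"}
FAKE_REACHABLE = {"10.1.10.5", "10.1.10.20"}         # 10.1.20.0/24 is not routed


def fake_resolve(host: str) -> Optional[str]:
    return FAKE_DNS.get(host)


def fake_connect(ip: str, port: int) -> bool:
    return ip in FAKE_REACHABLE


def demo() -> Tuple[Dict[Resource, str], List[str]]:
    """Run the survey against the constructed data and report dead segments."""
    results = survey(SAMPLE_RESOURCES, fake_resolve, fake_connect)
    return results, segments_down(results)


if __name__ == "__main__":
    results, down = demo()
    for (host, ip, port), status in results.items():
        print(f"{status:12} {host} ({ip}:{port})")
    print("segments fully unreachable:", down)
```

With real probes, pass `survey(resources)` a list of the resources users report as broken; a "DNS" result for a host that works by IP points at name resolution, while a segment listed by `segments_down` points at routing or scope-specific issues of the kind described above rather than at the VPN login itself.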

Sometimes, users may find that although a VPN connection is functional, it is painfully slow. When this happens, you will have no choice but to do some performance monitoring on your infrastructure servers to ensure that they are not experiencing performance bottlenecks.

I have found that if the infrastructure servers are the source of performance problems, you will usually have multiple users complaining about poor performance. If only a single user is complaining, the problem is likely to be related to that user's Internet connection. I recently stayed at a hotel whose Internet service was so slow that I had difficulty even checking my email.

If that happened to an end user, he or she might assume that the hotel's Internet service was running at a normal speed but that the VPN server was having problems.

1: Find out who is affected
