[showmyads]You can’t really debug VPN problems with static show commands, if VPN fails to function you HAVE to
see it happening real-time. Below I list few debug commands that do just that for IPSEC site-to-site
tunnels in Fortigate.
192.168.168.254 – IP address on the LAN interface of the fortigate
10.170.15.131′ – IP address on the remote LAN
22.214.171.124 – (sanitazed) IP of the wan interface of Fortigate
126.96.36.199 – (sanitazed) IP of the remote VPN peer
FG100A# diag debug en
– Enable debug messages for specific application , here we are interested in IKE (note debug level -1,
following logic I enabled first +1, 255 etc and surprisingly had no effect at all )
FG100A # diag debug app ike -1
Many times there is more than one solution to the problem, and the most obvious is not the best one. I
reminded myself this when came to my care Fortigate 60 unit that was periodically blocking traffic,
you know this not-saying-much system alert “..has reached connection limit” and then no traffic goes from LAN to WAN.
Clearly being a resource starvation issue you may never know for sure what causes this , it may be
oversized rulebase, custom IPS , AV set on everything and everywhere, etc.,.. The only way to pinpoint the
misbehaving component is by elimination – disabling one by one until problem disappears. So for this
particular Fortigate it was URL-filtering used to block access to Facebook.com. Unfortunately once this
disabled users in LAN would cause starvation of the bandwidth by accessing (or rather not leaving) this
website. An internal fair use policy issue ? – yes of course, but the only way to implement the policy
was by force in this case. So if not URL-filtering (being the obvious solution) then black-hole routing would
be the better one I thought – but in this FG OS 3 i didnt find such option, and as upgrade to Fortios 4 wasnt
an option I blackholed Facebook.com IP range (thanks to Facebook for the convenience of continuous IP
range ) in the WAN facing Cisco router.
In the FortiOS 4 you can configure blackhole routing with no hassle:
FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable disable setting
enable enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst 188.8.131.52/20
FG100 (5) # end
FG100 # show router static
config router static
set blackhole enable
set dst 184.108.40.206 255.255.240.0
From station in LAN:
# ping 220.127.116.11
PING 18.104.22.168 (22.214.171.124) 56(84) bytes of data.
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable
Facebook IP range:
OrgName: Facebook, Inc.
Address: 156 University Ave, 3rd floor
City: Palo Alto
NetRange: 126.96.36.199 – 188.8.131.52