bande18
New Contributor II

IPSEC Tunnel list not displaying

I am new to FortiOS but need to configure an IPSEC VPN to a Ubiquiti EdgeRouter on the FortiGate 30E firewall. I went through the wizard and have successfully configured the basics using the Fortinet-to-Cisco template, then I converted my tunnel to Custom to set my desired Phase1 and Phase2 parameters. All went well and I saved the config, but now, when I click on IPSec Tunnels to display my available tunnels, I get an error message saying "Entry not found" and the page never loads. I have attached a screenshot of exactly what I'm seeing. I have tried different browsers but all have the same problem. I am not sure what to do now to be able to continue setting up my VPN. Please help me resolve this problem.

Toshi_Esumi
Esteemed Contributor III

Especially in the case of anything GUI related, you need to post the FortiOS version, because almost all versions have GUI changes which come with unique bugs. So any symptoms depend on the version.

But to verify if your tunnel is up, I recommend going to CLI and type "get vpn ipsec tunnel summary" like below:

   xxxxfg1 # get vpn ipse tun sum
   'xxxxxx' xxx.xxx.xxx.xxx:0  selectors(total,up): 1/1  rx(pkt,err): 33817/0  tx(pkt,err): 10216/17

If you see anything like the above, at least the config is there and the problem is in the GUI. But if it doesn't show anything, your config is gone somehow.

 

bande18
New Contributor II

Thanks for the reply. The FortiOS version is: v5.4.4,build1117 (GA)

 

Here is the output of the command you suggested:

 

   FGT30E3U17035555 # get vpn ipsec tunnel summary
   'GRAPEVINE' 173.15.57.28:0  selectors(total,up): 0/0  rx(pkt,err): 0/0  tx(pkt,err): 0/0

My primary goal is to fix the GUI problem since I need to make modifications to the tunnel config and potentially set up other tunnels as well. Any idea how I can get rid of the error message in the GUI?

 

Thanks,

ede_pfau
Esteemed Contributor III

First thought is that the phase1 or phase2 name contains a 'special' character, that is, a non-ASCII character or a blank. You can try to delete it or rename it in the CLI, using quotes to mask the current name. Sometimes you can use a backslash (\) to mask the special character.

The GUI will allow the entry but can't handle it. This has cropped up in a few past versions of FortiOS.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
bande18
New Contributor II

Here is what I show in the CLI for phase1 (the second one is the IPSEC tunnel I created):

 

   FGT30E3U17035555 # show vpn ipsec phase1-interface
   config vpn ipsec phase1-interface
       edit "Remote-Phones"
           set type dynamic
           set interface "wan"
           set keylife 10800
           set peertype dialup
           set mode-cfg enable
           set proposal aes256-sha256
           set dhgrp 16 14 5
           set xauthtype chap
           set authusrgrp "Remote-Phones"
           set usrgrp "Remote-Phones"
           set ipv4-start-ip 10.100.1.1
           set ipv4-end-ip 10.100.1.100
           set ipv4-netmask 255.255.255.0
           set dns-mode auto
       next
       edit "snet"
           set interface "wan"
           set peertype any
           set proposal 3des-sha1 3des-md5
           set comments "VPN: GRAPEVINE (Created by VPN wizard)"
           set dhgrp 5
           set wizard-type static-cisco
           set remote-gw 173.15.57.28
           set psksecret ENC yLQjmGYqWmcGVl/X3wYIzzaH+0rBkZMQl9B8Gqpj+sswe3Wa1swCaAoOPb6DGZsgRakVW864rK6+XMpQnbc2JjR7Xagl4aD/xFlB8DcIZO21CuAs54292PrTY3XDKYvj4VYuMJJSdSGFSQT8dtuVV2yTr5p/h+pRQZsbsmgwA4Yd3Ruw6uNkV3ljrfSdteXhyVuyAw==
       next
   end

 

Here is what I show for phase2 (I do not have a phase2 for my tunnel yet):

 

   FGT30E3U17035555 # show vpn ipsec phase2-interface
   config vpn ipsec phase2-interface
       edit "Remote-Phones"
           set phase1name "Remote-Phones"
           set proposal aes256-sha256
           set dhgrp 16 14 5
       next
   end

 

I do not see any special characters in the names here. Do you?

 

Thanks,

ede_pfau
Esteemed Contributor III

No, I don't.

Things I would do now:

1- Delete the second phase1 and check whether the first phase1 shows up in the GUI.

2- Recreate the Cisco tunnel in the CLI, not using the wizard ("set wizard=manual" or such). You've got the parameters from the CLI now (even if phase2 is missing).

 

Seems to be a glitch in the GUI. Sometimes the easy explanations/workarounds just don't take.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
bande18
New Contributor II

Thanks for the suggestions Ede! Here is what I came up with:

 

1- I am trying to delete the second phase1 and I get:

 

   FGT30E3U17035555 # config vpn ipsec phase1-interface
   FGT30E3U17035555 (phase1-interface) # delete snet
   This phase1-interface is currently used
   command_cli_delete:5242 delete table entry snet unset oper error ret=-23
   Command fail. Return code -23

I listed the config of the FW and searched for the keyword "snet" in it, and the only place I could find it is under config vpn ipsec phase1-interface, so I am not sure how it's being used. After some more googling I found a command to check the dependencies of an object, but again, I got no dependencies for this phase1 object:

 

   FGT30E3U17035555 # diag sys checkused vpn.ipsec.phase1-interface:name 'snet'
   FGT30E3U17035555 #

 

I also searched for the keyword "GRAPEVINE", because that is how I named my VPN tunnel, and the only place I could find it is under config system interface, so I tried deleting that, again without success:

 

   FGT30E3U17035555 (interface) # delete GRAPEVINE
   A tunnel interface cannot be deleted directly.
   command_cli_delete:5242 delete table entry GRAPEVINE unset oper error ret=-160
   Command fail. Return code -160
   FGT30E3U17035555 (interface) #

 

That is how far my beginner knowledge brought me, so I am looking for further input from more experienced people on what to try next.

 

2- As for re-creating the tunnel, since I am very new to Fortinet, I would appreciate some step-by-step commands (or at least an outline of the process) on how exactly to do this. This box is in production already, so I do not want to cause more problems than what I already have.

 

Thanks very much!

 

 
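One CLI-only way to build the site-to-site tunnel that was asked for above, as an added example and not something posted in this thread or taken from Fortinet's own documentation: the tunnel name, subnets, peer address and PSK are placeholders you would replace with your own, and it uses aes256-sha256 with DH group 14 instead of the wizard's 3des-sha1/3des-md5 proposal, which is no longer a sound choice.

```fortios
# Phase 1: the tunnel interface itself (interface mode, IKEv2, PSK auth).
# Strong proposal instead of the wizard default; DH group 14 on both ends.
config vpn ipsec phase1-interface
    edit "GRAPEVINE"
        set interface "wan"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret REPLACE-WITH-YOUR-PSK
    next
end

# Phase 2: selectors must match what the EdgeRouter is configured with,
# or the tunnel will show selectors(total,up): 1/0 in the summary.
config vpn ipsec phase2-interface
    edit "GRAPEVINE-p2"
        set phase1name "GRAPEVINE"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Route the remote subnet into the tunnel interface (this is one of the
# dependencies that blocks a later "delete" of the phase1).
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "GRAPEVINE"
    next
end

# Policies in both directions; restrict "service" to what is needed.
config firewall policy
    edit 0
        set name "LAN-to-GRAPEVINE"
        set srcintf "internal"
        set dstintf "GRAPEVINE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After entering the config, "get vpn ipsec tunnel summary" and "diag sys checkused vpn.ipsec.phase1-interface:name 'GRAPEVINE'" show whether the tunnel is up and which objects now depend on it.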

rwpatterson
Valued Contributor III

Did you create a static route for that tunnel? It has to be deleted first.

Did you create any address objects that reside on that tunnel? They too have to be deleted first.

Did you create any policies for that tunnel? They have to be deleted first.

 

You may have added an alias for the interface (Grapevine), but you cannot delete the interface that way. You didn't create it that way. Also, names are case sensitive in FortiOS.

 

Check the above areas for dependencies, and try to remove 'snet' again.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

bande18
New Contributor II

Thanks for the pointers.

 

I checked the static route but there isn't one for the tunnel.

I checked the objects but there isn't one that is related to this tunnel, only to another tunnel and the built-in ones.

I checked the policy and there isn't a policy that relates to this tunnel, only to another tunnel I have.

 

Please see the outputs I got in the attachment to this note.

 

What else can I try? Is it worth trying to upgrade firmware (a newer one is available) and/or reboot the box?

 

Thanks,

bande18
New Contributor II

Last night I rebooted the device and once it came back online, I was able to list the IPSEC tunnels successfully. I was also able to delete the IPSEC tunnel I created, and I can hopefully start from scratch today. It is very weird that a GUI issue like this is solved by a reboot, but it looks like it happens sometimes. I will try to re-create the tunnel today and I will pay more attention to the steps I am taking. If I run into this issue again, hopefully I will figure out which change I made caused it. I will post that step here for others to avoid.

 

Thanks to everyone who offered advice in this matter! I appreciate it!
