
> Chapter 14 - IPsec VPN > GRE over IPsec (Cisco VPN) > Troubleshooting


This section describes some checks and tools you can use to resolve issues with the GRE-over-IPsec VPN.

Quick checks

Here is a list of common problems and what to verify.

Problem: No communication with remote
What to check:
  • Use the execute ping command to ping the Cisco device public interface.
  • Use the FortiGate VPN Monitor page to see whether the IPsec tunnel is up or can be brought up.

Problem: IPsec tunnel does not come up.
What to check:
  • Check the logs to determine whether the failure is in Phase 1 or Phase 2.
  • Check that the encryption and authentication settings match those on the Cisco device.
  • Check the encapsulation setting: tunnel-mode or transport-mode. Both devices must use the same mode.

Problem: Tunnel connects, but there is no
What to check:
  • Check the security policies. See Troubleshooting.
  • Check routing. See Troubleshooting.

Setting up logging

To configure FortiGate logging for IPsec
  1. Go to Log & Report > Log Config > Log Settings.
  2. Select Event Logging.
  3. Select VPN activity event.
  4. Select Apply.
To view FortiGate logs
  1. Go to Log & Report > Event Log > VPN.
  2. Select the log storage type.
  3. Select Refresh to view any logged events.

GRE tunnel keepalives

If each GRE tunnel endpoint has keepalive enabled, firewall policies allowing GRE are required in both directions. Configure the policy as follows (the IP addresses and interface names are for example purposes only):

config firewall policy
    edit <id>
        set srcintf "gre"
        set dstintf "port1"
        set srcaddr ""
        set dstaddr ""
        set action accept
        set schedule "always"
        set service "GRE"
    next
end


GRE tunnel with multicast traffic

If you want multicast traffic to traverse the GRE tunnel, you need to configure a multicast policy as well as enable multicast forwarding.

  • To configure a multicast policy, use the config firewall multicast-policy command.
  • To enable multicast forwarding, use the following commands:

config system settings
    set multicast-forward enable
end


Using diagnostic commands

Some diagnostic commands provide useful information. When using diagnostic commands, it is best practice to connect to the CLI using a terminal program, such as PuTTY, that allows you to save output to a file. You can then review the data later at your own speed without worrying about data missed as the diag output scrolls by.

To use the packet sniffer
  1. Enter the following CLI command:

diag sniff packet any icmp 4

  2. Ping an address on the network behind the FortiGate unit from the network behind the Cisco router.

    The output will show packets coming in from the GRE interface going out of the interface that connects to the protected network (LAN) and vice versa. For example:

114.124303 gre1 in -> icmp: echo request
114.124367 port2 out -> icmp: echo request
114.124466 port2 in -> icmp: echo reply
114.124476 gre1 out -> icmp: echo reply

  3. Enter CTRL-C to stop the sniffer.
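
If the sniffer output was saved to a file, the four-hop path shown above can be checked offline to find the first hop where the ping stops. The following Python script is an added example, not part of the Fortinet documentation. Its function names, the default interface names (gre1 and port2, taken from the sample output), the hint wording and the sample captures are assumptions.

```python
import re

# Verbosity 4 lines: <timestamp> <interface> <in|out> [addresses] icmp: echo <type>
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+.*?"
    r"icmp:\s+echo\s+(?P<kind>request|reply)"
)

def parse_sniffer(text):
    """Return (timestamp, interface, direction, kind) for each ICMP echo line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # banners, blank lines and non-echo traffic are skipped
            events.append((float(m["ts"]), m["iface"], m["dir"], m["kind"]))
    return events

def diagnose(text, gre_if="gre1", lan_if="port2"):
    """Name the first missing hop for a ping sent from the Cisco side (assumed direction)."""
    seen = {(iface, direction, kind) for _, iface, direction, kind in parse_sniffer(text)}
    expected_path = [
        ((gre_if, "in", "request"),
         "echo request never arrived on the GRE interface"),
        ((lan_if, "out", "request"),
         "echo request was not forwarded to the LAN: check security policies and routing"),
        ((lan_if, "in", "reply"),
         "no echo reply came back in on the LAN interface"),
        ((gre_if, "out", "reply"),
         "echo reply was not sent into the GRE tunnel: check security policies and routing"),
    ]
    for hop, hint in expected_path:
        if hop not in seen:
            return hint
    return "ok"

# Constructed sample captures (addresses are documentation ranges, not real hosts)
GOOD = """114.124303 gre1 in -> icmp: echo request
114.124367 port2 out -> icmp: echo request
114.124466 port2 in -> icmp: echo reply
114.124476 gre1 out -> icmp: echo reply
"""
BROKEN = """20.500100 gre1 in 192.0.2.10 -> 198.51.100.20: icmp: echo request
21.500900 gre1 in 192.0.2.10 -> 198.51.100.20: icmp: echo request
"""

if __name__ == "__main__":
    print("GOOD:  ", diagnose(GOOD))
    print("BROKEN:", diagnose(BROKEN))
```
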
To view debug output for IKE
  1. Enter the following CLI commands:

diagnose debug application ike -1
diagnose debug enable

  2. Attempt to use the VPN or set up the VPN tunnel and note the debug output.
  3. Enter CTRL-C to stop the debug output.
  4. Enter the following command to reset debug settings to default:

diagnose debug reset