IPsec VPN: Flush and Reset the Tunnels – FortiGate

Sometimes IPsec VPN tunnels on a FortiGate get stuck (the tunnel is up but traffic no longer passes, or a phase 2 will not renegotiate). Here are the commands to clear the security associations (SAs) and the stale sessions behind them.

List the VPN tunnels:

diagnose vpn tunnel list | grep name

Pick the name of the tunnel you want to reset. "flush" drops that tunnel's IPsec SAs; "reset" tears the tunnel down so it renegotiates from scratch:

diag vpn tunnel flush *Tunnel_NAME*
diag vpn tunnel reset *Tunnel_NAME*

If that does not help, clear the sessions on the firewall. First create a filter for the IP whose sessions you want to clear. Never skip this step: with no filter set, "diagnose sys session clear" clears every session on the unit.

diagnose sys session filter dst *IP_THAT_IS_STUCK*

Check that the filter is set the way you intended (this prints the active filter):

diagnose sys session filter

If everything looks right, clear the matching sessions:

diagnose sys session clear

Then flush and reset the VPN again, on both sides of the tunnel.
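The whole procedure above as one CLI session. This is an added example, not from the original page: the tunnel names SiteB-P1 (phase 1) and SiteB-P2 (phase 2) and the host 10.20.30.40 are placeholders, and the commands are the standard FortiOS "diagnose" set, so adapt them to your own tunnel names and FortiOS version.

```console
# Added example session (placeholder names/addresses). Run on each side of the tunnel.

# 1. Identify the tunnel and its current state
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name SiteB-P1
diagnose vpn tunnel list name SiteB-P1

# 2. Flush the IPsec SAs and reset only this tunnel
diagnose vpn tunnel flush SiteB-P1
diagnose vpn tunnel reset SiteB-P1
# If the IKE SA itself is stale, drop it as well so a fresh negotiation starts
diagnose vpn ike gateway flush name SiteB-P1

# 3. Still stuck: clear only the sessions to the affected host.
#    Reset the filter first: a stale or empty filter followed by
#    "diagnose sys session clear" wipes every session on the unit.
diagnose sys session filter clear
diagnose sys session filter dst 10.20.30.40
diagnose sys session filter          # prints the active filter: confirm dst is set
diagnose sys session list            # lists only the sessions the filter matches
diagnose sys session clear           # clears only those sessions
diagnose sys session filter clear    # leave no filter behind for the next admin

# 4. Bring the tunnel back up and verify; repeat step 2 on the peer
diagnose vpn tunnel up SiteB-P2 SiteB-P1
diagnose vpn tunnel list name SiteB-P1
```

Running "diagnose sys session list" before the clear is the check worth keeping: if the count is far larger than you expect, the filter is wrong and clearing would take down unrelated traffic.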

Troubleshooting FortiGate Firewall Policies

For a quick first check, use the built-in packet sniffer to see whether the traffic reaches the firewall at all and on which interface (the trailing 4 is the verbosity level: packet headers plus interface names), for example:

diagnose sniffer packet any "(host {IP1_TO_DEBUG} and host {IP2_TO_DEBUG}) and icmp" 4

If you need more detail (which policy matched, or why the packet was dropped), use the debug flow:

diag debug enable
diag debug flow filter addr {IP_TO_DEBUG}
diag debug flow show console enable
diag debug flow trace start 100          <== traces the next 100 packets matching this filter

To stop the trace, type:

diag debug flow trace stop

and then turn off all debug output:

diag debug disable
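The sniffer and debug-flow steps above as a complete session, including the cleanup that is easy to forget on a production unit. This is an added example, not from the original page: 192.0.2.10 and 198.51.100.20 are placeholder hosts, and the "show console enable" line is the FortiOS 5.x syntax the page uses; on FortiOS 6.x and later that option is gone and "diagnose debug flow show function-name enable" is used instead.

```console
# Added example session (placeholder addresses): is the ICMP traffic between
# 192.0.2.10 and 198.51.100.20 reaching the firewall, and which policy handles it?

# Quick check with the sniffer: verbosity 4 = headers plus interface names,
# count 0 = until Ctrl-C, "a" = absolute timestamps
diagnose sniffer packet any "host 192.0.2.10 and host 198.51.100.20 and icmp" 4 0 a

# Detailed check with the debug flow. Start from a clean filter so an old
# filter from a previous session does not hide or add packets.
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.0.2.10
diagnose debug flow filter daddr 198.51.100.20
diagnose debug flow filter proto 1              # ICMP only
diagnose debug flow show console enable         # FortiOS 5.x; 6.x+: show function-name enable
diagnose debug console timestamp enable
diagnose debug enable
diagnose debug flow trace start 100             # next 100 matching packets
# ... reproduce the traffic from the client now ...

# Cleanup: debug output costs CPU and floods the console until you stop it
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset                            # drop all debug settings, not just the flow
```

Filtering on source, destination and protocol keeps the trace to the flow you care about; a bare "addr" filter on a busy host will burn the 100-packet budget on unrelated traffic before the packet you are hunting shows up.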