Troubleshooting Playbooks

Step-by-step diagnostic workflows for identifying and resolving complex network and security infrastructure issues.

FortiGate → IKEv2 Phase 1 Fail

Check IKE SA status

get vpn ike status

Look for established SA. If empty, Phase 1 is failing.

Check Phase 1 proposals

diagnose vpn ike config list

Keep an eye out to match encryption / hash / DH with peer.

Check PSK

diagnose vpn ike config list

Verify PSK matches exactly (passwords are case sensitive).

Check interface binding

diagnose vpn ike gateway list

Confirm correct outbound interface used for tunnel.

Check firewall policy

show firewall policy

Ensure zone-to-zone policy allows UDP 500/4500.

Check routing to peer

get router info routing-table all

Valid route to peer IP must exist for Phase 1 to initiate.

Run IKE debug

diagnose debug app ike -1

diagnose debug enable

Look for INVALID_ID or TS_UNACCEPTABLE errors in deep debug output.

Check logs

execute log filter category 1

execute log display

Review last VPN events for explicit failure codes.

Zscaler ZIA → Upload Degradation

Check ZCC tunnel status

ZCC tray Advanced Tunnel Status

Confirm tunnel is established, not in a fallback state.

Check forwarding profile

ZIA Admin Policy Forwarding Rules

Confirm correct rule hitting for source IP/user.

Check SSL inspection bypass

ZIA Policy SSL Inspection

Check if upload domain is being inspected — which may cause slowness.

Test without Zscaler

Temporarily bypass ZCC

If speed restores, it confirms Zscaler is in the path causing the issue.

Check bandwidth control policy

ZIA Policy Bandwidth Control

Confirm no throttling rule is matching the affected user/group.

Check ZCC logs

ZCC Advanced Log Export

Look for tunnel resets or fallback events occurring during upload.

Run packet capture

Wireshark on client during upload

Look for TCP retransmissions or RST packets returning from the Zscaler node.

Check Zscaler node performance

ZIA Admin Analytics Cloud Performance

Verify that the node the user is connected to has no ongoing degradation alerts.

Cisco ISE → 802.1X Auth Fail

Check live authentications

ISE Operations RADIUS Live Logs

Find the specific failed auth event.

Check failure reason

Click on failed event Failure Reason field

Note exact error code causing the failure.

Check authentication policy

ISE Policy Policy Sets

Confirm the correct policy set is accurately matching the condition.

Check identity source

ISE Policy Authentication

Confirm if AD or LDAP identity source is connected and up.

Verify AD join status

ISE Administration Identity AD Test User

Confirm ISE can successfully reach AD and resolve the user.

Check supplicant config

On endpoint: check 802.1X profile, certificate, EAP method

The supplicant configuration must match the configured ISE policy.

Check switch config

show authentication sessions interface <int>

Confirm dot1x is enabled globally and on interface, and in the correct mode.

Check RADIUS shared secret

ISE Network Devices [device]

Verify secret matches switch config exactly (watch out for special characters).