arleniscg
Staff
March 11, 2025

Technical Tip: Troubleshooting IPsec VPN packets drops after upgrade to version 7.0.3

Description

This article describes the troubleshooting steps to follow if traffic over an IPsec VPN shows drops or stops working after the FortiDDoS upgrade to version 7.0.3.

Scope

FortiDDoS F.

Solution
  1. Take a sniffer capture (level 6) on the firewall and check whether the UDP traffic is being sent with a checksum of 0x000. Note that the checksum of empty UDP packets is required to be 0xfff; after the upgrade, FortiDDoS (FDD) also inspects this type of packet, so if the firewall is sending the wrong format, the following options must be adjusted on FortiDDoS, only on the Firewall-SPP IP Profile. See: IP Profile Overview - FortiDDOS-F handbook. Disable these options and test the VPN:

*UDP Empty Checksum Check (disable this option).

*IKE Strict Anomalies (disable this option).

*Tunnelling Attacks (disable this option).

Note:

On the rest of the SPPs, keep these options enabled.
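As an added example (not from this article or from Fortinet), the check in step 1 done offline in Python: it parses a raw IPv4/UDP packet, recomputes the RFC 768 checksum, and reports whether an empty datagram carries the absent value (0x0000) that the UDP Empty Checksum Check would flag instead of the all-ones form. The sample packets, the 10.0.0.x addresses and the use of UDP/4500 are constructed for the demonstration.

```python
import socket
import struct

def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment: bytes) -> int:
    """RFC 768 checksum over the IPv4 pseudo-header plus the UDP segment
    (checksum field taken as zero). A computed 0 is transmitted as 0xffff."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment))
    data = pseudo + udp_segment[:6] + b"\x00\x00" + udp_segment[8:]
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad to 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF

def inspect_udp(packet: bytes) -> dict:
    """Parse a raw IPv4/UDP packet (no link-layer header) and classify its
    UDP checksum as absent (0x0000), valid, or invalid."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    src, dst = packet[12:16], packet[16:20]
    sport, dport, ulen, csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    expected = udp_checksum(src, dst, packet[ihl:ihl + ulen])
    if csum == 0:
        status = "absent"    # legal in IPv4, but what the empty-checksum check flags
    elif csum == expected:
        status = "valid"
    else:
        status = "invalid"
    return {"sport": sport, "dport": dport, "payload_len": ulen - 8,
            "checksum": csum, "expected": expected, "status": status}

def build_packet(src: str, dst: str, sport: int, dport: int,
                 payload: bytes, csum=None) -> bytes:
    """Constructed sample IPv4/UDP packet. csum=None computes the correct value;
    pass 0 to mimic a sender that omits the checksum. IP checksum is left 0."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ulen = 8 + len(payload)
    if csum is None:
        csum = udp_checksum(s, d, struct.pack("!HHHH", sport, dport, ulen, 0) + payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, 17, 0, s, d)
    return ip + udp

if __name__ == "__main__":
    # Constructed samples: empty UDP/4500 datagram with and without a checksum.
    for c in (None, 0):
        print(inspect_udp(build_packet("10.0.0.1", "10.0.0.2", 4500, 4500, b"", csum=c)))
```

To use it on real traffic, feed `inspect_udp` the IP-layer bytes of a captured packet; an "absent" result on empty datagrams is the condition that the Firewall-SPP option above is reacting to.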

 

  2. If the problem is still present, adjust the IPsec-related sys_reco value for ports 50 and 4500.

(Screenshot: FDD1.png)

(Screenshot: FDD0.png)

  • Delete it, then create a custom entry for this specific IPsec port and adjust the value as required.

(Screenshot: FDD3.png)

Note:

Validate logs/drops on Layers 3, 4, and 7 related to UDP/Firewall-SPP to decide whether a larger threshold is required.

 

  3. If the problem is still present, open a case with the Fortinet TAC team (see Technical Tip: FortiDDoS commands to open a new ticket to TAC).