Matt_B
Staff & Editor
March 18, 2026

Technical Tip: FortiGate in FGSP cluster does not disable static route when synced IPsec tunnel goes down

Description

This article describes an issue, currently under investigation, with static routing that can be triggered by tunnel failure in a FortiGate Session Life Support Protocol (FGSP) deployment.

Scope

FortiOS v7.4.

Solution

This issue is under investigation. Note that the most common High Availability (HA) clustering protocol on FortiGate devices is FortiGate Clustering Protocol (FGCP), which is not affected by this issue.

 

In an affected FGSP cluster, an IPsec tunnel may not be flagged as inactive when the tunnel is down on a peer. The static routes bound to the tunnel interface therefore remain in the active routing table and keep steering traffic into a tunnel that cannot forward it.

 

Example affected configuration:

config router static
    edit <index>
        set dst 10.255.255.0 255.255.255.0
        set device "Cluster-HQ"
    next
end

config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 1
    config cluster-peer
        edit 1
            set peerip 172.31.210.1
        next
    end
end

 

During the issue, 'diagnose vpn tunnel list' shows no IPsec SA for the tunnel (child_num=0 in the header and sa=0 on the proxyid line), so the tunnel cannot pass traffic, yet the tunnel still reports status=up and the DPD status incorrectly shows 'ok'. The static route bound to the tunnel can be confirmed as still present with 'get router info routing-table static'.

diagnose vpn tunnel list

name=Cluster-HQ ver=2 serial=e 192.0.2.2:0->198.51.100.100:0 nexthop=192.0.2.1 tun_id=198.51.100.100 tun_id6=::198.51.100.100 status=up dst_mtu=1500 weight=1
bound_if=34 real_if=34 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=0 overlay_id=0

proxyid_num=1 child_num=0 refcnt=3 ilast=199 olast=199 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 status=ok idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Cluster-HQ proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
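To find tunnels in this state across a cluster member, the following script is an added example (it is not from the article or from Fortinet): it parses the text of 'diagnose vpn tunnel list' pasted from the CLI and flags tunnels whose tunnel status and DPD status look healthy while no proxyid carries an SA. The embedded sample output is constructed: the first tunnel reproduces the affected state shown above, the second is a healthy tunnel with one child SA, trimmed to the fields the check uses.

```python
"""Flag IPsec tunnels that report status=up and DPD ok but carry no SA.

Added example, not Fortinet code. It parses the text of
'diagnose vpn tunnel list' copied from the FortiGate CLI. Field names are
the ones printed by that command; the sample output below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the first tunnel is the affected state from the article,
# the second is a healthy tunnel (child_num=1, sa=1), trimmed to the fields used.
SAMPLE_OUTPUT = """\
name=Cluster-HQ ver=2 serial=e 192.0.2.2:0->198.51.100.100:0 nexthop=192.0.2.1 tun_id=198.51.100.100 tun_id6=::198.51.100.100 status=up dst_mtu=1500 weight=1
bound_if=34 real_if=34 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=0 overlay_id=0

proxyid_num=1 child_num=0 refcnt=3 ilast=199 olast=199 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 status=ok idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Cluster-HQ proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
name=Branch-01 ver=2 serial=f 192.0.2.2:0->203.0.113.7:0 nexthop=192.0.2.1 tun_id=203.0.113.7 tun_id6=::203.0.113.7 status=up dst_mtu=1500 weight=1
bound_if=34 real_if=34 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=1 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=1 refcnt=5 ilast=1 olast=1 ad=/0
stat: rxp=120 txp=118 rxb=14400 txb=14160
dpd: mode=on-demand on=0 status=ok idle=10000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Branch-01 proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
"""

# key=value tokens; a key such as options[0228] does not match and is skipped.
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Tunnel:
    name: str
    status: str = ""       # tunnel-level status from the name= line
    dpd_status: str = ""   # status field of the dpd: line
    child_num: int = 0     # child SA count from the proxyid_num= header
    sa_total: int = 0      # sum of sa= over all proxyid lines
    proxyids: int = 0


def parse_tunnel_list(text: str) -> List[Tunnel]:
    """Split 'diagnose vpn tunnel list' output into one Tunnel per name= block."""
    tunnels: List[Tunnel] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            kv = dict(KV_RE.findall(line))
            cur = Tunnel(name=kv["name"], status=kv.get("status", ""))
            tunnels.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("proxyid_num="):
            cur.child_num = int(dict(KV_RE.findall(line)).get("child_num", 0))
        elif line.startswith("dpd:"):
            cur.dpd_status = dict(KV_RE.findall(line)).get("status", "")
        elif line.startswith("proxyid="):
            cur.proxyids += 1
            cur.sa_total += int(dict(KV_RE.findall(line)).get("sa", 0))
    return tunnels


def stale_tunnels(tunnels: List[Tunnel]) -> List[Tunnel]:
    """Tunnels that look healthy (status=up, DPD ok) but hold no SA at all.

    Static routes bound to such an interface stay in the routing table while
    the tunnel cannot forward; confirm with 'get router info routing-table static'.
    """
    return [
        t for t in tunnels
        if t.status == "up" and t.dpd_status == "ok"
        and t.child_num == 0 and t.sa_total == 0
    ]


if __name__ == "__main__":
    for t in stale_tunnels(parse_tunnel_list(SAMPLE_OUTPUT)):
        print(f"{t.name}: status={t.status} dpd={t.dpd_status} "
              f"proxyids={t.proxyids} sa_total={t.sa_total} -> no SA, check routes")
```

Paste the real command output in place of SAMPLE_OUTPUT (or read it from a file) and run the script on each cluster member; a tunnel listed by stale_tunnels() while its static route is still shown by 'get router info routing-table static' is the condition this article describes.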

 

Note: It is not required to enable fgsp-sync on the IPsec tunnel to trigger the issue; it can be observed when fgsp-sync is disabled.

 

config vpn ipsec phase1-interface
    edit "Cluster-HQ"
        set fgsp-sync disable
    next
end

 

Workaround:

To work around the issue, apply one of the following methods:

  • Disable IPsec tunnel sync on each cluster member. This also disables IKE and IPsec SA synchronization between the FGSP cluster members, so the surviving member has to renegotiate the tunnel after a failover:

config system standalone-cluster
    config cluster-peer
        edit 1
            set peerip <Peer IP Address>
            set ipsec-tunnel-sync disable <-- Also disables IKE and IPsec SA synchronization between the cluster members.
        next
    end
end

 

  • Disable 'secondary-add-ipsec-routes' on the cluster peer, so the secondary no longer installs IPsec routes received from the primary:

config system standalone-cluster
    config cluster-peer
        edit 1
            set peerip <Peer IP Address>
            set secondary-add-ipsec-routes disable
        next
    end
end

 

  • Implement a dynamic routing protocol, such as BGP or OSPF, to advertise and learn the required routes over the IPsec tunnel, and remove the static routes for the tunnel. A route learned from a neighbor is withdrawn when the adjacency over the tunnel is lost, so it does not depend on the tunnel interface being flagged down.

 

Related documents:

FGSP per-tunnel failover for IPsec

Synchronization

FGSP static site-to-site IPsec VPN setup