DShah
Staff
January 27, 2026

Troubleshooting Tip: ADVPN Hub-and-Spoke tunnels fail after upgrade to FortiOS v7.4.9+ when Mode-CFG (assign-ip) is enabled on tunnels with manually configured overlay IPs

Description This article describes the solution for hub-and-spoke ADVPN (mode-cfg) tunnels that go down after an upgrade to FortiOS v7.4.9 or later when assign-ip is enabled on the spoke and the tunnel IP is manually configured.
Scope FortiOS v7.4.9 and above.
Solution

The issue occurs when both conditions below are present:

  1. The IPsec tunnel interface has a manually assigned overlay IP address (as in a normal ADVPN design).
  2. The Phase1-interface has Mode-CFG enabled with assign-ip enable.

Example of configuration:

config system interface
    edit "ADVPN-HUB1"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
end

config vpn ipsec phase1-interface
    edit "ADVPN-HUB1"
        set mode-cfg enable
        set assign-ip enable
    next
end

Symptoms:

  • All spoke VPN connections to the hub are down after the upgrade.
  • IKE debug on the spoke shows an error similar to 'connection expiring due to mode-cfg client IPv4 error'.

IKE Debug Logs:

On the Spoke:

ike V=root:0:vpn-pfi-hub: connection expiring due to mode-cfg client IPv4 error
ike V=root:0:vpn-pfi-hub: going to be deleted
ike V=root:0:vpn-pfi-hub: schedule auto-negotiate

On the Hub:

twin connection

Solution:

Before the upgrade, change the spoke configuration to the following:

config vpn ipsec phase1-interface
    edit <Phase1-Name>
        set assign-ip disable
        unset mode-cfg
    next
end
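
A pre-upgrade check for the two conditions listed above, run against a saved configuration backup. This is an added example, not Fortinet code or part of the original article. The function names, the sample backup and the second tunnel "ADVPN-HUB2" are constructed for illustration, and the check assumes both settings appear explicitly in the backup, as they do in the article's example.

```python
import re

IFACE, PHASE1 = "system interface", "vpn ipsec phase1-interface"
# Constructed sample backup modelled on the article's example; ADVPN-HUB2 is made up.
SAMPLE_CONFIG = """
config system interface
    edit "ADVPN-HUB1"
        set ip 10.10.10.2 255.255.255.255
    next
end
config vpn ipsec phase1-interface
    edit "ADVPN-HUB1"
        set mode-cfg enable
        set assign-ip enable
    next
    edit "ADVPN-HUB2"
        set mode-cfg enable
        set assign-ip enable
    next
end
"""

def parse_sections(text, wanted):
    """Return {section: {edit name: {setting: value}}} for the wanted top-level sections."""
    out, section, entry, depth = {s: {} for s in wanted}, None, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                section, entry = line[len("config "):], None
        elif line == "end":
            depth = max(depth - 1, 0)
        elif depth == 1 and section in out:  # settings in nested config blocks are skipped
            if m := re.match(r'edit "?([^"]+)"?$', line):
                entry = out[section].setdefault(m.group(1), {})
            elif entry is not None and (m := re.match(r"set (\S+) (.+)$", line)):
                entry[m.group(1)] = m.group(2)
    return out

def at_risk_tunnels(text):
    """Phase1 names with mode-cfg and assign-ip both set to enable and a manual overlay IP."""
    cfg = parse_sections(text, (IFACE, PHASE1))
    def manual_ip(name):  # a missing or 0.0.0.0 address counts as "no manual IP"
        return not cfg[IFACE].get(name, {}).get("ip", "0.0.0.0").startswith("0.0.0.0")
    return [n for n, p1 in cfg[PHASE1].items()
            if p1.get("mode-cfg") == "enable" and p1.get("assign-ip") == "enable" and manual_ip(n)]

if __name__ == "__main__":
    print("Tunnels to change before upgrading:", at_risk_tunnels(SAMPLE_CONFIG))
```

Only ADVPN-HUB1 is reported, because ADVPN-HUB2 has no manually configured tunnel IP in the sample.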