Troubleshooting Tip: Troubleshooting sudden loss in connectivity in IPSec site-to-site VPN despite functioning for some time.
| Description | This article describes a cause of sudden loss of connectivity across an IPsec site-to-site VPN even when both phase 1 and phase 2 are up: a mismatch between the subnet masks configured for the local and remote networks on the two sites. The tunnel works while the site with the more specific (smaller) subnet initiates the negotiation and stops working once the site with the less specific (larger) subnet starts the phase 2 negotiation. |
| Scope | FortiGate v7.0.11 and above, v7.2.1 and above. |
| Solution | To troubleshoot this, verify that the local network configured on one site is identical to the remote network configured on the other site, and vice versa: the phase 2 selectors must be exact mirror images, with the same network size on both ends. On a FortiGate, compare the src-subnet and dst-subnet values of the phase 2 selector (config vpn ipsec phase2-interface in the CLI, or the Local Address and Remote Address fields of the phase 2 selector in the GUI) on both units.
Example of the problem:
Site-A: Local Network: 10.100.0.0 /24, Remote Network: 10.221.0.0 /24
Site-B: Local Network: 10.221.0.0 /24, Remote Network: 10.100.0.0 /16
In this example, the Remote Network configured on Site-B (10.100.0.0/16) is larger than the Local Network configured on Site-A (10.100.0.0/24). Only Site-A can bring the tunnel up towards Site-B: its phase 2 proposal (10.100.0.0/24 to 10.221.0.0/24) falls inside what Site-B is configured to allow, so Site-B accepts it. If Site-B initiates, it proposes 10.221.0.0/24 to 10.100.0.0/16, which is wider than the selector Site-A is configured for, so Site-A refuses it. A responder accepts a proposal that is the same as or narrower than its own selector and rejects one that is wider; this is why the site with the smaller network can always initiate while the site with the larger network cannot. Because either side may start the phase 2 negotiation, for example when the tunnel is re-established or phase 2 is rekeyed after it has been running for some time, the outage appears sudden and depends only on which side initiated last.
In IPsec VPN configurations the phase 2 selectors do not have to be identical on both ends, but the selectors proposed by the initiator must fit inside those configured on the responder, and either side can initiate. Different subnet sizes on the two ends therefore work in one direction only. Configuring the selectors as exact mirror images (Site-A's local network equals Site-B's remote network and vice versa) is the configuration that lets both sites initiate; if several segments must traverse the tunnel, define a separate phase 2 selector pair for each segment and mirror each pair on both sides. |
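The one-directional behaviour described above can be checked before touching the units. The following Python script is an added example, not Fortinet code and not part of the original article: it parses the src-subnet/dst-subnet lines of two FortiOS phase2-interface stanzas, applies the acceptance rule this article describes (a responder accepts a proposal only if it fits inside its own selectors), reports which site can initiate, and renders the stanza the other site would need to mirror its peer. The stanza names (to-SiteB-p2, to-SiteA-p2) and phase1 names are constructed; the two stanzas reproduce the article's Site-A/Site-B example. The model is deliberately simplified and does not replicate the full IKE negotiation.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One FortiOS phase2-interface entry reduced to its selector pair."""
    name: str
    src: ipaddress.IPv4Network   # set src-subnet (this site's local network)
    dst: ipaddress.IPv4Network   # set dst-subnet (this site's remote network)


_EDIT = re.compile(r'^\s*edit\s+"([^"]+)"')
_SUBNET = re.compile(r'^\s*set\s+(src|dst)-subnet\s+(\S+)\s+(\S+)')


def parse_phase2(cli: str) -> Phase2:
    """Extract the name, src-subnet and dst-subnet from one phase2-interface
    stanza. Other settings in the stanza are ignored."""
    name = None
    sel = {}
    for line in cli.splitlines():
        m = _EDIT.match(line)
        if m:
            name = m.group(1)
            continue
        m = _SUBNET.match(line)
        if m:
            # ipaddress accepts "<network>/<dotted netmask>".
            sel[m.group(1)] = ipaddress.IPv4Network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
    if name is None or set(sel) != {"src", "dst"}:
        raise ValueError("stanza needs an edit name plus src-subnet and dst-subnet")
    return Phase2(name, sel["src"], sel["dst"])


def responder_accepts(initiator: Phase2, responder: Phase2) -> bool:
    """Rule from the article: the responder accepts a phase 2 proposal only
    when the initiator's selectors fit inside its own. The initiator's src
    is the responder's remote (dst) network and vice versa."""
    return (initiator.src.subnet_of(responder.dst)
            and initiator.dst.subnet_of(responder.src))


def check_pair(a: Phase2, b: Phase2) -> dict:
    """Report which side can bring the tunnel up and list any selector on
    one site that is not the exact mirror of the peer's selector."""
    result = {
        "a_initiates": responder_accepts(a, b),
        "b_initiates": responder_accepts(b, a),
        "mismatches": [],
    }
    if a.src != b.dst:
        result["mismatches"].append(
            (f"{a.name} src-subnet {a.src}", f"{b.name} dst-subnet {b.dst}"))
    if a.dst != b.src:
        result["mismatches"].append(
            (f"{a.name} dst-subnet {a.dst}", f"{b.name} src-subnet {b.src}"))
    return result


def mirrored_cli(peer: Phase2, name: str, phase1name: str) -> str:
    """Render a phase2-interface stanza whose selectors mirror `peer`,
    i.e. what the other site should carry (constructed names)."""
    return "\n".join([
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{phase1name}"',
        f"        set src-subnet {peer.dst.network_address} {peer.dst.netmask}",
        f"        set dst-subnet {peer.src.network_address} {peer.src.netmask}",
        "    next",
        "end",
    ])


# Constructed stanzas reproducing the article's example (not from a real unit).
SITE_A_CLI = """
config vpn ipsec phase2-interface
    edit "to-SiteB-p2"
        set phase1name "to-SiteB"
        set src-subnet 10.100.0.0 255.255.255.0
        set dst-subnet 10.221.0.0 255.255.255.0
    next
end
"""

SITE_B_CLI = """
config vpn ipsec phase2-interface
    edit "to-SiteA-p2"
        set phase1name "to-SiteA"
        set src-subnet 10.221.0.0 255.255.255.0
        set dst-subnet 10.100.0.0 255.255.0.0
    next
end
"""

if __name__ == "__main__":
    site_a, site_b = parse_phase2(SITE_A_CLI), parse_phase2(SITE_B_CLI)
    report = check_pair(site_a, site_b)
    print(f"{site_a.name} can initiate: {report['a_initiates']}")
    print(f"{site_b.name} can initiate: {report['b_initiates']}")
    for ours, theirs in report["mismatches"]:
        print(f"mismatch: {ours} vs {theirs}")
    print("Site-B stanza that mirrors Site-A:")
    print(mirrored_cli(site_a, "to-SiteA-p2", "to-SiteA"))
```

Run against the article's example, the report shows Site-A able to initiate, Site-B refused, and the Site-B dst-subnet 10.100.0.0/16 flagged against Site-A's src-subnet 10.100.0.0/24; feeding the rendered mirror stanza back into check_pair gives both directions accepted and no mismatches.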
