qaajak
New Member
June 6, 2024
Question

AD-VPN Shortcut Tear-down


I'm proofing out an SD-WAN/AD-VPN configuration prior to replacing all of our site-to-site tunnels and have one question. Everything in my setup is working brilliantly, except that the shortcuts between the spokes seem to be persistent. I had assumed that by default, they would tear down after being idle for a time? Is this the case or is it something else that needs to be configured?


I've been following Fortinet's SD-Branch Deployment Guide in building this out.


qaajak (Author)
New Member
June 6, 2024

I've read both of those, and after setting the idle-timeout, I noticed this strange behavior in the IPSEC monitor (a second phase 2 showing down), which made me wonder if I was doing something wrong.

 

[Attached image: Screenshot 2024-06-06 110138.png]

fricci_FTNT
Staff
June 6, 2024

Hi @qaajak,

 

In the output below, do you see both phase2 (up and down) or just one?

show vpn ipsec phase1-interface
show vpn ipsec phase2-interface

diag vpn ike gateway list
diag vpn ike gateway summary
diag vpn ike gateway list name <vpn-name>

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-ADVPN-with-SD-WAN-troubleshooting/ta-p/275457
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-ADVPN/ta-p/199348

Best regards,