ADVPN Shortcut stuck in delete SA phase 1

Question

Hi all, My situation:I run SDWAN use ADVPN BGP on loopback between HQ and 4 branches, HQ is Hub and Branches is spokes.When Branch 1 talk to Branch 2. Spoke -  Spoke tunnel is established successfully, I set up tunnel idle timeout, and tunnel is down after 10 minutes, if no traffic, it's good.But, I have Br03 and Br04, they always talk each others, so Spoke-Spoke tunnel will not down after 10 minutes (it's correct). I set Lifetime phase 1 :1days and Lifetime phase 2: 12 Hours. And I saw trouble here: - After 1 days. spoke-spoke  tunnel between Br03 and Br04 is re-established but it has trouble, I saw in logs, it's stucked at action: delete_phase1_sa , around 5 minutes.  And after around 5 minutes, tunnel  spoke - spoke is not iusse, it working fine. And I saw log, after 5 minutes, Sopke-spoke only down. During 5 minutes, the trouble make loss connection between Br03-Br04. My connections: each BR has 2 ISP lines, BR03 tunnel of ISP1 connect to BR04 tunnel of ISP1, same: BR03 ISP2 <--> BR04 ISP2 , using IKEv2, and  all Firewall FGTs are using FortiOS 7.4.4. Actually, I still don't understand what is wrong? Hope get suggestion , thanks so much !

kaman · Answer

Hi tungnx59,The deletion of the Phase 1 SA is part of the rekeying process. The log message confirms that the VPN tunnel’s existing SA has been removed to allow a new SA to be negotiated. This is a common practice in IPsec VPNs to refresh encryption keys or when SA lifetimes expire. The FortiGate continues to manage traffic while ensuring that the negotiation of a new SA does not interrupt the VPN connection.Please refer to the below document for more information:https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-IPsec-Phase1-SA-Deleted-Log-Message/ta-p/347470

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded