Skip to main content
ctyctyctctcty
ctyctyctctcty
New Member
November 4, 2024
Question

ADVPN Tunnel Packet Loss Issues

  • November 4, 2024
  • 4 replies
  • 2919 views

Hey everyone,

I'm working with a FortiGate 40F setup, using an ADVPN with IPsec to connect 1 hub and 2 spokes. For routing internal traffic through the ADVPN tunnel, I'm relying on SD-WAN rules and SLA checks.

Just to add some context, I'm using my ISP’s WAN interface as the ADVPN tunnel interface, and it’s set up to get an IPv6 address from FortiGuard. That part is working smoothly—no issues with IPv6 or IPv4 internet connectivity at all.

The problem:I’m experiencing a consistent packet loss between 30% and 70% on the ADVPN tunnel interfaces, as indicated by the SD-WAN SLA ping checks. This packet loss is specific to the ADVPN tunnel interfaces, while other connections seem unaffected.

What I have tried out:
MTU adjustments (to 1380) ~~not working
Enabled FEC on one of the device ~~not working

Are there anything else i should try? I’d really appreciate any insights or advice!
image.png




4 replies

Umer221
Staff
Umer221
Staff
November 4, 2024

Hello @ctyctyctctcty 

Try running a sniffer on the source and destination side to see where the loss is occurring.

dia sniffer packet "host x.x.x.x and icmp" 4 0 l

 

Try using the above command, where x.x.x.x is the source IP address that you have on performance SLA. Run the sniffer command on the source as well as on destination FortiGate if both sides are FortiGate.
Check if one side is sending and other side is not receiving or other side receives but the returning traffic is not reaching the original source?

ctyctyctctcty
ctyctyctctctyAuthor
New Member
November 5, 2024

Hello @Umer221 

I checked the VPN event logs on the hub, and it looks like whenever one tunnel (like to Spoke-A) connects, the other tunnel (to Spoke-B) disconnects. This keeps happening back and forth, so only one tunnel is active at any time, which is causing around 50% packet loss.

Phase 1 seems fine, but something seems off with Phase 2. I’ve attached a screenshot showing this pattern in the logs. Here’s the current Phase 2 config on all three devices:

 

set phase1name "xxxxxx"

set proposal aes128-sha256
set keepalive enable

Could you give me some suggestions about this?

Thank you!

image.pngimage.png

Umer221
Staff
Umer221
Staff
November 6, 2024

Thank you for responding @ctyctyctctcty,

 

Could you check how the destination is responding configured in the Performance SLA? How SD-WAN is configured and what are the priorities.

 

The Phase 1 setup seems stable, but Phase 2 is where the problem arises.


This issue requires detailed analysis. I would recommend reaching out to TAC support for in-depth troubleshooting, as this issue requires in depth troubleshooting.

ctyctyctctcty
ctyctyctctctyAuthor
New Member
November 11, 2024

@Umer221 
Disabling the add-route option in the VPN configuration resolved the issue.
Thank you for your guidance.

    Terms & ConditionsAccessibility statement