Skip to main content
kerlerom44
kerlerom44
New Member
September 4, 2025
Question

Fortigate 60F/40F IPsec tunnels instability behind an ISP box (with NAT-T)

  • September 4, 2025
  • 3 replies
  • 704 views

Several IPsec "tunnel-down" per day :

FGT ===VPN IPsec tunnel=== ISP box (SFR operator) ==fiber access==> Internet

 

(also many DPD_failure or ESP_error) : reduced by modifying tunnel parameters :

NAT-T = forced, DPD = OnIdle, retry=6, intv=45s

- no way to customize MTU at tunnel level (FGT GUI)

Anyway there are still many "tunnel-down" per day (re-established automatically after:

tunnel up). Many LAN users get network outages (Teams, Outlook etc...)

 

- ISP box in NAT traversal mode (ESP encapsulated in UDP 4500)

- Many sites are impacted. build = v7.2.11 firmware

 

Support ticket is opened at SFR operator side (SFR box or backbone ?)

Could it be a known firmware or configuration issue/bug at Fortinat side ?

 

Thanks

3 replies

Anthony_E
Staff
Anthony_E
Staff
September 8, 2025

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
September 10, 2025

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

Thanks,

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
Jean-Philippe_P
Staff & Editor
September 11, 2025

Hello kerlerom44,

 

I found this solution. Can you tell me if it helps, please?

 

Based on the provided context, here are some steps and considerations to address the frequent IPsec tunnel-down issues:

 

  1. MTU Size: Although you mentioned the inability to customize MTU at the tunnel level via the GUI, you can check and adjust the MTU size using CLI commands. Ensure that the MTU size is appropriate for the overhead introduced by IPsec.

  2. DPD and NAT-T Settings: You have already adjusted the DPD and NAT-T settings. Ensure that these settings are consistent across all devices involved in the VPN connection.

  3. ISP and NAT Traversal: Since the ISP box is in NAT traversal mode, ensure that port forwarding for UDP ports 500 and 4500 is correctly configured on the ISP box.

  4. Firmware Version: You are using firmware version 7.2.11. Check the release notes for this version to see if there are any known issues related to IPsec VPNs. The context provided does not list specific issues for version 7.2.11, but it is worth verifying with the latest release notes or Fortinet support.

  5. Monitoring and Logs: Use the `diagnose vpn tunnel list` command to monitor the tunnel status and gather more detailed logs. This can help identify patterns or specific triggers for the tunnel-down events.

  6. ISP Support: Since a support ticket is open with the ISP, continue to coordinate with them to rule out any issues on their side, such as NAT or backbone problems.

  7. Fortinet Support: If the issue persists, consider escalating the issue with Fortinet support for further analysis, especially if it might be related to a firmware bug or configuration issue.

 

By following these steps, you can systematically troubleshoot and potentially resolve the frequent tunnel-down issues.

Jean-Philippe - Fortinet Community Team
kerlerom44
kerlerom44Author
New Member
September 11, 2025

Hello Jean-Philippe_P,

 

Thank you for your reply.

Here is the status on my network/sdwan side :

(issue is still existing)

1. MTU size : I couldn't find the proper CLI commands (seems not available) in order to setup manually MTU at VPN level (or physical interface wan)

 

2. Quite difficult to find the proper timers but at least with 6/45 dpd_failure has gone

 

3. I don't have access to the ISP boxes (SFR property) : I guess port-forwarding works because tunnel established initially (unless the NAT-T or table inside ISP box flushes periodically or goes into timeout : who knows ?)

 

4. I will have a look on the latest official release note of firmware version of 40F/60F; but I'am waiting for a feedback from Fortinet support of my company

 

5. I'am waiting for a feedback from Fortinet support of my company (already provided some trace)

 

6. SFR operator : the most difficult part ! An expert Level4 is investigating. So far no root cause identified. (I connected a "witness" Fortigate40F behind an Orange LiveBox and my tunnels are 100% stable since one week ! (but without any trafic from LAN side)).

I'am afraid that the "Grand Public" SFR ISP boxes installed (FTTH access) are not reliable enough to allow endless IPSec tunneling (I might be wrong)

 

7. Ticket opened also at SFR/Fortinet side

 

Kind Regards,

 

    Jean-Philippe_P
    Staff & Editor
    Jean-Philippe_P
    Staff & Editor
    September 11, 2025

    Here is what I found on your issue still existing:

     

    To address the issues you're facing with IPsec VPN and SD-WAN, consider the following steps:

     

    1. Adjusting MTU Size:
      - To manually set the MTU on a VPN interface, use the following CLI commands:
      config system interface
      edit <vpn-interface-name>
      set mtu-override enable
      set mtu <desired-mtu-value>
      end

      - For a physical WAN interface, use: 
      config system interface
      edit <wan-interface-name>
      set mtu-override enable
      set mtu <desired-mtu-value>
      end

    2. DPD and NAT-T: Ensure that Dead Peer Detection (DPD) and NAT Traversal (NAT-T) settings are consistent and optimized for your network environment.

    3. ISP Box Configuration: Since you don't have access to the ISP boxes, coordinate with the ISP to ensure proper port forwarding and NAT settings. The periodic flushing or timeout of NAT tables could indeed affect tunnel stability.

    4. Firmware and Support:
      - Review the release notes for your specific FortiGate model and firmware version for any known issues or updates.
      - Continue to work with Fortinet support and provide them with detailed logs and traces for further analysis.

    5. ISP Investigation: Collaborate closely with the ISP's technical team to identify any potential issues with their equipment or network that could be affecting the VPN stability.

    6. Testing with Alternative ISPs: Your test with the Orange Livebox suggests that the issue might be related to the SFR ISP boxes. Consider testing with alternative ISPs if possible.

    7. Ongoing Communication: Keep communication open with both Fortinet and the ISP to ensure all parties are aligned and working towards a resolution.

     

    By following these steps and maintaining open communication with support teams, you can work towards identifying and resolving the root cause of the VPN instability.

    Jean-Philippe - Fortinet Community Team
    Terms & ConditionsAccessibility statement