Fortigate Redundant IPSEC Slow Failover Time

Question

Hello All,

I am currently trying to configure redundant IPSEC Tunnels between 2 Fortigate Units (a 60E and a 50E), with each site having 2 ISPs each.

While I have successfully configured the redundant tunnels, the times between failovers are very long.

If I'm running a ping from one end to the other and I disable the primary interface on one Fortigate unit, it will take about 90 seconds (15-16 timed out requests) before the Fortigates decide to use the secondary/tertiary routes. Reverting to the primary tunnel when the primary interfaces are up however are all very fast -- only about 5 seconds or 1 timed out request long.

Is there anything I can configure via the command line or something to speed up the failover process?

I have followed the following guides without success:

http://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf

http://kb.fortinet.com/kb...f&documentID=10684

Thank you very much!

Edit: I have tried this with 5.4.3 and 5.4.4 with similar results.

neonbit · Answer

Hi mda, I've seen this happen due to the default DPD timers in 5.4 being so high. The default timers when you create a interface based VPN are as follow:

dpd-retrycount : 3

dpd-retryinterval : 20

So the FGT will send a DPD packet every 20 seconds, and if three fail it will failover (so 60 seconds in total).

I'd recommend changing these timers to something more suitable for your environment. The CLI commands below will cause it to fail-over after 9 seconds:

config vpn ipsec phase1-interface

edit <vpn name>

set dpd-retrycount 3

set dpd-retryinterval 3

end

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded