FortiOS 7.4.2 Bug Causes IPsec VPN Tunnel Phase 2 Instability

Hi andybarker,

Please help to share more details about your network and device. What is your device version?  What kind of traffic is in your VPN tunnel? if it is okay for you, pls share the ticket number we can access to take a look at your configuration. Thanks

Regards

Bill

Hi andybarker, hi Bill,

i experienced the exact same behaviour on an FG101F running OS 7.4.2 talking to a Sophos appliance. To restart data flow if have to bring down the stalled Phase2 tunnel manually (!); tunnel restarts automatically.

The FG didnt recognized the stopped data flow by itself; there is no automatic detection/restart and the subtunnel is shown as green until manual stop.

We have 5 Phase2 tunnels active at that connection, only the most used one stops working from time to time. The duration between the stops vary from a minute to serveral hours.

Same behaviour have been seen (but only a few times) on an other ipsec tunnel talking to an FG60E (OS 7.0.13)

regards

Michael

@andybarker, could you please share your Fortinet Case number to get more information?

Thank you. 

Good Morning,
any news to this case?

Regards,

We have the same problem.
I upgraded all Fortigate (61F) to 7.4.2 firmware, except one. The latter (101F) remained on version 6.4.14.
All are communicating with one starpoint (VM1).
At this time, only 6.4.14 could establish a stable IPSec site-to-site connection with the star point. All the others dropped the connection at various times or failed to establish it.
A downgrade to 7.4.1 solved the problem, but the star point remained 7.4.2, and so now everything works fine.
But because of the SSLVPN vulnerability, it would be urgent to upgrade to 7.4.3, which would probably cause problems again with IPSec site-to-site connections.
What could be the solution?

Had the same issue - cluster of 200F 7.4.2 A/P to FGT 100F 7.4.1,  - IPSec tunnels stop transferring data, tunnel by all indicators stayed up but no data entered the tunnel, flushing IPSec SAs solved issue each time. Usual debug showed no problem. Temporarily "solved" by creating Automation stitch to flush/refresh problematic tunnels daily, until client rolled back to 7.4.1 on FGT200F. Now is the same dilemma - upgrade to 7.4.3 to fix SSL VPN vulnerability and suffer IPSec downs or roll back all the way to 7.0.14. 

Same here. Disabling Anti-Replay did not fix the issue. Downgrade to 7.4.1 did. Defo an issue with 7.4.2, most probably not fixed in 7.4.3. Fortinet support seem to count on one of us to test.

Orestis suggest that we upgrade and trigger the issue to be able to get logs. I am not keen, we need the tunnels UP. Any volunteer?

The next suggestion is to wait for next version.

I do not feel like we are getting support, especially since it is not still acknowledged it is a bug......

Here is the answer:

    Hello team

I followed up with the suggested link but without logs I cannot open an engineering report or confirm that this is a bug

I believe that you facing a problem but if we cannot investigate further we cannot specify what the issue is

in this case either create a maintenance window and update and provide us the logs to investigate or wait for the next version

Best regards
Orestis

I cannot spend any more time helping Fortinet Support troubleshoot this issue. I gave them five days of my time and many logs, remote sessions, etc. The first two technicians changed how my IPsec VPNs operated, and the third tech said the changes they made were wrong and needed to be reversed to the original settings. None of the changes they made helped at all.

I will be waiting to see if they admit it is a bug and say it is fixed.

Hi  andybarker,

Can you share the output of this command?

#get sys status

License Status: Low-Encryption(LENC) ----------------------->

---> FortiOS: 7.4.2

If you match this result, may have matched a known bug.