andybarker
Explorer
January 22, 2024
Question

FortiOS 7.4.2 Bug Causes IPsec VPN Tunnel Phase 2 Instability

  • January 22, 2024
  • 28 replies
  • 69828 views

I have had many site-to-site IPsec tunnels working fine for several years until I upgraded to FortiOS 7.4.2. Shortly afterward, my tunnels began dropping connections on random Phase 2 connections. I have had to bring down the phases or entire tunnel to get traffic flowing again many times. I opened a ticket with Fortinet and had three technicians working with me at various times but none found a solution.

I finally downgraded to 7.4.1 and all my problems went away. There is obviously a bug in 7.4.2 and I hope Fortinet finds and acknowledges it and fixes it for the next release.

28 replies

minheplus
New Member
April 21, 2024

Same problem here after upgrading from 7.4.1 to 7.4.3 (build 2573) on 401F! When will the next version for 7.4 be available?

BillH_FTNT
Staff
April 21, 2024

Hi @minheplus,

What is your error output? Can you share it here?

panixx
Visitor III
May 1, 2024

What's the latest on this issue? I keep getting bugged to upgrade to 7.4.3 but that's not happening until the site-to-site IPsec issue is resolved. Running a 200F here.

Magnitude_8
Explorer
May 3, 2024

The bug still exists in 7.4.3 and it is my understanding that it will be fixed in 7.4.4 which should be released in the next couple weeks. This issue has Bug ID 1003830 and a workaround is provided in the release notes. Known issues | FortiGate / FortiOS 7.4.3 | Fortinet Document Library

panixx
Visitor III
May 16, 2024

7.4.4 has been released and it looks as though this issue still has not been resolved. Known issues still seems to state to use the workaround.

Just trying to keep this post updated.

Brustolin
Explorer
June 19, 2024

I also updated to 7.4.4 and still have the same problem.
But we have the problem with many other things besides IPsec.

Sandoval
New Member
August 7, 2024

Update 7.6.0 is available. Has anyone updated to it yet? In the documentation they reported that they resolved the bug.

1003830: IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform.

Hendrik
New Member
August 20, 2024

Cluster update to 7.6.0 last week - since then short interruption for all services (HTTP, SMTP, SSH, ...) behind simple firewall rules. After reboot of one device - HA out of sync with problems in read-only profiles.

Support Ticket note: 7.6 is a point zero release, which we do not recommend for production environments. I suggest considering a rollback to the previously working version.

After downgrade to 7.4.4 everything went back to "normal" - with the known issues :(

From my point of view 7.6.0 is unusable.

Kangming
Staff
August 21, 2024

Please try the latest 7.2.9GA and 7.4.4GA, which should include this fix (bug ID #950445). 7.0.16GA will include this bug in the next release; currently, 7.0.15GA still has the problem.

montie_pl
New Member
October 22, 2024

Hey. Does version 7.4.5 (Mature) have the same problem? I'm still sitting on 7.4.1 and I'm wondering whether to upgrade to the newer one.

Best regards.

pfit
Visitor III
October 22, 2024

I haven't been able to move to 7.4.5 because it breaks my Duo RADIUS 2FA.

aguerriero
Explorer
October 22, 2024

I got hit with that on 7.2.10, but was able to update the FortiAuthenticator to 6.6.2, which supports the message authenticator AVP.

Duo just released 6.4.2 yesterday and you can add the message authenticator to Duo now.

Forti-Wizard
Visitor III
December 19, 2024

I have the same problem on 7.4.5, but with only a single phase 2 selector. All other phase 2 selectors are okay. The issue does not occur if I uncheck "Auto-negotiate" on the phase 2 connector.

OLiH
Explorer
December 19, 2024

Same here. The issue is *NOT* fixed. The issue happens infrequently on the phase 2 that has the largest amount of traffic.