viskanmai
New Member
December 26, 2025
Question

IPSec issues on 7.4.9

  • December 26, 2025
  • 1 reply
  • 1102 views

Hi All,

Has anyone noticed issues with IPsec site-to-site tunnels on 7.4.9?

We have one vendor who had been working fine before we upgraded a couple of weeks back to version 7.4.9 on our Azure FG. Oddly enough, our one firewall in the HQ location, which is still on 7.2.12, works fine.

When comparing the two tunnels from the Azure FG and the HQ FG by pinging the vendor, I noticed the HQ doesn't lose pings at all, whereas the one in Azure will intermittently lose pings and then come back on its own.

VPN settings for both FGs are the same along with vendor side.

Has anyone run into this so far? Any workarounds?

Happy Holidays All!

1 reply

kaman
Staff
December 28, 2025

Hi viskanmai,

If IPsec is being used in a public cloud environment (Azure, AWS), check the DoS policy and the anomaly log, as slow throughput can be caused by UDP 4500/500 drops. Change the threshold value or disable the anomaly or the DoS policy to fix this.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ensuring-IPsec-traffic-is-offloaded-for-improved/ta-p/193493


If IPsec is configured on a hardware device, please verify whether there are any IPsec NPU drops. If so, disable the NPU under the IPsec tunnel and then check the behaviour:

diagnose npu np6 dce 0
diagnose npu np6 dce 1


Test by disabling NPU offloading under the IPsec phase1 tunnel and check the behaviour:

config vpn ipsec phase1-interface
edit <phase1-name>
set npu-offload disable
end


https://docs.fortinet.com/document/fortigate/7.6.4/hardware-acceleration/636026/disabling-np-offloading-for-individual-ipsec-vpn-phase-1s


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman
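To make the first check in the reply above concrete, here is an added example (not from the original post, and not Fortinet's own tooling) that scans FortiGate anomaly log lines for DoS events hitting UDP/500 and UDP/4500, the IKE and NAT-T ports an IPsec tunnel depends on. The log lines are constructed samples; the field names and action values used (`type="anomaly"`, `attack`, `action="clear_session"` versus `action="detected"`) follow the FortiGate key=value log format as I understand it and are assumptions to be checked against your own anomaly logs.

```python
"""Scan FortiGate anomaly (DoS) log lines for drops that hit IPsec ports.

Added example for this thread. The sample log lines below are constructed
to resemble the FortiGate key=value log format; they are not real logs.
"""
import re
from collections import Counter

# IKE uses UDP/500; IKE and ESP behind NAT (NAT-T) use UDP/4500.
IPSEC_UDP_PORTS = {500, 4500}
PROTO_UDP = 17

# Constructed sample log lines (assumed field names, not real events).
SAMPLE_LOGS = """\
date=2025-12-26 time=10:15:01 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" srcip=203.0.113.10 dstip=198.51.100.5 srcport=4500 dstport=4500 proto=17 attack="udp_flood" action="clear_session" severity="critical" count=2100
date=2025-12-26 time=10:15:01 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" srcip=203.0.113.10 dstip=198.51.100.5 srcport=500 dstport=500 proto=17 attack="udp_flood" action="clear_session" severity="critical" count=150
date=2025-12-26 time=10:16:30 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" srcip=192.0.2.77 dstip=198.51.100.5 srcport=53211 dstport=443 proto=6 attack="tcp_syn_flood" action="clear_session" severity="critical" count=3000
date=2025-12-26 time=10:17:00 logid="0720018432" type="anomaly" subtype="anomaly" level="alert" srcip=203.0.113.10 dstip=198.51.100.5 srcport=4500 dstport=4500 proto=17 attack="udp_flood" action="detected" severity="critical" count=2500
date=2025-12-26 time=10:18:00 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=10.0.0.5 dstip=10.1.0.9 srcport=40000 dstport=22 proto=6 action="accept"
"""

# key=value pairs; values may be quoted (with spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def ipsec_anomaly_events(log_text):
    """Return anomaly events whose UDP traffic touches port 500 or 4500."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("type") != "anomaly":
            continue  # traffic/event logs are not DoS sensor verdicts
        try:
            proto = int(ev.get("proto", -1))
            ports = {int(ev.get("srcport", -1)), int(ev.get("dstport", -1))}
        except ValueError:
            continue  # malformed numeric field; skip rather than crash
        if proto == PROTO_UDP and ports & IPSEC_UDP_PORTS:
            hits.append(ev)
    return hits


def summarize(events):
    """Count matching events per (peer address, anomaly name, action)."""
    summary = Counter()
    for ev in events:
        summary[(ev.get("srcip"), ev.get("attack"), ev.get("action"))] += 1
    return summary


def blocking_peers(events):
    """Peers whose IKE/NAT-T traffic the DoS sensor actually acted on.

    Assumption: "detected" means log-only; anything else (for example
    "clear_session") means the sensor interfered with the flow.
    """
    return sorted({ev.get("srcip") for ev in events if ev.get("action") != "detected"})


if __name__ == "__main__":
    events = ipsec_anomaly_events(SAMPLE_LOGS)
    for (peer, attack, action), n in sorted(summarize(events).items()):
        print(f"{peer:16} {attack:16} {action:14} {n} event(s)")
    print("peers with dropped IKE/NAT-T sessions:", blocking_peers(events))
```

A peer that shows up in `blocking_peers` is one for which the DoS sensor cleared sessions on IKE or NAT-T traffic; that is the situation where raising the `udp_flood` threshold or excluding the VPN peer from the DoS policy, as the reply suggests, would be expected to stop the intermittent loss. Log-only events explain nothing by themselves and should not trigger a policy change.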

 

New Member
June 2, 2026

Thanks for sharing these troubleshooting steps and helpful references, Aman.