IPsec Phase 2 time-out?

Forum|Forum|5 years ago
July 22, 2020
1 reply
12897 views

Hi guys,

I have a strange problem with an IPsec between two Fortigates. Maybe someone could help me out :)

I have IPSec is running between two locations A-B. All of the settings like encryption, key life etc are on both sides the same

What happens is that after a while there is no traffic possible from A to B en from B to A

When I look in to the Fortigates the tunnel is on both sides up while no traffic can be send. It's like the tunnel is not up but the Fortigate shows something different.... Anyway to get everything work again the only thing that I have do is to uncheck Auto-negotiate in P2 click OK than check Auto-negotiate again click OK and everything is working fine again for a while..

Someone any idea? It's driving me nuts!

emnoc

New Member

two things comes to mind

1> is DPD being used if not enable it

2> set the phase2 KeepAlives on each phase-2 setting

e.g

config vpn ipsec phase2-interface

edit <ph2-name>

set keepalive enable

Ken Felix

DeftoneAuthor

New Member

Hi Ken,

Both DPD and keep alive are enabled on both ends.

emnoc

New Member

Did you check from cli? That gui screenshot does not show anything related to the question. Go into the cli and issue

show vpn ipsec phase2-interface | grep -f keepalive

Anything showing up as "disable" toggle it to "enable"

For dpd look at "diag vpn ike gateway" and the dpd counters if any? for the name ike gateway? Also check via cli

show vpn ipsec phase1-interface | grep -f dpd

Ken Felix

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded