IPsec S2S Tunnel Up but No Traffic Until Manual Restart (FortiGate 80F MikroTik)

Question

Hello,I have a Site-to-Site IPsec VPN between a Fortinet FortiGate 80F and a MikroTik router.Phase1 and Phase2 parameters match on both sides. The tunnel shows status = up, but no traffic passes until I manually restart the tunnel on the FortiGate.After restart:Traffic works normallySA counters increaseBoth directions pass trafficAfter some time, traffic stops again while:Phase1 remains upDPD status is OKNo config changes are madeIn diagnose vpn tunnel list, sometimes I see:proxyid_num=0 / child_num=0orasymmetric counters (only enc or only dec increasing)Is it possible for Phase1 to stay up while Phase2 becomes unusable?Could this be related to NPU offloading or replay protection?FortiOS version: 7.4.11Any guidance would be appreciated.#FortiGate

vinodhini · Answer

Generate some traffic over IPSEC vpn tunnel and collect the debug flow output

SSH session 1:

diagnose debug console timestamp enable
diagnose debug flow filter addr <destination-IP>
diagnose debug flow filter proto <1 or 17 or 6> (optional) where 1=ICMP, 6 = TCP, 17 = UDP…
diagnose debug flow show iprope enable
diagnose debug flow trace start 1000

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-site-to-site-tunnel/ta-p/195672

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded