TrippB
New Member
November 16, 2020
Question

IPSEC Tunnel Auto Restart

  • November 16, 2020
  • 1 reply
  • 12509 views

One of my customers is running an IPSEC tunnel between their FG and a vendor's system. I do not know what the remote side is running. Starting last week, the tunnel has been dropping for unknown reasons. Neither of us shows a reason in our logs. I haven't gotten beyond tier 1 on their end but that person chats with 2 or 3. It was a worthless call. Our side simply reports phase 2 down. It may come back up on its own within a few hours or it may stay down until one of us restarts it. After the phase 2 down message, there are no failure messages between there and the restart. I suspect Spectrum may be having issues and causing the drop but can't prove anything yet. All I have to do is hit bring up and it immediately comes back up. There's no issue to troubleshoot. But here's what I really need: Why doesn't the tunnel immediately try to come back up on its own? How do I get it to begin to renegotiate as soon as it detects it went down? I'm running 5.6.13.

    1 reply

    Michael01
    New Member
    November 16, 2020

    Hello,


    You need to set the auto negotiation in phase 2 to bring up the vpn connection automatically.


    For your reference:


    https://kb.fortinet.com/k...nk.do?externalID=12069


    Thanks


    TrippB (Author)
    New Member
    November 17, 2020

    After typing 'end' in that command set, I get the following:


    node_check_object fail! for phase1name is empty.
    Attribute 'phase1name' MUST be set.
    Command fail. Return code -56


    I haven't found exactly how I'm supposed to get the phase 1 name in this config.

    If I do:

       config vpn ipsec phase2
           edit myPhase2Name
               set phase1name myPhase1Name

    I'm greeted by the following:

    entry not found in datasource
    value parse error before 'myPhase1Name'
    Command fail. Return code -3


    I'm assuming the phase 1 name is the same as the VPN name in the GUI. 


    boneyard
    Valued Contributor
    November 18, 2020

    You probably want to start with

    config vpn ipsec phase2-interface

    so add -interface.

    If you aren't using interface-based VPNs, try looking at using those; they are the default and work fine in almost all cases.
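The thread's two suggestions (auto-negotiation on the phase 2, and using the phase2-interface table rather than phase2) put together as one FortiOS 5.6 CLI sequence. This is an added example, not configuration posted by anyone in the thread or taken from the Fortinet KB article linked above. The names "vendor-vpn" and "vendor-vpn-p2" are placeholders for the tunnel (phase 1) and phase 2 entry names; the dead peer detection step and its interval values are my addition so that a peer that silently goes away is detected before the SA lifetime expires.

```fortios
# Added example, not from this thread. Names are placeholders: replace
# "vendor-vpn" with the tunnel name shown in the GUI (that is the
# phase1-interface entry name) and "vendor-vpn-p2" with the phase 2 entry name.

# 1. List the existing phase 1 entries. The phase1name set below must match one
#    of these exactly, otherwise the CLI answers "entry not found in datasource".
show vpn ipsec phase1-interface

# 2. Dead peer detection on the phase 1, so the FortiGate notices a dead peer
#    instead of waiting for the SA to time out. Interval and count are example values.
config vpn ipsec phase1-interface
    edit "vendor-vpn"
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end

# 3. Phase 2 goes in the phase2-interface table. The plain phase2 table is for
#    policy-based VPNs and only accepts phase 1 names from the phase1 table,
#    which is why "set phase1name" failed in the post above.
#    auto-negotiate brings the SA up without waiting for traffic and re-negotiates
#    it as soon as it is torn down; keepalive keeps the SA from idling out.
config vpn ipsec phase2-interface
    edit "vendor-vpn-p2"
        set phase1name "vendor-vpn"
        set auto-negotiate enable
        set keepalive enable
    next
end

# 4. Check: the tunnel should report up, and after a drop the SA should
#    reappear on its own without anyone clicking "Bring Up".
diagnose vpn tunnel list name "vendor-vpn"
```

If the tunnel was created in the GUI, the name shown there is the phase1-interface entry name, which is what the poster guessed; the phase 2 entry has its own name, visible in the Phase 2 Selectors section of the same GUI page or in the output of `show vpn ipsec phase2-interface`.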