techonenl
New Member
July 14, 2022
Question

IPSEC tunnel breaks when HA fails over

  • July 14, 2022
  • 4 replies
  • 3517 views

Hello,

 

We are experiencing an issue with 2 FortiGate clusters in the same datacenter.

We have a FortiGate 100F cluster in Active-Passive with an IPsec tunnel towards a FortiGate 60F cluster in Active-Passive.

 

Both are running the 6.4.9 firmware.

When the 100F cluster is running on the primary, traffic passes along the IPsec tunnel fine.

As soon as I fail over the 100F cluster to the passive firewall, traffic stops passing (in both directions) along the tunnel. When I fail over the 60F firewalls, this issue does NOT occur, and traffic keeps on passing.

 

The HA setup is the same, except that the 100F cluster runs VDOMs (the IPsec tunnel is NOT in the root VDOM) and the 60F cluster does NOT.

 

Has anyone seen this before and has a solution?

This issue does NOT occur when we fail over the 60F cluster.

4 replies

AEK
SuperUser
July 14, 2022

Did you try to enable "session pickup" in HA config?

Well I'm not certain this will fix it but it's worth a try.

AEK
techonenl (Author)
New Member
July 14, 2022

Hi,

 

Yes, this feature has been enabled.

I have also enabled the "set ha-sync-esp-seqno enable" feature on the 100F cluster.

 

The strange part is: it only breaks when failing over the 100F cluster.

When failing over the 60F cluster, everything keeps working fine.

 

I have also tried flushing the VPN tunnel after the failover; that doesn't help either.

 

Regards,

pacionet
New Member
December 25, 2025

Same problem.

Did you find any solutions?

 

Thanks

AEK
SuperUser
January 7, 2026

Which firmware version?

AEK
pacionet
New Member
January 8, 2026

Both 7.4.9

Andy_Kash
New Member
January 31, 2026

Hi, I know it is an old message, but I had the same issue. The problem is related to the Phase 2 setting "set replay enable", which should be disabled. When replay is enabled it tracks sequence numbers on the receiving end, but when an HA failover happens the sequence number changes, and as a result the receiving end rejects the ESP traffic.
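The mechanism in the reply above, as an added example that is not part of this thread and not FortiGate code: a small Python model of the receiver-side ESP anti-replay window from RFC 4303 (Appendix A, 32-bit sequence numbers, no ESN), driven through an HA failover. The assumptions are a 64-packet window, that the new active unit's ESP counter restarts from 0 when sequence numbers were not synchronized (the precise value it starts from on a real FortiGate is not stated in the thread), and the mapping of the two knobs onto FortiOS options: Phase 2 "set replay enable/disable" is the receiver's check, and "set ha-sync-esp-seqno enable" under "config system ha" is what keeps the sender's counter continuous across a failover. The model also covers the case the thread does not spell out: with replay on and no sync, the tunnel recovers on its own only once the new unit's counter climbs past the highest sequence number the peer has already seen.

```python
"""Model of RFC 4303 ESP anti-replay across an HA failover (added example).

Not FortiGate code. Shows why a peer with replay protection enabled drops ESP
after the sender's HA peer takes over with an unsynchronized sequence counter,
and why either syncing the counter (FortiOS ha-sync-esp-seqno) or disabling
replay protection (Phase 2 "set replay disable") avoids the outage.
"""


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound SA (RFC 4303 App. A).

    top    : highest sequence number accepted so far
    bitmap : bit i set means sequence number (top - i) was already received
    """

    def __init__(self, size=64, enabled=True):
        self.size = size
        self.enabled = enabled
        self.top = 0
        self.bitmap = 0

    def receive(self, seq):
        """Return True if an ESP packet with this sequence number is accepted."""
        if not self.enabled:
            return True                 # replay disabled: no check at all
        if seq == 0:
            return False                # sequence number 0 is never valid
        if seq > self.top:
            shift = seq - self.top      # slide the window forward
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1         # jumped past the whole window
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                # older than the window: dropped
        if self.bitmap & (1 << diff):
            return False                # already seen: replay, dropped
        self.bitmap |= 1 << diff
        return True


class Sender:
    """Outbound ESP sequence counter of one HA member (assumption: starts at 0)."""

    def __init__(self, seq=0):
        self.seq = seq

    def next(self):
        self.seq += 1
        return self.seq


def simulate(replay_enabled, sync_seqno, before=1000, after=10):
    """Send `before` packets from the primary, fail over, then send `after`
    packets from the new primary. Returns how many post-failover packets the
    peer accepts."""
    rx = AntiReplayWindow(enabled=replay_enabled)
    primary = Sender()
    for _ in range(before):
        rx.receive(primary.next())
    # HA failover: the secondary becomes active. With ESP seqno sync it
    # continues the counter; without it, this model assumes it restarts at 0.
    secondary = Sender(primary.seq if sync_seqno else 0)
    return sum(rx.receive(secondary.next()) for _ in range(after))


def packets_until_recovery(before=1000):
    """With replay on and no sync, packets the new unit must send before the
    peer accepts one again (it has to climb past the old unit's highest seq)."""
    return before + 1


if __name__ == "__main__":
    for replay, sync in [(True, False), (True, True), (False, False)]:
        print(f"replay={replay} ha-sync-esp-seqno={sync}: "
              f"{simulate(replay, sync)}/10 packets accepted after failover")
    print(f"self-recovery without sync after {packets_until_recovery()} packets")
```

The model makes the trade-off explicit: disabling replay protection makes the failover transparent but removes the receiver's defence against replayed ESP packets, whereas synchronizing the sequence counter keeps that defence and still survives the failover. If the sync option is already enabled and traffic still stops, as in the original post, the thing to confirm is that the counter is actually continuing on the new active unit for the SA in question, rather than reaching for "set replay disable" first.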