RogerDingoDing
Visitor III
December 1, 2024
Question

IPSEC Tunnel intermittent drops to Azure connection

  • December 1, 2024
  • 1 reply
  • 4223 views

Hi,

We have an IPsec tunnel configured on our FortiGate FW which is linked to Azure.

This tunnel has intermittent connectivity dropouts and it's affecting production servers/users and what they are doing.

As far as I can tell, the phase 1 and phase 2 settings are correct at both ends.
This includes the pre-shared key, DPD, algorithms, Diffie-Hellman group, key lifetime for phase 1 and 2, and the PFS.

Based on the fact that the VPN is on for most of the time and the drops are intermittent, this would indicate that the settings are correct, otherwise the connection would not be established... am I correct in saying this?

I have noticed that we DO NOT have auto-negotiate or Autokey Keep Alive enabled on this tunnel. Not sure if this is required, but I've read some posts indicating that this is a useful feature to enable.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536

FortiGate details

FortiGate 1800F

v7.2.9 build 1688

The timestamps for these drops match up with what we are seeing on the Azure side.

This is what we're seeing on the FortiGate; in Azure we can see the VPN connection has gone down.

fortigate-vpnevents.jpg

How do we get more detailed information as to what is triggering the tunnel to go down? Or, as stated in the logs, the tunnel is renegotiating... what is causing this?

What's the best way to get more detailed information about this?

Question about DPD: what should this be configured as? We've been advised by a 3rd party that this should be set to on-idle.... Is on-demand the better option?

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Configuring-DPD-dead-peer-detection-on-IPsec-VPN/ta-p/192616

Any suggestions/advice will be greatly appreciated!

Cheers
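Added example, not from the original post or from Fortinet: one practical way to narrow down "what is triggering the renegotiation" is to pull the tunnel-down/tunnel-up events for the Azure tunnel out of the FortiGate event log and check whether the gap between consecutive drops lines up with a key lifetime configured on either peer (a drop that recurs at exactly one side's SA lifetime points at a rekey mismatch; an irregular drop with a long outage points more at DPD or path problems). The script below parses constructed sample log lines in FortiGate's key=value event-log layout; the field names used (date, time, action, vpntunnel, msg), the tunnel name, the timestamps and the lifetime values are all assumptions for illustration, not values taken from the post.

```python
"""Correlate IPsec tunnel drops in a FortiGate event log with configured key lifetimes."""
import re
from datetime import datetime

# Constructed sample log lines (not from the original post). The key=value layout
# follows FortiGate event logs; field names and values here are assumed. The
# AzureVPN drops are spaced exactly 27000 s apart to show a lifetime match.
SAMPLE_LOG = """\
date=2024-11-29 time=08:03:12 type="event" subtype="vpn" action="tunnel-down" vpntunnel="AzureVPN" msg="IPsec connection status changed"
date=2024-11-29 time=08:03:15 type="event" subtype="vpn" action="negotiate" vpntunnel="AzureVPN" msg="IPsec phase 2 status change"
date=2024-11-29 time=08:03:15 type="event" subtype="vpn" action="tunnel-up" vpntunnel="AzureVPN" msg="IPsec connection status changed"
date=2024-11-29 time=11:40:02 type="event" subtype="vpn" action="negotiate" vpntunnel="SiteB" msg="IPsec phase 2 status change"
date=2024-11-29 time=15:33:12 type="event" subtype="vpn" action="tunnel-down" vpntunnel="AzureVPN" msg="IPsec connection status changed"
date=2024-11-29 time=15:33:16 type="event" subtype="vpn" action="tunnel-up" vpntunnel="AzureVPN" msg="IPsec connection status changed"
date=2024-11-29 time=23:03:12 type="event" subtype="vpn" action="tunnel-down" vpntunnel="AzureVPN" msg="IPsec connection status changed"
date=2024-11-29 time=23:03:13 type="event" subtype="vpn" action="tunnel-up" vpntunnel="AzureVPN" msg="IPsec connection status changed"
"""

# Assumed lifetimes to compare against; replace with the values actually configured
# on both peers. These numbers are illustrative, not the poster's configuration.
LIFETIMES = {"fortigate_phase1": 86400, "fortigate_phase2": 43200, "peer_ipsec_sa": 27000}

# key=value where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_events(log_text):
    """Parse key=value log lines into dicts, adding a datetime under 'ts'."""
    events = []
    for line in log_text.splitlines():
        fields = {}
        for m in KV_RE.finditer(line):
            fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        if "date" not in fields or "time" not in fields:
            continue  # not an event line we can timestamp
        fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def drop_times(events, tunnel):
    """Sorted timestamps of tunnel-down events for one tunnel."""
    return sorted(e["ts"] for e in events
                  if e.get("vpntunnel") == tunnel and e.get("action") == "tunnel-down")


def drop_intervals(events, tunnel):
    """Seconds between consecutive drops; a constant value hints at a rekey-driven drop."""
    ts = drop_times(events, tunnel)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


def lifetime_matches(intervals, lifetimes, tolerance=60):
    """For each named lifetime, count the drop intervals within `tolerance` seconds of it."""
    return {name: sum(1 for i in intervals if abs(i - secs) <= tolerance)
            for name, secs in lifetimes.items()}


def outage_durations(events, tunnel):
    """Seconds from each tunnel-down to the next tunnel-up on the same tunnel.

    Sub-minute outages look like a rekey hiccup; long ones look like DPD declaring
    the peer dead or a real path outage.
    """
    seq = sorted((e["ts"], e["action"]) for e in events
                 if e.get("vpntunnel") == tunnel and e.get("action") in ("tunnel-down", "tunnel-up"))
    out, down_at = [], None
    for ts, action in seq:
        if action == "tunnel-down" and down_at is None:
            down_at = ts
        elif action == "tunnel-up" and down_at is not None:
            out.append(int((ts - down_at).total_seconds()))
            down_at = None
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    gaps = drop_intervals(ev, "AzureVPN")
    print("drop intervals (s):", gaps)
    print("outage durations (s):", outage_durations(ev, "AzureVPN"))
    print("intervals matching a configured lifetime:", lifetime_matches(gaps, LIFETIMES))
```

On the constructed input the two drop intervals are both 27000 s, which matches only the assumed peer-side IPsec SA lifetime and none of the FortiGate-side values, and each outage lasts a few seconds; that pattern is what a lifetime mismatch between the two peers tends to look like in the log, whereas drops at irregular times with long outages are worth chasing with DPD and path diagnostics instead. Feed it a real log export (from the FortiGate log viewer or a syslog collector) and the actual lifetimes from both sides.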


    sjoshi
    Staff
    December 1, 2024

    Hi,

    Can you please try disabling the NPU and check the status?

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ensuring-IPSec-traffic-is-offloaded-for-improved/ta-p/193493

    Recommended to do in off hours, as disabling the NPU will flap the tunnel.

    Salon Raj Joshi | #NSE8-003459
    RogerDingoDing
    Visitor III
    December 1, 2024

    Hey,

    So I've checked the NPU setting as instructed in the article.

    When I run

    show vpn ipsec phase1-interface <tunnel name>

    the set npu-offload setting is NOT configured.

    When I run the diag vpn tunnel list command and look at the tunnel in question, I can see the following NPU info:

    npu_flag=03

    This would indicate that the traffic is being offloaded correctly?

    Can you please confirm if we still need to enable the npu-offload setting?

    sjoshi
    Staff
    December 1, 2024

    Hi @RogerDingoDing,

    The NPU command will be available under:

    config vpn ipsec phase1-interface

    edit <phase1_name>

    get

    This would indicate that the traffic is being offloaded correctly? >> Yes.

    Can you please confirm if we still need to enable the npu-offload setting? >> I would request you to disable the NPU offload and see the status. Even if the issue is still present, that will isolate whether the NPU is causing any issue.

    Salon Raj Joshi | #NSE8-003459