alexburtt
New Member
August 13, 2015
Question

IPSec VPN stops passing traffic

  • August 13, 2015
  • 4 replies
  • 33082 views

Hi,

I have a site to site IPSec VPN tunnel; the local end is a Fortigate 40c and the remote is a Cisco ASA.

The Phase 2 has 36 separate network subnets, hence 36 separate tunnels I guess.

The VPN traffic to the remote end will suddenly stop and the connection appears to drop. To rectify it I run diag vpn tunnel reset and everything comes straight back up.

Could it be a key lifetime timeout issue? Phase 1 is set to 28800 and Phase 2 is set to 7200.

Or could it be the session TTL?

Sorry it's a bit vague, but if anyone can assist, let me know what info you need and I would be happy to provide it.

Thanks

Alex.

    4 replies

    alexburtt (Author)
    New Member
    August 17, 2015

    BUMP

    vjoshi_FTNT
    Staff
    August 17, 2015

    Hello Alex,

    First, see how often the issue occurs, whether it is at regular intervals (like every 6 hours), and also whether the same behavior is seen for all the phase2's.

    Enabling auto-negotiate or keepalive can help; they are explained in the KB below:

    http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=12069

    You may have to use 'config vpn ipsec phase2-interface' if it is a route-based VPN.

    Hope that helps.

    alexburtt (Author)
    New Member
    August 17, 2015

    Hi,

    Thanks for your reply.

    The time between the outages is random; there seems to be no pattern to it.

    It can be 30 mins to 4 hours.

    Keepalive and auto-negotiate are both enabled on all the phase 2's for this particular tunnel. This behaviour affects all phase 2's for this particular tunnel only. I have other tunnels on this unit for other site to site IPsec VPNs which do not exhibit this behaviour, and which again do have keepalive and auto-negotiate enabled.

    Thanks

    Alex.

    vjoshi_FTNT
    Staff
    August 20, 2015

    It is worth enabling DPD on both ends.

    Also, please get the event logs of the Fortigate when the tunnel goes down.

     

    JLatta80
    New Member
    November 12, 2015

    Did you have any luck fixing this issue? I'm experiencing the same issue and have found nothing to fix it. I have multiple Fortinets going back to my ASA at corporate, but only one of them is having this issue, where it says the tunnel is active but doesn't pass any traffic. The only fix that I have is to administratively bring down the VPN and then bring it back up.

    Right now I don't have any rhyme or reason why this is happening, but of course it happens at night when traffic is low, and that shouldn't kill the tunnel.

    emnoc
    New Member
    November 13, 2015

    The Cisco and DPD is hit and miss and badly supported between the two; bottom line, it's not compatible.

    When the tunnels are down, run diag sniffer packet for the vpn-gateway and see if any packets are being sent and whether there is any response.

    As an alternative, you can build an IKEv2 policy on the Cisco and run IKEv2 on your FGT tunnels. IKEv2 supports DPD natively and you might have better luck. Cisco ASA has supported IKEv2 going back to 9.0 code or maybe earlier.
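Pulling together the suggestions in this thread (auto-negotiate and keepalive on each phase 2, DPD on the phase 1, optionally IKEv2, and sniffing IKE/ESP to the peer when the tunnel looks up but is idle), here is an added FortiOS CLI example; it is not from the original posts or from Fortinet, it assumes a route-based (interface-mode) tunnel, and the interface name, peer address, subnets and PSK are placeholders.

```text
# FortiGate side. Placeholders: "wan1", 203.0.113.1, 10.1.0.0/24, 10.2.0.0/24, the PSK.
config vpn ipsec phase1-interface
    edit "to-asa"
        set interface "wan1"
        set ike-version 2            # optional: IKEv2 as suggested above; the ASA needs a matching ikev2 policy
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 28800     # phase 1 lifetime quoted in the thread
        set dpd on-idle              # send DPD probes while the tunnel is idle (older FortiOS: set dpd enable)
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <PSK-PLACEHOLDER>
    next
end

# One phase2-interface per subnet pair (the thread has 36). auto-negotiate brings the SA up
# without waiting for interesting traffic; keepalive keeps it up through quiet periods.
config vpn ipsec phase2-interface
    edit "to-asa-p2-01"
        set phase1name "to-asa"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set keepalive enable
        set keylifeseconds 7200      # phase 2 lifetime quoted in the thread
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Checks to run while the tunnel shows "up" but passes no traffic:
diagnose vpn ike gateway list name to-asa      # IKE SA state, DPD counters, last seen
diagnose vpn tunnel list name to-asa           # per-selector SAs and their byte counters
# Sniff IKE (500/4500) and ESP to the peer: are probes being sent, and does the ASA answer?
diagnose sniffer packet any 'host 203.0.113.1 and (udp port 500 or udp port 4500 or esp)' 4
```

If the sniffer shows outbound ESP with no return traffic while the SA counters on both peers differ, the peers have lost SA synchronisation, which is the case DPD on both ends is meant to detect and recover from.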