iKris
Visitor III
August 20, 2025
Question

Random Packet Loss through VPN Connection

I am using 2 FG61F (7.4.8 Mature) with an IPsec IKEv1 tunnel to the same HUB, which is not under my care. Config is basically default with no additional config.

First FG (let's say FG-A): no issue, all is working properly.

But FG-B has an issue with packet loss; it happens at random times with no pattern. Tunnel is up, no error log. I already enabled IKE debug to monitor, but there is no output during the process.

I wonder if anyone has had an issue similar to mine. I have tried everything but still no luck; the only way to make the tunnel stable is to zero the traffic by cutting the LAN connection. Thanks in advance.

3 replies

kaman
Staff
August 20, 2025

Hi iKris,

Please check if a DDoS policy is configured in your FortiGate.

Common causes of IPsec VPN disconnections:

Dead Peer Detection (DPD).

DPD is a mechanism that detects when a VPN peer is no longer responsive. When a tunnel becomes idle (no traffic passing through), DPD begins sending "Are You There?" probes to verify whether the peer is still active.


Also, to determine if NPU offloading is causing disconnection issues, temporarily disable it for the problematic tunnel:

    config vpn ipsec phase1-interface
        edit "tunnel-name"
            set npu-offload disable
        next
    end


Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-and-Troubleshooting-IPSec-VPN/ta-p/397214


Please check if there are dynamic IPsec interfaces in redundancy, with IKE used to install a static route into the table through the negotiated Phase 2 selectors. Refer to the document below:


https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-flapping-or-packet-loss-after-upgrade/ta-p/284890


If the issue still persists, also run the debug flow filter logs once during the time of the issue and then check the behaviour.


Regards!

iKris (Author)
Visitor III
August 20, 2025

Hi, thanks for the answer.

The VPN is not disconnected but experiences packet loss for 5-10 seq before it recovers by itself (I ping from the Forti to the HUB PTP IP). There is no debug output during the "timeout" process, and running the command "diagnose vpn tunnel flush ipsec1-tunnel" will speed up the recovery (no need to wait 5-15 seq).

I will give npu-offload disable a try.
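Added example, not from this thread: a small parser that reads FortiGate/Linux-style ping output, finds gaps in icmp_seq, and reports each loss burst with its length, so that intermittent bursts like the 5-15 seq ones described above can be timed and correlated with tunnel events. The sample ping lines and the 10.0.0.1 address are constructed; a sequential, non-wrapping ping run is assumed.

```python
import re
from typing import Dict, List, Tuple

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

# Constructed sample: one long burst (seq 5..12 missing) and one short one
# (seq 15..16 missing), mimicking the random loss described in the thread.
SAMPLE_PING = """\
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=12.1 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=11.9 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=12.4 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=12.0 ms
64 bytes from 10.0.0.1: icmp_seq=13 ttl=64 time=12.2 ms
64 bytes from 10.0.0.1: icmp_seq=14 ttl=64 time=12.3 ms
64 bytes from 10.0.0.1: icmp_seq=17 ttl=64 time=12.3 ms
"""


def loss_bursts(ping_output: str) -> List[Tuple[int, int]]:
    """Return (first_missing_seq, missing_count) for every gap in icmp_seq."""
    seqs = [int(m.group(1)) for m in SEQ_RE.finditer(ping_output)]
    bursts = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:  # replies skipped one or more sequence numbers
            bursts.append((prev + 1, cur - prev - 1))
    return bursts


def summarize(ping_output: str, alert_len: int = 5) -> Dict:
    """Loss statistics plus the bursts long enough to match the symptom."""
    seqs = [int(m.group(1)) for m in SEQ_RE.finditer(ping_output)]
    bursts = loss_bursts(ping_output)
    sent = seqs[-1] - seqs[0] + 1 if seqs else 0
    lost = sum(n for _, n in bursts)
    return {
        "sent": sent,
        "lost": lost,
        "loss_pct": round(100.0 * lost / sent, 1) if sent else 0.0,
        "bursts": bursts,
        # bursts of alert_len or more consecutive losses, e.g. the 5-15 seq
        # outages that "diagnose vpn tunnel flush" shortens in the thread
        "long_bursts": [b for b in bursts if b[1] >= alert_len],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PING))
```

Feed it the saved output of a long ping run (on a FortiGate, `execute ping` to the hub's point-to-point address) and compare the burst timestamps with the IKE and tunnel logs from the same window.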

kaman
Staff
August 20, 2025

Hi iKris,

Yes, please try with npu-offload disable and let us know the behaviour.

Regards!

xuanelu1
New Member
August 20, 2025

Solution found; I edited it into the top of my post! This may no longer be VPN-relevant, but I figured I should leave it up so a future moron like myself can endure less pain.