stich86
New Member
January 16, 2025
Question

Strange IPSec behavior with Watchguard

  • January 16, 2025
  • 3 replies
  • 2767 views

Hello guys,

 

this is my first time working with a Fortigate appliance. I have a cluster of two F201s with two IPSec tunnels, one with Azure Cloud and one with an external customer using a WatchGuard firewall. The Azure tunnel has no issues (strange :grinning_face_with_sweat:), while the other one has a very peculiar behavior. Both are IKEv2 with AES256/SHA256.

 

If I start a ping from the local to the remote side through that tunnel, there is high packet loss, but after about 40s of pinging the tunnel becomes stable, until it goes back to idle; then again another 40s, and so on. It's not phase 2 flapping, because from the diag the SA has been up for hours. What am I missing?


Any help is really appreciated 

 

thanks!

3 replies

pathofbuilding
New Member
January 17, 2025

Your IPSec tunnel to the external WatchGuard firewall is experiencing initial packet loss followed by stabilization, while the Azure tunnel works fine. This could be due to issues like NAT or firewall misconfigurations, MTU or MSS clamping problems causing fragmentation, or route lookup delays on the WatchGuard side. Although Phase 2 is stable, re-keying or intermittent route delays might cause the initial packet loss. I recommend checking the NAT-T settings, verifying the MTU/MSS configuration, reviewing the routing and firewall settings, and analyzing the logs for any issues during the tunnel setup phase.

stich86 (Author)
New Member
January 17, 2025

There is no NAT; both firewalls are using public IPs. Also, MTU/MSS sounds strange because we are talking about small packets (64-byte ping).

 

Any suggestion on which debug I can run on the Fortigate?

 

Thanks!
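As an added example, not part of any post in this thread: a FortiGate CLI debug sequence that collects the IKE negotiation, the SA state and the on-wire ESP/IKE traffic for a single peer, so that the ~40s of loss after idle can be correlated with what IKE is doing at that moment. The peer address 203.0.113.10 and the phase1 name wg-customer are placeholders for the WatchGuard peer and its tunnel definition; the second filter form is for older FortiOS builds (pre-7.4) that still use `log-filter dst-addr4`.

```text
# Limit IKE debugging to the WatchGuard peer only (placeholder address).
# FortiOS 7.4 and later:
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 203.0.113.10
# FortiOS 7.2 and earlier use this form instead:
#   diagnose vpn ike log-filter clear
#   diagnose vpn ike log-filter dst-addr4 203.0.113.10

# Full IKE daemon debug with timestamps, then reproduce the ping from the LAN.
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

# ... run the ping test from the local side for at least 60s, then stop the debug:
diagnose debug disable
diagnose debug reset

# Phase1/phase2 state and per-selector counters for this tunnel (placeholder name).
diagnose vpn ike gateway list name wg-customer
diagnose vpn tunnel list name wg-customer

# On-wire view of the same period: IKE (UDP 500/4500) and ESP (IP proto 50)
# to and from the peer, with interface names and local timestamps, no packet limit.
diagnose sniffer packet any 'host 203.0.113.10 and (udp port 500 or udp port 4500 or proto 50)' 4 0 l
```

What to look for: if the IKE debug shows a new CHILD_SA being created or traffic selectors being renegotiated at the start of each ping burst while `diagnose vpn tunnel list` shows the existing SA still up, the loss is in SA/selector negotiation rather than in forwarding, which is consistent with a policy-based peer and an interface-based local tunnel disagreeing on which SA carries the traffic. If ESP leaves the FortiGate in the sniffer but nothing comes back during the lossy window, the delay is on the WatchGuard side.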

AEK
SuperUser
January 17, 2025

Hi Stich

Did you try disabling ASIC offload for IPsec?

 

config vpn ipsec phase1-interface
  edit phase-1-name
    set npu-offload disable
  next
end

config system global
  set ipsec-asic-offload disable
end

 

AEK
stich86 (Author)
New Member
January 17, 2025

Yes, I've tried it, but same behaviour.

stich86 (Author)
New Member
January 23, 2025

Just an update: after changing the tunnel on the WatchGuard side from "domain" to "route" based (my side is still "domain"), the strange behavior has disappeared...

 

The TAC is still asking for useless logs... support is very weird :(

dingjerry_FTNT
Staff
January 23, 2025

Hi @stich86 ,

 

Not sure what the "domain" tunnel form is.

 

On FortiGate, we have mainly two types: Policy Based, or Route Based (AKA Interface Based) IPSec VPN tunnels.

stich86 (Author)
New Member
January 23, 2025

Sorry, coming from other firewall vendors, domain = policy :)