Skip to main content
CRE
CRE
New Member
April 24, 2018
Question

VPN Phase 2 reconnection issue

  • April 24, 2018
  • 1 reply
  • 9022 views

Hello Everyone,

I have a strange behavior with 3 of my VPN Tunnels. The Tunnels itself are working fine when the Phase 2 connection is up. Problem I am facing the Phase 2 can only be activated/keept alive from my site. After about 10 minutes without traffic the Phase 2 is disconnected and the Branch is not able to reestablish a Phase 2 connection with my Fortigate. My workaround for the moment is to Ping the Branch every 5 Minutes to keep the Tunnel alive.

I have configured an incoming NAT for the Subnet on my Site and used IP Pools for outgoing traffic to the VPN Tunnel to mask my internal IP addresses.

I have done some Traces and debugging on the VPN but when the Phase2 is disconnected I don't see any incoming traffic from the Branch even if they try to ping my internal Servers, so I don't think it is related to the NAT I do on my site. But I have several other VPNs without NAT and they work fine.

 

We also Enabled Autokey Keep Alive and Auto-negotiate on botch ends. The Firewall in the Branches are Checkpoint and Sonicwall.

Could be a similar Problem to this unsolved issue https://forum.fortinet.com/tm.aspx?m=118085 But none of us is located or connected to AWS

    1 reply

    Iescudero
    Iescudero
    New Member
    April 24, 2018

    Hi there CRE!

    In phase1 you had Keepalive also? and Dead Peer Detection?

    And in phase2, you had (PFS) and replay detection?

     

    If the issue still ocurrs, you can set  an Ip address to each tunnel, and configure a link monitor feature, so always have a traffic between sites.

     

    emnoc
    emnoc
    New Member
    April 24, 2018

    before we go that far do you have auto-negotiate enabled on the phase2? Also are thee policy or route-based vpn?

     

     

    e.g

     

     

    config vpn ipsec phase2-interface

       edit <FGT2CHKP >

              set auto-negotiate enable

        end

    CRE
    CREAuthor
    New Member
    April 25, 2018

    Hi

    thanks for your reply. Yes auto negotiate is enabled and it is a Policy based VPN.

    In Phase 1 I have DPD and Keep Alive Enabled. In Phase 2 PFS and replay dedection is enabled. 

    Phase 1 is in State Up all the time. and I can see in the diag debug that phase 1 is kept alive. 

     

    The Workaround with Ping Monitor is already in place but in a few months one doesn't remember why this was build.

    Terms & ConditionsAccessibility statement