VPN Site-to-Site between FGT and Cisco FTD

Forum|Forum|1 year ago
July 8, 2024
2 replies
1987 views

Hi community,

We have configured site-to-site VPN between FTD and FGT, the VPN is up and works but suddenly after few days traffic stops from one side even tho VPN is still up, as show0n in the screenshot

The only way to fix is to delete all the configuration from FGT and FTD and reconfigure again.

I would appreciate any kind of help to fix this.

I tried to upgrade FTD and FGT but no the problem is the same.

site-to-site issue.png

FortiGate

hbac

Staff

Hi @bledian,

You can try disabling npu-offload and see if it helps. https://docs.fortinet.com/document/fortigate/7.4.4/hardware-acceleration/636026/disabling-np-offloading-for-individual-ipsec-vpn-phase-1s

Regards,

pdelapena

Staff

Hi @bledian ,

Instead of recreating the tunnels, have you tried just flushing them in FortiGate side?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-flush-a-VPN-tunnel/ta-p/196631

Try to check if there are differences in the key lifetime for both phase1 and phase2.

While the issue is happening, it is best to do some debugs to understand more what is happening.
CLI session 1 :
diag vpn ike log-filter dst-addr4 x.x.x.x ------------where x.x.x.x is the remote gatewayIP
diag debug app ike -1
diag debug enable

Then open new CLI sessions with sniffer and debug flow commands and do test simulation by pinging from source to destination.
CLI session 2 :
diag sniff packet any 'host <source IP> and host <destination IP> and icmp' 4 0 l

CLI session 3 :
diag debug flow filter saddr <source IP>
diag debug flow filter daddr <dest IP>
diag debug flow filter proto 1
diag debug enable
diag debug flow trace start 100

Regards,

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded