VPN Tunnel stays up but not traffic passing from our end

Question

We have site to site VPN from Fortigate to Cisco. The issue started out with DPD errors with tunnel dropping. We have corrected that issue. The issue we're experiencing now is the tunnel stays up but we aren't able to send traffic to other end and traffic stops flowing. I've noticed this happens between a rekey. This happens every eighteen hours.

We've tried playing with settings by turning off DPD and back on. I increased the lifetime seconds on P2 to 86400 to see if that will alleviate the issue. We're natting a public IP for interesting traffic to their public subnets in P2 selectors. I create a IP pool for that IP that allows everything from my internal network.

Is anyone experiencing the same issue?

Toshi_Esumi · Answer

If you run IKE debug on the Cisco and FGT at the time the key expired, you should be able to see what failed.

But when we were using Cisco/FGT IKEv1 IPsec years ago we had some problem with DPD between them. So we disabled DPD and used IP SLA from the cisco side to keep the tunnel up. After migrated to IKEv2 DPD(INFORMATIONAL exchange) doesn't seem to cause problems so we're enabling it.

Also, I would suggest disabling anti-replay feature on both sides to see if it makes any difference in the debugging.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded