FortiDDoS
arleniscg
Staff
Article Id 381456
Description This article describes the troubleshooting steps to follow when traffic over an IPsec VPN shows drops or stops working after FortiDDoS is upgraded to version 7.0.3.
Scope FortiDDoS F.
Solution
  1. Take a sniffer (L6) on the Firewall and check whether the UDP traffic is being sent with a checksum of 0x000. Note that the checksum of empty UDP packets is required to be 0xfff. After the upgrade, FDD also inspects this type of packet, so if the firewall is sending the wrong format, the check has to be adjusted on FortiDDoS, on the Firewall-SPP only:

IP Profile (see IP Profile Overview in the FortiDDoS-F handbook) -> UDP Empty Checksum Check (disable this option).


Note: On the rest of the SPP keep this option enabled.
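To see what the sniffer step is looking for, the following added example (not part of this article or of Fortinet's tooling) builds a constructed empty UDP 4500 -> 4500 datagram with documentation-range addresses and classifies its checksum field as absent (0x0000), valid, or wrong. It implements the RFC 768 rule that a checksum computing to zero is transmitted as 0xFFFF, since an on-wire 0x0000 means "no checksum" in IPv4.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum_ipv4(src: bytes, dst: bytes, udp: bytes) -> int:
    """RFC 768 checksum over pseudo-header + UDP header (checksum zeroed) + payload.
    A computed 0x0000 is transmitted as 0xFFFF: on the wire, 0x0000 means 'no checksum'."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))
    csum = (~ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])) & 0xFFFF
    return csum or 0xFFFF

def classify_udp(packet: bytes) -> dict:
    """Parse a raw IPv4/UDP packet (no Ethernet header) and judge its checksum field."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = packet[12:16], packet[16:20]
    udp = packet[ihl:]
    sport, dport, ulen, on_wire = struct.unpack("!HHHH", udp[:8])
    if on_wire == 0:
        state = "absent"          # what an empty-checksum check on the DDoS appliance would flag
    elif on_wire == udp_checksum_ipv4(src, dst, udp):
        state = "valid"
    else:
        state = "bad"
    return {"sport": sport, "dport": dport, "payload_len": ulen - 8,
            "checksum": on_wire, "state": state}

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int,
                   payload: bytes, checksum=None) -> bytes:
    """Constructed test packet; checksum=None computes it, 0 mimics a sender that omits it."""
    s, d = bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum_ipv4(s, d, udp)
    udp = udp[:6] + struct.pack("!H", checksum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000, 64, 17, 0, s, d)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + udp

if __name__ == "__main__":
    # Constructed sample: empty NAT-T style datagram, once with a computed checksum, once omitted.
    for label, cs in (("computed", None), ("omitted", 0)):
        pkt = build_ipv4_udp("203.0.113.10", "198.51.100.20", 4500, 4500, b"", cs)
        print(label, classify_udp(pkt))
```

Feed classify_udp() the IP-layer bytes of a packet exported from the firewall capture to see which of the three states the appliance is seeing.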


  2. If the problem is still present, adjust the IPsec-related sys_reco value for ports 50 and 4500.


  • Delete it, then create a custom entry for this specific IPsec port and adjust the value as required.


Note: Validate the logs/drops on Layers 3, 4 and 7 related to UDP on the Firewall-SPP to decide whether a larger threshold is required.


  3. If the problem is still present, open a case with the Fortinet TAC team (see the Technical Tip: FortiDDoS commands to open a new ticket to TAC).