Hi,
We recently replaced a Huawei firewall with a FortiGate at our HQ site and started seeing an intermittent IPSec issue.
Our setup is hub-and-spoke:
- HQ FortiGate acts as the hub
- Two branch FortiGates act as spokes
- All branch Internet traffic is routed through HQ
During POC testing, everything worked as expected.
IPSec tunnels came up successfully, traffic passed normally, and connectivity was stable.
After deploying into the customer environment, we noticed the following behavior after approximately 6 hours:
- IPSec tunnel status remains UP
- Phase1 and Phase2 still appear established
- Unable to ping the tunnel interface IP
- HQ LAN can no longer ping branch LAN
- Manually restarting the IPSec tunnel immediately restores traffic
DPD is enabled (on-idle, retry count 3, interval 20 seconds).
No configuration changes or reboots occur when the issue happens.
This behavior did not occur during POC and only appears in the customer environment.
Replacing Huawei with FortiGate is the main change.
At this point, we cannot conclusively determine whether upstream network devices are involved.
We are mainly looking for guidance on how to make the IPSec tunnel more resilient in this scenario.
Has anyone seen similar behavior with FortiGate IPSec?
What configuration changes or design adjustments would you recommend to prevent the tunnel from entering this state?
