Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ezhupa
Staff
Staff

Created on ‎11-09-2023 06:23 AM Edited on ‎04-23-2025 10:05 PM By Community Manager

Article Id 283504

Technical Tip: Dial-up IPsec flapping issues after upgrading v7.2.6 and v7.0.13

Description This article describes issues with multiple dial-up IPsec VPNs on the HUB after upgrading to 7.0.13 or 7.2.6.
Scope FortiGate.
Solution When having a FortiGate act as a HUB/Dialup Server with multiple spokes/dial-up clients and the clients have overlapping phase2 selectors, for example, 0.0.0.0/0, it is possible to experience flapping issues. 

Currently, the solutions would be:
  1. Configure specific phase2 selectors to avoid subnet overlapping (avoid using 0.0.0.0/0 on all spokes/dial-up clients).

  2. If routing either static or dynamic is already in place, disable 'add-route' under phase1 configuration as by default it is enabled (on Spoke FortiGate).

    config vpn ipsec phase1-interface
        edit <name of phase1>
            set add-route disable
    end

  3. Allow route-overlap under phase2 configuration on HUB/Dialup Server.

    config vpn ipsec phase2-interface
        edit <name of phase2>
            set route-overlap allow
    end


After performing these changes the issue should be resolved.

The changes in default behavior are outlined in the release notes of v7.2.6 and v7.0.13.


In the case of multiple IPsec Tunnels on the same public interface, adding local IDs and peer IDs can prevent the Dialup Client from connecting to the wrong IPsec Tunnel. 

 

Related documents:

7.0.13 Release notes

7.2.6 Release notes

Technical Tip: dynamic vpn add-route and subnet overlap
Technical Tip: Allowing multiple IPSec dial-up connection from same source IP
Troubleshooting Tip: Connectivity issue between Dialup hub FortiGate and multiple Dial-in client For...
Troubleshooting Tip: IPsec flapping or packet loss after upgrade FortiGate to v7.0.13, v7.2.6, v7.4....
16544
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.