FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Gab_FTNT
Staff & Editor
Article Id 379107
Description
This article provides different methods to bring down an IPsec tunnel after the parent WAN interface goes down.

Scope
FortiGate.

Solution
Bringing down an IPsec tunnel after a WAN interface link failure is important to ensure that traffic fails over to the secondary tunnel. This article is meant for a redundancy setup with two WAN connections, each carrying an IPsec tunnel, as follows.

[Figure: cap1.PNG]
HQ1_to_WH1 is the primary tunnel and HQ2_to_WH2 is the secondary. All traffic to destination 10.10.2.0/24 is sent to HQ1_to_WH1 because the route has a lower distance (10).

[Figure: Capture2.PNG]
Solution:
Note that each solution listed below achieves the same result on its own; only one of them needs to be configured.

  1. Configure DPD to send a probe to the remote site: Configuring-DPD-dead-peer-detection-on-IPsec-VPN.

    [Figure: DPD.PNG]
    This method ensures that when traffic fails to pass through the tunnel, the IPsec tunnel is brought down once the DPD retry count is reached.
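The CLI equivalent of the DPD setting on the primary tunnel, added here as an example that is not part of the original article: the phase1 name HQ1_to_WH1 comes from the article, while the DPD mode and retry values are assumed for illustration.

```text
config vpn ipsec phase1-interface
    edit "HQ1_to_WH1"
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end
```

With these values the peer is declared dead after three unanswered probes sent 5 seconds apart, the tunnel interface goes down and the static route with distance 10 drops out of the routing table, so traffic to 10.10.2.0/24 follows the higher-distance route over HQ2_to_WH2. Note that on-demand DPD only probes when outbound traffic is being sent without any inbound reply; on-idle probes whenever the tunnel is idle, which detects a dead WAN link sooner. Confirm the state with `diagnose vpn ike gateway list` and `get router info routing-table all`.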

  2. Configure Link-Monitor to remove the static route when a remote IP on the other side stops responding.

[Figure: Capture3.PNG]
When the remote IP stops responding, FortiGate removes the route from its routing table, which brings the tunnel down.
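A CLI link-monitor matching this method, added as an example that is not part of the original article. It probes a host on the remote LAN through the tunnel interface; the monitor name, the probed address 10.10.2.1 (an assumed host inside the article's 10.10.2.0/24 network) and the timing values are assumptions.

```text
config system link-monitor
    edit "HQ1-tunnel-monitor"
        set srcintf "HQ1_to_WH1"
        set server "10.10.2.1"
        set protocol ping
        set interval 1000
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

`update-static-route enable` is what removes the static routes bound to HQ1_to_WH1 after `failtime` consecutive failed probes, and restores them after `recoverytime` consecutive successes. The `interval` value is in milliseconds on current FortiOS releases; older releases take it in seconds, so check the CLI reference for the version in use. Watch the monitor with `diagnose sys link-monitor status` and verify that the route disappears with `get router info routing-table all`.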


  3. Configure an automation stitch to issue a command to shut down the tunnel when the WAN interface status changes. The Trigger for the stitch is a generated log whose 'msg' field matches 'Link monitor: Interface port1 was turned down'.


Replace the interface name (port1) with the one used for WAN.


[Figure: Trigger.PNG]
The Action for the stitch issues the command 'diagnose vpn tunnel flush HQ1_to_WH1' in this example.


Replace the tunnel name with the one concerned.

[Figure: Action.PNG]
Create the Stitch using both the previously created Trigger and Action.


[Figure: Stitchh.PNG]
When the link fails (port1 in this case), the stitch executes immediately to clear the IPsec tunnel.

This can be confirmed by unplugging the cable from the port to simulate a link failure and running the following debug commands:

diagnose debug cli 8
diagnose debug enable

The output will show the command issued by the Automation Stitch.


[Figure: Debug.PNG]
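The trigger, action and stitch from this method written as CLI, added as an example that is not part of the original article. The 'msg' value and the flush command are the article's; the object names are assumed, `<LINK-MONITOR-DOWN-LOG-ID>` is a placeholder for the log ID of the "turned down" event as seen in the FortiGate event log, and the `config actions` syntax with `set required` is that of recent FortiOS releases (older releases list actions directly on the stitch).

```text
config system automation-trigger
    edit "WAN1-link-down"
        set event-type event-log
        set logid <LINK-MONITOR-DOWN-LOG-ID>
        config fields
            edit 1
                set name "msg"
                set value "Link monitor: Interface port1 was turned down"
            next
        end
    next
end

config system automation-action
    edit "flush-HQ1_to_WH1"
        set action-type cli-script
        set script "diagnose vpn tunnel flush HQ1_to_WH1"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "WAN1-down-flush-tunnel"
        set trigger "WAN1-link-down"
        config actions
            edit 1
                set action "flush-HQ1_to_WH1"
                set required enable
            next
        end
    next
end
```

The "Link monitor: Interface port1 was turned down" message is only written when a link monitor exists on port1, so this method depends on a link-monitor entry sourcing from port1 toward the WAN gateway being configured as well. The CLI-script action runs with the rights of the profile given in `accprofile`; a dedicated profile that is limited to the VPN diagnostic commands is preferable to super_admin where the release allows it. After testing with `diagnose debug cli 8` and `diagnose debug enable`, turn debugging off again with `diagnose debug disable`.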