FortiGate
ssudhakar (Staff)
Article Id 202624
Description

This article describes the changes in the IPSec load-balance setting from v6.2.6/6.4.6 onwards.

Until v6.2.4/v6.4.2, IPSec load-balancing was enabled by default on the FortiGate 6000 series and disabled by default on the FortiGate 7000 series, and it was configured as part of the load-balance setting:

# config load-balance setting
    set ipsec-load-balance {disable | enable}
end


From v6.2.6/6.4.6 onwards, IPSec load balancing is tunnel-based. The load-balance strategy is set per tunnel in the phase1-interface options:

# config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot {master | auto | FPM3 | FPM4 | FPM5 | FPM6}
    end


When upgrading to v6.2.6/6.4.6 from any older version, the IPSec load-balance configuration is expected to migrate based on the customer's setting. Users might run into upgrade issues when using 6.2.6, 6.2.7 or 6.4.2 as an intermediate step while upgrading to higher versions. It is recommended to use v6.2.9 as the interim version.

Scope

FortiGate 6000/7000 series, v6.2.6/6.4.6 onwards

Solution
  • If the ipsec-load-balance setting is disabled prior to the upgrade, then after upgrading to 6.2.6/6.4.6 onwards the ipsec-tunnel-slot should be changed to master under the IPsec phase1 config.

Version 6.0 until 6.2.4:

# config load-balance setting
    set ipsec-load-balance disable
end

Version 6.2.6/6.4.6 onwards:

# config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot master
    end


  • If the ipsec-load-balance setting is enabled prior to the upgrade, then after upgrading to 6.2.6/6.4.6 onwards the ipsec-tunnel-slot should be changed to auto under the IpSec phase1 config.

Version 6.0 until 6.2.4:

# config load-balance setting
    set ipsec-load-balance enable
end

Version 6.2.6/6.4.6 onwards:

# config vpn ipsec phase1-interface
    edit <name>
        set ipsec-tunnel-slot auto
    end


  •  If the IPSec traffic is not working as expected after upgrade, please check the ipsec-tunnel-slot config.
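As an added example (not Fortinet's own tooling), the following Python script checks a pre-upgrade and a post-upgrade CLI dump against the mapping above (disable to master, enable to auto) and lists every tunnel whose ipsec-tunnel-slot does not match; the sample dumps, tunnel names and the platform_default parameter are constructed assumptions, and the parser assumes flat config sections without nested config blocks.

```python
EXPECTED_SLOT = {"disable": "master", "enable": "auto"}  # migration mapping from the article

def parse_blocks(config_text):
    """Parse a flat FortiOS CLI dump into (lb_settings, phase1): the 'set' keys of
    'config load-balance setting', and each phase1-interface tunnel's 'set' keys."""
    lb_settings, phase1 = {}, {}
    section, entry = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            if section == "vpn ipsec phase1-interface":
                phase1[entry] = {}
        elif line == "next":
            entry = None
        elif line == "end":  # assumes no nested 'config' blocks inside an entry
            section, entry = None, None
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            if section == "load-balance setting":
                lb_settings[key] = value
            elif section == "vpn ipsec phase1-interface" and entry:
                phase1[entry][key] = value
    return lb_settings, phase1

def audit_tunnel_slots(old_config, new_config, platform_default="disable"):
    """Return {tunnel: (expected, actual)} for each phase1-interface whose slot differs
    from the migrated value; platform_default (assumption) covers an old dump that
    never set ipsec-load-balance (6000 series: enable, 7000 series: disable)."""
    lb_settings, _ = parse_blocks(old_config)
    expected = EXPECTED_SLOT[lb_settings.get("ipsec-load-balance", platform_default)]
    _, tunnels = parse_blocks(new_config)
    return {name: (expected, opts.get("ipsec-tunnel-slot"))
            for name, opts in tunnels.items()
            if opts.get("ipsec-tunnel-slot") != expected}

# Constructed sample dumps (not from a real device): load balancing was enabled
# before the upgrade, so every tunnel is expected to carry 'auto' afterwards.
OLD_CONFIG = "config load-balance setting\n    set ipsec-load-balance enable\nend\n"
NEW_CONFIG = """config vpn ipsec phase1-interface
    edit "to-branch-a"
        set ipsec-tunnel-slot auto
    next
    edit "to-branch-b"
        set ipsec-tunnel-slot master
    next
end"""
```

Running audit_tunnel_slots(OLD_CONFIG, NEW_CONFIG) flags only to-branch-b, which still carries master instead of the expected auto.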

Upgrade path:

If a user is planning to upgrade to 6.4.6, use a 6.2.9 version as the intermediate step and avoid using 6.4.2, as that version currently has a few known issues with IPsec load-balancing.


Hint: https://docs.fortinet.com/document/fortigate/6.2.6/fortigate-6000-and-fortigate-7000-release-notes/2...


*** Special note on IPsec tunnels sourced from a virtual interface such as loopback/npu-link:


Case 1: If the customer had IPsec tunnel load-balance disabled prior to the upgrade, the upgrade procedure will automatically set the tunnel to master. IPsec tunnel support on the virtual interface should work fine if the ESP and UDP 4500 flow rules were already configured before the upgrade. If there were no flow rules before the upgrade, create those flow rules manually after the upgrade.

Case 2: If the customer had IPsec tunnel load-balance enabled prior to the upgrade, the upgrade procedure will automatically set the tunnel to auto. IPsec tunnel support on the virtual interface should work fine if no flow rule for ESP and UDP 4500 was configured prior to the upgrade.
