Description
This article describes why an IPsec tunnel may go down on an HA cluster after a firmware upgrade or a reboot of the firewall.
The local firewall may send its phase 1 packets to the remote firewall using the HA virtual MAC as the source MAC, while the reply from the remote firewall arrives addressed to the physical interface MAC of the local firewall. This MAC mismatch brings phase 1 down.
Scope
FortiGate version 6.0 or above.
Solution
1) Identify the physical MAC address and the virtual MAC address of the WAN interface (port1 is used as the example interface here) by executing the following command:
# diagnose hardware deviceinfo nic port1
2) Capture the phase 1 negotiation in detail from the CLI or GUI (verbose level 6 includes the Ethernet header, so the source and destination MAC addresses are visible):
# diagnose sniffer packet WAN-PORT 'host REMOTE-FIREWALL-IP and port 500' 6 0
3) Open the capture in Wireshark and compare the source MAC of the outgoing phase 1 packets with the destination MAC of the replies. If there is a mismatch, reboot the ISP modem (and the upstream switch) so that they relearn the correct MAC address.
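As an added check (example code written for this article, not a Fortinet tool or output), the script below parses the Ethernet headers of captured phase 1 frames and reports whether the MAC the local unit sends from disagrees with the MAC the peer's replies are addressed to, which is the mismatch step 3 looks for in Wireshark. The MAC addresses and frames are constructed; in practice the frames would come from the sniffer capture exported as a pcap.

```python
import struct

ETHERTYPE_IPV4 = 0x0800

def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))

def parse_ether_header(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac_to_str(dst), mac_to_str(src), etype

def build_frame(dst_mac: str, src_mac: str, payload: bytes = b"") -> bytes:
    """Constructed test frame: Ethernet II header followed by an opaque payload."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + payload

def check_ha_mac_consistency(frames, physical_mac: str, virtual_mac: str) -> dict:
    """frames: iterable of (direction, raw_frame); 'out' = sent by the local
    FortiGate, 'in' = reply from the remote peer. Replies must be addressed to
    the same MAC the local unit sources from; any difference means the peer or
    an upstream device still holds a stale MAC entry (the symptom in the article)."""
    out_src = {parse_ether_header(f)[1] for d, f in frames if d == "out"}
    in_dst = {parse_ether_header(f)[0] for d, f in frames if d == "in"}
    label = {physical_mac.lower(): "physical", virtual_mac.lower(): "virtual"}
    return {
        "outbound_source": sorted(label.get(m, m) for m in out_src),
        "inbound_destination": sorted(label.get(m, m) for m in in_dst),
        "mismatch": bool(out_src and in_dst and out_src != in_dst),
    }

# Constructed addresses standing in for 'diagnose hardware deviceinfo nic' output.
PHYSICAL_MAC = "00:09:0f:09:00:01"
VIRTUAL_MAC = "00:09:0f:09:00:02"
PEER_MAC = "00:50:56:aa:bb:cc"  # constructed next-hop / remote MAC

# Constructed capture: phase 1 sent from the virtual MAC, reply addressed to the physical MAC.
BROKEN_CAPTURE = [("out", build_frame(PEER_MAC, VIRTUAL_MAC)),
                  ("in", build_frame(PHYSICAL_MAC, PEER_MAC))]
HEALTHY_CAPTURE = [("out", build_frame(PEER_MAC, VIRTUAL_MAC)),
                   ("in", build_frame(VIRTUAL_MAC, PEER_MAC))]

if __name__ == "__main__":
    print(check_ha_mac_consistency(BROKEN_CAPTURE, PHYSICAL_MAC, VIRTUAL_MAC))
    print(check_ha_mac_consistency(HEALTHY_CAPTURE, PHYSICAL_MAC, VIRTUAL_MAC))
```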
Related documents: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
Copyright 2023 Fortinet, Inc. All Rights Reserved.