FortiGate
Mrinmoy
Staff
Article Id 239688
Description

This article describes why an IPsec tunnel on an HA cluster may go down after a firmware upgrade or a reboot of the firewall.

The local firewall sends its IKE packets with the HA virtual MAC as the source MAC, but the reply packets from the remote firewall may arrive at the local firewall addressed to the physical MAC address of the interface instead. This is a MAC mismatch, and it brings phase 1 down.

Scope

FortiGate version 6.0 or above.
Solution

1) Identify the physical MAC address and the HA virtual MAC address of the WAN interface (port1 in this example) with the following command:

# diagnose hardware deviceinfo nic port1
[...]
System_Device_Name port1
Current_HWaddr 00:09:0F:09:00:00 <----- Virtual MAC.
Permanent_HWaddr 00:09:0F:85:AD:8B <----- Physical MAC.

2) Capture the packets of the phase 1 negotiation in detail (verbosity level 6) from the CLI, or use the GUI packet capture:

# diagnose sniffer packet WAN-PORT 'host REMOTE-FIREWALL-IP and port 500' 6 0

[Screenshot: packet capture of the phase 1 negotiation, omitted]

3) Open the capture in Wireshark and compare the destination MAC of the incoming IKE packets with the two addresses found in step 1. If the replies are addressed to the physical MAC instead of the virtual MAC, there is a mismatch: reboot the ISP modem (and the upstream switch) so that it relearns the MAC address.

[Screenshot: Wireshark view of the MAC mismatch, omitted]
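The comparison done by hand in step 3 can be automated for a capture saved as a classic pcap file. The script below is an added example, not Fortinet's code: it parses the pcap with only the Python standard library, keeps the UDP frames on the IKE ports (500 and 4500, the latter for NAT-T, which the article's filter does not include), and reports every inbound IKE frame whose destination MAC is not the HA virtual MAC. The two MAC addresses come from the step 1 output; the IP addresses, the gateway MAC and the sample pcap are constructed for the example.

```python
import socket
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IKE_PORTS = {500, 4500}  # IKE and IKE over NAT-T


def mac_bytes(mac: str) -> bytes:
    """'00:09:0F:09:00:00' -> six raw bytes (case-insensitive)."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ike_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                    sport: int = 500, dport: int = 500, payload: bytes = b"\x00" * 28) -> bytes:
    """Ethernet/IPv4/UDP frame for the sample capture; checksums stay zero (offline only)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Yield raw Ethernet frames from a classic pcap (pcapng is not handled)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == PCAP_MAGIC_BE:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(order + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield pcap[offset:offset + incl_len]
        offset += incl_len


def parse_ike(frame: bytes) -> Optional[Tuple[bytes, bytes, str, str]]:
    """Return (src_mac, dst_mac, src_ip, dst_ip) for UDP frames on an IKE port, else None."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_UDP or len(frame) < 14 + ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    if sport not in IKE_PORTS and dport not in IKE_PORTS:
        return None
    return frame[6:12], frame[0:6], socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def find_mac_mismatches(pcap: bytes, local_ip: str, virtual_mac: str,
                        physical_mac: str) -> List[Tuple[int, str, str]]:
    """Inbound IKE frames not addressed to the HA virtual MAC.

    Returns (frame number as Wireshark numbers it, peer IP, description)."""
    vmac, pmac = mac_bytes(virtual_mac), mac_bytes(physical_mac)
    findings = []
    for number, frame in enumerate(iter_frames(pcap), start=1):
        parsed = parse_ike(frame)
        if parsed is None:
            continue
        _src_mac, dst_mac, src_ip, dst_ip = parsed
        if dst_ip != local_ip or dst_mac == vmac:
            continue  # our own outbound frames, or a healthy reply to the virtual MAC
        what = "physical MAC" if dst_mac == pmac else "unexpected MAC"
        findings.append((number, src_ip, f"reply addressed to {what} {mac_str(dst_mac)}"))
    return findings


# Constructed sample: local WAN 203.0.113.10 and peer 198.51.100.20 are documentation
# addresses, the gateway MAC is made up; the two FortiGate MACs are from step 1 above.
VIRTUAL_MAC = "00:09:0F:09:00:00"
PHYSICAL_MAC = "00:09:0F:85:AD:8B"
GATEWAY_MAC = "02:00:00:aa:bb:cc"
LOCAL_IP, REMOTE_IP = "203.0.113.10", "198.51.100.20"

SAMPLE_PCAP = build_pcap([
    build_ike_frame(GATEWAY_MAC, VIRTUAL_MAC, LOCAL_IP, REMOTE_IP),          # 1: our request, sent from the VMAC
    build_ike_frame(VIRTUAL_MAC, GATEWAY_MAC, REMOTE_IP, LOCAL_IP),          # 2: healthy reply to the VMAC
    build_ike_frame(PHYSICAL_MAC, GATEWAY_MAC, REMOTE_IP, LOCAL_IP),         # 3: reply to the physical MAC
    build_ike_frame(PHYSICAL_MAC, GATEWAY_MAC, REMOTE_IP, LOCAL_IP, 53, 53),  # 4: not IKE, ignored
])

if __name__ == "__main__":
    for number, peer, note in find_mac_mismatches(SAMPLE_PCAP, LOCAL_IP, VIRTUAL_MAC, PHYSICAL_MAC):
        print(f"frame {number} from {peer}: {note}")
```

To check a real capture, replace SAMPLE_PCAP with the bytes of the pcap file downloaded from the GUI packet capture and pass the WAN IP of the local FortiGate as local_ip; each reported frame number matches the one Wireshark shows, so the finding can be verified there directly. Only replies addressed to the physical MAC point at the stale-MAC problem this article describes; a reply to some other MAC is reported separately because it indicates a different problem on the upstream network.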

 

Related documents:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Verifying-physical-and-HA-Virtual-MAC-addr...
