FortiGate
DShah
Staff
Article Id 428299
Description This article describes the fix for hub-and-spoke ADVPN (mode-cfg) tunnels that go down after upgrading to FortiOS 7.4.9 or later when assign-ip is enabled on the spoke and the tunnel IP address is also configured manually.
Scope FortiOS 7.4.9+.
Solution

The issue occurs when both conditions below are present:

  1. The IPsec tunnel interface has a manually assigned overlay IP address (as in a normal ADVPN design).

  2. The phase1-interface has mode-cfg enabled together with assign-ip enable, so the spoke also expects the hub to assign the tunnel address.

Example of configuration:

 

config system interface
    edit "ADVPN-HUB1"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
end

 

config vpn ipsec phase1-interface
    edit "ADVPN-HUB1"
        set mode-cfg enable
        set assign-ip enable
    next
end

 

Symptoms:

  • All spoke VPN connections to the hub are down after the upgrade.

  • IKE debug on the spoke (diagnose debug application ike -1, then diagnose debug enable) shows an error similar to 'connection expiring due to mode-cfg client IPv4 error'.

 

Solution:

 

Before the upgrade, change the spoke configuration to the following. The overlay address stays statically configured on the tunnel interface, so the spoke no longer needs to request one from the hub via mode-cfg:

 

config vpn ipsec phase1-interface
    edit <Phase1-Name>
        set assign-ip disable
        unset mode-cfg
    next
end
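As an added example (not Fortinet code), the script below audits a FortiOS CLI backup for the two conditions described above and prints the spoke-side fix for every tunnel that matches. The backup text, tunnel names and addresses are constructed for the demonstration; the check reads `vpn ipsec phase1-interface` and `system interface` from a single-VDOM backup, and it assumes a missing `assign-ip` line under `set mode-cfg enable` means the default value (enable) was omitted from the backup.

```python
"""Pre-upgrade audit for the mode-cfg / static tunnel IP conflict.

Added example, not Fortinet's code. Parses a FortiOS CLI backup, flags every
phase1-interface that has mode-cfg enabled with assign-ip enabled AND whose
tunnel interface carries a statically configured IP, and renders the
remediation block from the article for each hit.
"""
import shlex


def parse_fortios_config(text):
    """Parse FortiOS 'config / edit / set / next / end' text.

    Returns {section_path: {entry_name: {key: value}}}. Settings of a section
    without 'edit' (e.g. config system global) are stored under the key "".
    A config nested inside an edit is keyed as 'outer/entry/inner'.
    """
    sections = {}
    stack = []  # each item: [section_path, current_entry_or_None]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # backups start with #config-version
            continue
        tokens = shlex.split(line)
        verb, args = tokens[0], tokens[1:]
        if verb == "config":
            path = " ".join(args)
            if stack and stack[-1][1] is not None:
                path = f"{stack[-1][0]}/{stack[-1][1]}/{path}"
            sections.setdefault(path, {})
            stack.append([path, None])
        elif verb == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif verb == "set":
            path, entry = stack[-1]
            sections[path].setdefault(entry or "", {})[args[0]] = " ".join(args[1:])
        elif verb == "unset":
            path, entry = stack[-1]
            sections[path].setdefault(entry or "", {}).pop(args[0], None)
        elif verb == "next":
            stack[-1][1] = None
        elif verb == "end":
            stack.pop()
    return sections


def find_conflicting_tunnels(sections):
    """Names of phase1-interfaces that meet both conditions from the article."""
    phase1 = sections.get("vpn ipsec phase1-interface", {})
    interfaces = sections.get("system interface", {})
    hits = []
    for name, p1 in phase1.items():
        if p1.get("mode-cfg") != "enable":
            continue
        # Backups omit default values; this example assumes assign-ip defaults
        # to enable once mode-cfg is enabled, so a missing key counts as enabled.
        if p1.get("assign-ip", "enable") != "enable":
            continue
        ip = interfaces.get(name, {}).get("ip", "")
        if ip and not ip.startswith("0.0.0.0"):  # static overlay IP present
            hits.append(name)
    return hits


def remediation_cli(names):
    """Render the spoke-side fix from the article for each flagged tunnel."""
    out = []
    for name in names:
        out += [
            "config vpn ipsec phase1-interface",
            f'    edit "{name}"',
            "        set assign-ip disable",
            "        unset mode-cfg",
            "    next",
            "end",
        ]
    return "\n".join(out)


# Constructed sample backup (not from a real device): one conflicting tunnel,
# one mode-cfg tunnel with no static IP, one static-IP tunnel without mode-cfg.
SAMPLE_CONFIG = """\
config system global
    set hostname "SPOKE-1"
end
config system interface
    edit "ADVPN-HUB1"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
    edit "ADVPN-HUB2"
        set type tunnel
    next
    edit "STATIC-ONLY"
        set ip 10.20.20.2 255.255.255.255
        set remote-ip 10.20.20.1 255.255.255.255
    next
end
config vpn ipsec phase1-interface
    edit "ADVPN-HUB1"
        set mode-cfg enable
        set assign-ip enable
    next
    edit "ADVPN-HUB2"
        set mode-cfg enable
    next
    edit "STATIC-ONLY"
        set remote-gw 203.0.113.1
    next
end
"""

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    hits = find_conflicting_tunnels(cfg)
    print("tunnels to fix before upgrading:", hits)
    print(remediation_cli(hits))
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents of `execute backup config` output; only tunnels that carry both a static `set ip` and `set mode-cfg enable` are listed, so a mode-cfg tunnel that genuinely receives its address from the hub is left alone.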

 