FortiGate
nathan_h
Staff
Article Id 367690
Description

This article describes how to avoid downtime on a dial-up IPsec tunnel when performing an uninterruptible HA upgrade. In this case the downtime is caused by the dial-up IPsec SAs not having been synced to the original primary by the time it took the primary role back after its reboot, which forces the dial-up client to re-negotiate the tunnel.

Scope

FortiGate.

Solution

Network Topology:

FGT1 and FGT2 on HA (Dialup Server) -> IPsec -> FGT3 (Dial-up Client)

  • FGT1 - original primary.
  • FGT2 - original secondary.

FortiGate HA Configuration:

FGT1:

config system ha
    set mode a-p
    set hbdev "ha" 0
    set session-pickup enable
    set session-pickup-connectionless enable
    set override enable
    set priority 200
    set override-wait-time 60   # seconds FGT1 waits after coming back before it retakes the primary role, so the SA sync can complete first. The value is configurable.
end

FGT2:

config system ha
    set mode a-p
    set hbdev "ha" 0
    set session-pickup enable
    set session-pickup-connectionless enable
    set override disable
end

  1. Before the upgrade, confirm that the IKE and IPsec SAs are synced: the IKE SPIs, ESP SPIs and keys must be identical on FGT1 and FGT2.

FGT1 # get sys status
Version: FortiGate-501E v7.2.9,build1688,240813 (GA.M)
.......
Current HA mode: a-p, primary

 

FGT1 # diag vpn ike gateway list

.......

IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 0 68e43e0e0aa042c9/04ebea46bce47d75
direction: responder
status: established 1505-1505s ago = 10ms
proposal: aes256-sha256
key: 4e150faebe95ec5c-65a676a801c243ca-4e512928ed216ef3-eab4757b75686564

lifetime/rekey: 86400/85324
DPD sent/recv: 0000000d/00000000
peer-id: remotes1


FGT1 # diag vpn tunnel list
.......
dec: spi=5f8d54c2 esp=aes key=32 fe0e288a964229351c2c596ac06d81d976700c44cea0e215fe0878a8e28f49fa
ah=sha256 key=32 03ea9dc019f9c5069dd51e4e27320cfe2b720a9f7cf2ae5ed4d973b5c6b52aa8
enc: spi=55a319d2 esp=aes key=32 d7623a626c64cb457f835af8ce969276ea1d024a3bfa9e5b22b5be02ad72b11c
ah=sha256 key=32 f4c609b2f6dc4cf4660373fefe6e05e315d03c6103d895d8feb6c13062c7b69b
.......

 

FGT2 # get sys status
Version: FortiGate-501E v7.2.9,build1688,240813 (GA.M)
.......
Current HA mode: a-p, secondary

 

FGT2 # diag vpn ike gateway list

.......

id/spi: 0 68e43e0e0aa042c9/04ebea46bce47d75
direction: responder
status: established 1512-1512s ago = 10ms
proposal: aes256-sha256
key: 4e150faebe95ec5c-65a676a801c243ca-4e512928ed216ef3-eab4757b75686564
lifetime/rekey: 86400/85315
DPD sent/recv: 00000000/00000000
peer-id: remotes1


FGT2 # diag vpn tunnel list
.......
dec: spi=5f8d54c2 esp=aes key=32 fe0e288a964229351c2c596ac06d81d976700c44cea0e215fe0878a8e28f49fa
ah=sha256 key=32 03ea9dc019f9c5069dd51e4e27320cfe2b720a9f7cf2ae5ed4d973b5c6b52aa8
enc: spi=55a319d2 esp=aes key=32 d7623a626c64cb457f835af8ce969276ea1d024a3bfa9e5b22b5be02ad72b11c
ah=sha256 key=32 f4c609b2f6dc4cf4660373fefe6e05e315d03c6103d895d8feb6c13062c7b69b
.......

  2. Upload the image or initiate the upgrade on FGT1 (original primary). FGT2 (original secondary) is upgraded and rebooted first.

  3. FGT2 comes up. The IKE and IPsec SAs are synced to FGT2, and FGT2 takes the primary role.

  4. FGT1 is upgraded and rebooted. FGT1 comes up and the IKE and IPsec SAs are synced to it from FGT2.

  5. FGT1 takes the primary role back once the override-wait-time expires (60 seconds in the configuration above). The IKE and IPsec SAs are the same before and after the upgrade, so the dial-up client never has to re-negotiate the tunnel.


FGT1 # get sys status
Version: FortiGate-501E v7.2.10,build1706,240918 (GA.M)
.......
Current HA mode: a-p, primary
.......

 

FGT1 # diag vpn ike gateway list
.......
id/spi: 0 68e43e0e0aa042c9/04ebea46bce47d75
direction: responder
status: established 2399-2399s ago = 10ms
proposal: aes256-sha256
key: 4e150faebe95ec5c-65a676a801c243ca-4e512928ed216ef3-eab4757b75686564
lifetime/rekey: 86400/83730
DPD sent/recv: 00000001/00000981
peer-id: remotes1

 

FGT1 # diag vpn tunnel list
.......
SA: ref=3 options=224 type=00 soft=0 mtu=1438 expire=40786/0B replaywin=0
seqno=30000001 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=41132/41144
dec: spi=5f8d54c2 esp=aes key=32 fe0e288a964229351c2c596ac06d81d976700c44cea0e215fe0878a8e28f49fa
ah=sha256 key=32 03ea9dc019f9c5069dd51e4e27320cfe2b720a9f7cf2ae5ed4d973b5c6b52aa8
enc: spi=55a319d2 esp=aes key=32 d7623a626c64cb457f835af8ce969276ea1d024a3bfa9e5b22b5be02ad72b11c
ah=sha256 key=32 f4c609b2f6dc4cf4660373fefe6e05e315d03c6103d895d8feb6c13062c7b69b
.......

 

 

FGT2 # get sys status
Version: FortiGate-501E v7.2.10,build1706,240918 (GA.M)
.......
Current HA mode: a-p, secondary
.......

 

FGT2 # diag vpn ike gateway list
.......
id/spi: 0 68e43e0e0aa042c9/04ebea46bce47d75
direction: responder
status: established 2400-2400s ago = 10ms
proposal: aes256-sha256
key: 4e150faebe95ec5c-65a676a801c243ca-4e512928ed216ef3-eab4757b75686564
lifetime/rekey: 86400/83729
DPD sent/recv: 00000000/00000980
peer-id: remotes1

 

FGT2 # diag vpn tunnel list
.......
SA: ref=3 options=224 type=00 soft=0 mtu=1280 expire=40786/0B replaywin=0
seqno=40000001 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=41274/41286
dec: spi=5f8d54c2 esp=aes key=32 fe0e288a964229351c2c596ac06d81d976700c44cea0e215fe0878a8e28f49fa
ah=sha256 key=32 03ea9dc019f9c5069dd51e4e27320cfe2b720a9f7cf2ae5ed4d973b5c6b52aa8
enc: spi=55a319d2 esp=aes key=32 d7623a626c64cb457f835af8ce969276ea1d024a3bfa9e5b22b5be02ad72b11c
ah=sha256 key=32 f4c609b2f6dc4cf4660373fefe6e05e315d03c6103d895d8feb6c13062c7b69b
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
.......
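The comparison above is done by eye across four captures. The script below is an added example written for this article (not Fortinet tooling) that does the same check on the text of 'diag vpn ike gateway list' and 'diag vpn tunnel list': it compares IKE SPIs, ESP SPIs and key fingerprints between FGT1 and FGT2 to confirm the SAs are synced, and between FGT1 before and after the upgrade to confirm the dial-up client never re-negotiated. The embedded captures are abridged copies of the outputs above plus one constructed 'renegotiated' capture that is not from the article, and the parser assumes the line formats shown on this page. Keep in mind that both commands print live IKE and ESP key material, so saved captures must be handled as secrets; the script reports only a SHA-256 fingerprint of the keys.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample captures: the relevant lines of `diag vpn ike gateway list`
# and `diag vpn tunnel list`, abridged from the article's FGT1/FGT2 outputs and
# concatenated into one snapshot per unit and point in time.
FGT1_BEFORE = """\
id/spi: 0 68e43e0e0aa042c9/04ebea46bce47d75
status: established 1505-1505s ago = 10ms
peer-id: remotes1
dec: spi=5f8d54c2 esp=aes key=32 fe0e288a964229351c2c596ac06d81d976700c44cea0e215fe0878a8e28f49fa
enc: spi=55a319d2 esp=aes key=32 d7623a626c64cb457f835af8ce969276ea1d024a3bfa9e5b22b5be02ad72b11c
"""
FGT2_BEFORE = """\
 id/spi: 0 68e43e0e0aa042c9/04ebea46bce47d75
 status: established 1512-1512s ago = 10ms
 peer-id: remotes1
dec: spi=5f8d54c2 esp=aes key=32 fe0e288a964229351c2c596ac06d81d976700c44cea0e215fe0878a8e28f49fa
enc: spi=55a319d2 esp=aes key=32 d7623a626c64cb457f835af8ce969276ea1d024a3bfa9e5b22b5be02ad72b11c
"""
FGT1_AFTER = """\
id/spi: 0 68e43e0e0aa042c9/04ebea46bce47d75
status: established 2399-2399s ago = 10ms
peer-id: remotes1
dec: spi=5f8d54c2 esp=aes key=32 fe0e288a964229351c2c596ac06d81d976700c44cea0e215fe0878a8e28f49fa
enc: spi=55a319d2 esp=aes key=32 d7623a626c64cb457f835af8ce969276ea1d024a3bfa9e5b22b5be02ad72b11c
"""
# Constructed failure case, not from the article: the dial-up client had to
# re-negotiate, so every SPI and key is new and the "established" age reset.
FGT1_RENEGOTIATED = """\
id/spi: 0 1a2b3c4d5e6f7081/92a3b4c5d6e7f809
status: established 41-41s ago = 12ms
peer-id: remotes1
dec: spi=0badcafe esp=aes key=32 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
enc: spi=deadbeef esp=aes key=32 ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
"""

IKE_RE = re.compile(r"^\s*id/spi:\s*\d+\s+([0-9a-f]+)/([0-9a-f]+)")
PEER_RE = re.compile(r"^\s*peer-id:\s*(\S+)")
AGE_RE = re.compile(r"^\s*status:\s*established\s+(\d+)-")
ESP_RE = re.compile(r"^\s*(dec|enc):\s*spi=([0-9a-f]+)\s.*?\bkey=\d+\s+([0-9a-f]+)")


@dataclass(frozen=True)
class Snapshot:
    ike: frozenset   # {(initiator SPI, responder SPI, peer-id)}
    esp: frozenset   # {(inbound SPI, outbound SPI, key fingerprint)}
    min_age: int     # youngest IKE SA age in seconds (0 if none found)


def parse_snapshot(text):
    """Parse the CLI text into a Snapshot. ESP keys are reduced to a SHA-256
    fingerprint so the comparison output never echoes live key material."""
    ike, esp, ages = [], [], []
    cur = None       # IKE SA currently being filled in
    pending = None   # inbound (dec) half of an ESP SA pair, waiting for its enc line
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            cur = [m[1], m[2], ""]
            ike.append(cur)
        elif (m := PEER_RE.match(line)) and cur is not None:
            cur[2] = m[1]
        elif m := AGE_RE.match(line):
            ages.append(int(m[1]))
        elif m := ESP_RE.match(line):
            direction, spi, key = m.groups()
            if direction == "dec":
                pending = (spi, key)
            elif pending is not None:
                fp = hashlib.sha256(bytes.fromhex(pending[1] + key)).hexdigest()[:16]
                esp.append((pending[0], spi, fp))
                pending = None
    return Snapshot(frozenset(map(tuple, ike)), frozenset(esp), min(ages, default=0))


def compare(name_a, snap_a, name_b, snap_b):
    """Problems found when two snapshots should hold the same SAs; [] means in sync."""
    problems = []
    for kind in ("ike", "esp"):
        a, b = getattr(snap_a, kind), getattr(snap_b, kind)
        if a != b:
            problems.append(f"{kind} SAs differ; only in {name_a}: {sorted(a - b)}, "
                            f"only in {name_b}: {sorted(b - a)}")
    return problems


def check_upgrade(before, after):
    """Continuity on one unit across the upgrade: same SAs and an IKE SA that only
    got older, i.e. the dial-up client never had to re-establish the tunnel."""
    problems = compare("before", before, "after", after)
    if after.min_age < before.min_age:
        problems.append(f"IKE SA age reset {before.min_age}s -> {after.min_age}s: re-negotiated")
    return problems


if __name__ == "__main__":
    b1, b2, a1 = map(parse_snapshot, (FGT1_BEFORE, FGT2_BEFORE, FGT1_AFTER))
    print("HA sync before upgrade:", compare("FGT1", b1, "FGT2", b2) or "OK")
    print("FGT1 across the upgrade:", check_upgrade(b1, a1) or "OK")
    print("re-negotiated peer:", check_upgrade(b1, parse_snapshot(FGT1_RENEGOTIATED)))
```

Run it with the real captures from both units taken before step 2 and again after step 5; an empty result for both checks is the condition this article is after, while any entry in the upgrade check means the tunnel was torn down at some point during the failovers.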

  6. Disable HA override on FGT1. With override disabled, FGT1 does not take the primary role back from FGT2 on the strength of its priority when it comes up after a reboot, so the cluster is not failed over a second time; the override-wait-time above only applies while override is enabled.

FGT1 # config sys ha
FGT1 (ha) # set override disable
FGT1 (ha) # end

 

Related article: