FortiGate
epinheiro
Staff
Article Id 383488
Description This article describes an issue in which IPsec tunnels go down and disappear from the IPsec monitor after the IKE TCP port is changed away from its default of TCP 4500.
Scope FortiGate, IPsec, FortiOS v7.4.2 through v7.4.7.
Solution

Whenever the IKE TCP port is changed, all IPsec tunnels, both those negotiated over UDP and those negotiated over TCP, are flushed automatically. This flush is expected behavior and applies to v7.4.2 and later as well as v7.6.x.

 

On FortiOS v7.4.2 through v7.4.7, after the IKE TCP port is changed from 4500 to any other port, all tunnels go down under VPN > IPsec Tunnels, disappear from Dashboard > Network > IPsec Monitor, and do not come back up on their own.

 

Specifically after a change from IKE TCP 4500 to any other port, the IKE process must be restarted for the tunnels to start working again:

 

diagnose vpn ike restart

 

The issue does not recur on subsequent changes of the IKE TCP port, provided the change is from a port other than TCP 4500 to another port.

 

Examples:

 

config system settings
...
    set ike-port 5000
    set ike-tcp-port 4501
end

(The defaults are ike-port 500 and ike-tcp-port 4500.)

 

  1. Changing from IKE TCP 4500 to IKE TCP 4501: the issue occurs, and diagnose vpn ike restart must be run from the CLI.
  2. Changing afterwards from IKE TCP 4501 to IKE TCP 4502: the issue does not recur, because the change is not from IKE TCP 4500 to another TCP port.

 

In some cases, particularly dial-up IPsec VPNs where both the IKE (UDP) port and the IKE TCP port have been changed, restarting the IKE process may not resolve the issue. This behavior is fixed in v7.4.8 and v7.6.0.
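The following is an added example for anyone scripting this change across several FortiGates; it is not Fortinet code and is not part of the article. It takes the facts stated above (affected range v7.4.2 through v7.4.7, the restart being needed only when the change starts from TCP 4500, and the dial-up caveat when both ports change) and turns them into a planning function that emits the CLI sequence to run and flags when the restart alone may not be enough. The function names, the ChangePlan structure, and the use of `get vpn ipsec tunnel summary` as the post-change check are this example's own assumptions; versions outside the stated range are treated as unaffected, which is also an assumption. Nothing is sent to a device: the commands are returned as text for a separate SSH or API step.

```python
"""Plan an IKE TCP port change on a FortiGate and decide whether the
'diagnose vpn ike restart' workaround from the article is required.

Added example, not Fortinet code. The affected versions, the trigger
condition (change *from* TCP 4500) and the fix versions come from the
article; function names, the ChangePlan fields and the verification
command are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_IKE_UDP_PORT = 500     # FortiOS default for 'set ike-port'
DEFAULT_IKE_TCP_PORT = 4500    # FortiOS default for 'set ike-tcp-port'
AFFECTED_MIN = (7, 4, 2)       # first affected release per the article
AFFECTED_MAX = (7, 4, 7)       # last affected; fixed in 7.4.8 and 7.6.0


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v7.4.10' or '7.4.10' into a numeric tuple.

    Numeric comparison matters here: as strings, '7.4.10' < '7.4.8',
    which would wrongly classify a fixed release as affected.
    """
    parts = text.strip().lower().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True only for v7.4.2 through v7.4.7 (assumption: nothing else is affected)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class ChangePlan:
    commands: List[str] = field(default_factory=list)   # CLI lines to run, in order
    restart_required: bool = False                      # 'diagnose vpn ike restart' added
    may_not_recover: bool = False                       # dial-up caveat from the article
    notes: List[str] = field(default_factory=list)


def plan_ike_tcp_port_change(version: str, current_tcp_port: int, new_tcp_port: int,
                             new_udp_port: Optional[int] = None,
                             dialup: bool = False) -> ChangePlan:
    """Build the CLI sequence for moving ike-tcp-port and flag the workaround."""
    plan = ChangePlan()
    for port in (new_tcp_port, current_tcp_port) + ((new_udp_port,) if new_udp_port else ()):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if current_tcp_port == new_tcp_port and new_udp_port is None:
        plan.notes.append("no change requested")
        return plan

    plan.commands.append("config system settings")
    if new_udp_port is not None:
        plan.commands.append(f"    set ike-port {new_udp_port}")
    if current_tcp_port != new_tcp_port:
        plan.commands.append(f"    set ike-tcp-port {new_tcp_port}")
        plan.notes.append("all IPsec tunnels (UDP and TCP) are flushed when ike-tcp-port changes")
    plan.commands.append("end")

    # The article's trigger: affected release AND the change starts from TCP 4500.
    if (current_tcp_port != new_tcp_port
            and current_tcp_port == DEFAULT_IKE_TCP_PORT
            and is_affected_version(version)):
        plan.restart_required = True
        plan.commands.append("diagnose vpn ike restart")
        # Dial-up with both ports changed: restart may not bring tunnels back.
        udp_changed = new_udp_port is not None and new_udp_port != DEFAULT_IKE_UDP_PORT
        if dialup and udp_changed:
            plan.may_not_recover = True
            plan.notes.append("dial-up with both ports changed: restart may not recover "
                              "tunnels; upgrade to 7.4.8 or 7.6.0")

    # Post-change check (assumed verification step; a real FortiOS command).
    plan.commands.append("get vpn ipsec tunnel summary")
    return plan


if __name__ == "__main__":
    p = plan_ike_tcp_port_change("v7.4.5", 4500, 4501, new_udp_port=5000, dialup=True)
    print("\n".join(p.commands))
    print("restart required:", p.restart_required, "| may not recover:", p.may_not_recover)
```

The decision is keyed on the port the change starts from, not the port it goes to, which is exactly the distinction the two examples above draw: a 4500 to 4501 move on an affected release gets the restart, a later 4501 to 4502 move does not.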