FortiGate
pginete
Staff
Article Id 276164
Description

This article describes how to fix the traffic that is getting load balanced via an IPsec VPN tunnel between the devices in an HA Cluster on FortiGate Azure.

Scope

FortiGate.
Solution

The setup is HA active-passive using unicast FortiGate Clustering Protocol (FGCP) HA with external and internal Azure load balancer (LB).


[Figure: HA topology diagram (pginete_0-1695783990837.png)]


After an HA failover, some traffic via the IPsec VPN tunnel is working and some is getting dropped. The traffic is actually getting load balanced between devices in the HA Cluster.

As a workaround, flush the affected IPsec VPN tunnel on the FortiGate:

diag vpn tunnel flush name <tunnel_name>


If multiple IPsec tunnels are affected, restart the IKE process instead:

diag vpn ike restart


To fix the issue permanently, change the session persistence of the Azure external load balancer's load-balancing rule(s) to 'Client IP and protocol'. With the default hash-based distribution, the IKE and ESP/NAT-T flows of one VPN peer can be sent to different cluster members after a failover; client IP and protocol persistence keeps all flows from the same peer and protocol on the same backend instance.

Configure the distribution mode for Azure Load Balancer

Azure Load Balancer distribution modes
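The same change applied from the Azure CLI instead of the portal, as an added example that is not part of the Fortinet article and not Fortinet tooling. It maps the portal's session-persistence label to the value `az network lb rule update --load-distribution` expects, updates each load-balancing rule, and reads the setting back. The resource group, load balancer and rule names are assumed placeholders, not values from the article; the script prints the commands only (dry run) unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): switch Azure external
# load-balancer rules to "Client IP and protocol" session persistence with
# the Azure CLI and verify the result. Names below are assumed placeholders.
set -eu

RG="${RG:-fgt-ha-rg}"                         # assumed resource group
LB="${LB:-fgt-external-lb}"                   # assumed external load balancer
RULES="${RULES:-ike-udp-500 ike-udp-4500}"    # assumed rule names, space separated
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print the commands only

# Translate the portal's session-persistence label into the enum value used
# by `az network lb rule create/update --load-distribution`.
persistence_to_cli() {
  case "$1" in
    "None")                   echo "Default" ;;
    "Client IP")              echo "SourceIP" ;;
    "Client IP and protocol") echo "SourceIPProtocol" ;;
    *) echo "unknown session persistence: $1" >&2; return 1 ;;
  esac
}

# Build the update command for one rule and return it as text so it can be
# reviewed (or logged for change control) before it is executed.
build_update_cmd() {
  rg="$1"; lb="$2"; rule="$3"; mode="$4"
  printf 'az network lb rule update --resource-group %s --lb-name %s --name %s --load-distribution %s' \
    "$rg" "$lb" "$rule" "$(persistence_to_cli "$mode")"
}

# Read the current distribution mode of one rule back from Azure
# (requires a logged-in Azure CLI).
current_persistence() {
  az network lb rule show --resource-group "$1" --lb-name "$2" --name "$3" \
    --query loadDistribution -o tsv
}

for rule in $RULES; do
  cmd="$(build_update_cmd "$RG" "$LB" "$rule" "Client IP and protocol")"
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] $cmd"
  else
    eval "$cmd"
    actual="$(current_persistence "$RG" "$LB" "$rule")"
    if [ "$actual" != "SourceIPProtocol" ]; then
      echo "rule $rule still uses distribution mode $actual" >&2
      exit 1
    fi
    echo "rule $rule now uses $actual"
  fi
done
```

Run it once with the default dry run to review the generated commands, then with `DRY_RUN=0 RG=<rg> LB=<lb> RULES="<rule> ..." sh script.sh` to apply and verify; every rule that carries VPN traffic (IKE on UDP 500, NAT-T on UDP 4500) needs the same distribution mode, otherwise one of the flows can still land on the other cluster member.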
The traffic over an IPsec VPN tunnel will now work as expected and will not get load-balanced after an HA failover.