FortiGate
anoushiravan
Staff
Article Id 398890
Description

This article describes the reason behind the user VPN disconnection issue when the same IP pool is enabled under multiple dynamic IPsec tunnels, with a different user group enabled on each IPsec tunnel.

Scope
FortiGate.
Solution

The same IP pool cannot be used on multiple IPsec tunnels on a FortiGate. If it is configured this way, only one user can be connected to the VPN at a time: the first connected VPN user is disconnected as soon as the second VPN user connects. This is expected behavior when users from different groups use the same IP pool.

 

During the IKE negotiation, the IKE daemon maps the IPsec tunnel to the user based on the user group enabled in phase 1. Once the user is successfully authenticated, the first available IP from the IP pool is assigned to the user. When a second user connects to the VPN through the other tunnel and is successfully authenticated, the IKE daemon assigns the first IP of that tunnel's pool to the second user by releasing it from the first connected VPN user. As a result, the first connected VPN user is disconnected, and the second VPN user is connected to the VPN.

 

Below is a configuration example with two different user groups (local users and an LDAP group), followed by the debug output, which shows that the first connected VPN user is disconnected as soon as the second VPN user connects when the same IP pool is configured on both tunnels.

 

  • Two different user groups for each IPsec tunnel:

 

config user local
    edit "tester"
        set type password
        set passwd *****
    next
end

config user group
    edit "ldap.users"
        set member "fortiserver.ldap" "zilan"
        config match
            edit 1
                set server-name "fortiserver.ldap"
                set group-name "CN=ldap.group,DC=fortiserver,DC=com"
            next
        end
    next
    edit "local.users"
        set member "tester"
    next
end

 

  • Two IPsec tunnels with different user groups in phase 1:

 

config vpn ipsec phase1-interface
    edit "fct.1"
        set type dynamic
        set interface "port4"
        set mode aggressive
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256
        set xauthtype auto
        set authusrgrp "local.users" <-----
        set ipv4-start-ip 10.180.1.1
        set ipv4-end-ip 10.180.1.10
        set psksecret ENC ESywuF*****
    next
end

config vpn ipsec phase1-interface
    edit "fct.2"
        set type dynamic
        set interface "port4"
        set mode aggressive
        set mode-cfg enable
        set proposal aes128-sha1 aes256-sha1
        set xauthtype auto
        set authusrgrp "ldap.users" <-----
        set ipv4-start-ip 10.180.1.1
        set ipv4-end-ip 10.180.1.10
        set psksecret ENC nHAEM/GvwL7KP/dEu*****
    next
end
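As an added example (not part of this article and not FortiOS code): a small Python audit script that parses the config vpn ipsec phase1-interface table from a FortiGate configuration backup and reports dynamic tunnels whose mode-cfg IPv4 pools overlap, which is exactly the condition this article describes. The embedded sample configuration is constructed from the two tunnels above, reduced to the settings the check needs.

```python
from ipaddress import IPv4Address
from itertools import combinations

# Constructed sample, reduced from this article's two tunnels: both dynamic
# phase1 interfaces hand out the same 10.180.1.1-10.180.1.10 mode-cfg pool.
SAMPLE_CONFIG = """config vpn ipsec phase1-interface
    edit "fct.1"
        set type dynamic
        set authusrgrp "local.users"
        set ipv4-start-ip 10.180.1.1
        set ipv4-end-ip 10.180.1.10
    next
    edit "fct.2"
        set type dynamic
        set authusrgrp "ldap.users"
        set ipv4-start-ip 10.180.1.1
        set ipv4-end-ip 10.180.1.10
    next
end
"""

def parse_phase1(text):
    """Return {tunnel: {setting: value}} for each phase1-interface entry."""
    tunnels, current, depth, in_section = {}, None, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # only the top-level table we care about
                in_section = line == "config vpn ipsec phase1-interface"
        elif line == "end":
            depth -= 1
        elif not in_section or depth != 1:
            continue  # other tables, or nested sub-tables inside a tunnel
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return tunnels

def find_shared_pools(tunnels):
    """Pairs of dynamic tunnels whose mode-cfg IPv4 pools overlap."""
    pools = {n: (IPv4Address(s["ipv4-start-ip"]), IPv4Address(s["ipv4-end-ip"]))
             for n, s in tunnels.items()
             if s.get("type") == "dynamic" and "ipv4-start-ip" in s and "ipv4-end-ip" in s}
    return [(a, b) for (a, (a_lo, a_hi)), (b, (b_lo, b_hi)) in combinations(pools.items(), 2)
            if a_lo <= b_hi and b_lo <= a_hi]  # closed ranges intersect
```

Each reported pair is a set of tunnels on which only one user can stay connected at a time; give each tunnel its own non-overlapping ipv4-start-ip/ipv4-end-ip range to clear the finding.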

 

As seen in the ike debug output below, the first VPN user (local user) connects to the VPN and the IKE daemon assigns the first IP of the pool, 10.180.1.1, to that user:

 

2025-06-30 13:59:39.847399 ike V=root:0:fct.1:1720: add route 10.180.1.1/255.255.255.255 gw 10.180.1.1 oif fct.1(1364) metric 15 priority 1
2025-06-30 13:59:39.849412 ike V=root:0:fct.1_0:1065:fct:1720: tunnel 1 of VDOM limit 0/0
2025-06-30 13:59:39.850493 ike V=root:0:fct.1_0:1065:fct:1720: add IPsec SA: SPIs=14b059d8/08b06a3f

 

FortiGate # diagnose vpn ike gateway list

vd: root/0
name: fct.1_0
version: 1
interface: port2 6
addr: 10.109.19.113:500 -> 10.122.5.128:500
tun_id: 10.180.1.1/::10.0.0.19
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 169.254.1.1 -> 169.254.1.1
created: 6s ago
xauth-user: tester  <-----
2FA: no
peer-id: 10.122.5.128
peer-id-auth: no
FortiClient UID: C8EB53AFF0A8481882EF763955C9092B
assigned IPv4 address: 10.180.1.1/255.255.255.255  <-----
pending-queue: 0
IKE SA: created 1/1 established 1/1 time 100/100/100 ms
IPsec SA: created 1/1 established 1/1 time 190/190/190 ms

id/spi: 1065 120a6649c20e9794/1c30a00c2ba187b8
direction: responder
status: established 6-6s ago = 100ms
proposal: aes128-sha256
key: 5d8b2466c41d7f85-fae71cfef9600e36
QKD: no
lifetime/rekey: 86400/86123
DPD sent/recv: 00000000/00000000
peer-id: 10.122.5.128

 

As soon as the second VPN user (LDAP user) connects to the VPN, the first connected VPN user (local user) is disconnected, because the IKE daemon releases the first assigned IP from the first user and assigns the same IP to the second VPN user (LDAP user):

 

2025-06-30 13:59:54.413386 ike V=root:0:fct.2_0:1066:fct.2:1727: add dynamic IPsec SA selectors 282
2025-06-30 13:59:54.414564 ike V=root:0:fct.2_0:1066:fct.2:1727: added dynamic IPsec SA proxyids new 1 282
2025-06-30 13:59:54.415801 ike V=root:0:fct.1:1720: moving route 10.180.1.1/255.255.255.255 oif fct.1(1364) metric 15 priority 1 to 0:fct.2:1727 <----- The route is moved from the first tunnel fct.1 to the second tunnel fct.2.
2025-06-30 13:59:54.417456 ike V=fct.1:0:fct.1:1720: del route 10.180.1.1/255.255.255.255 tunnel 10.180.1.1 oif fct.1(1364) metric 15 priority 1
2025-06-30 13:59:54.419296 ike V=root:0:fct.1_0: going to be deleted
2025-06-30 13:59:54.420487 ike V=root:0:fct.1_0: sent tunnel-down message to EMS: (fct-uid=C8EB53AFF0A8481882EF763955C9092B, intf=fct.1_0, addr=10.180.1.1, vdom=root)
2025-06-30 13:59:54.422350 ike V=root:0:fct.1_0: flushing
2025-06-30 13:59:54.423117 ike V=root:0:fct.1_0: deleting IPsec SA with SPI 08b06a3f
2025-06-30 13:59:54.424176 ike V=root:0:fct.1_0:fct: deleted IPsec SA with SPI 08b06a3f, SA count: 0
2025-06-30 13:59:54.425347 ike V=root:0:fct.1_0: sending SNMP tunnel DOWN trap for fct
2025-06-30 13:59:54.426830 ike V=root:0:fct.1_0: remote selector down event 10.180.1.1 (devidx=1364)
2025-06-30 13:59:54.428239 ike V=root:0:fct.1_0:fct: delete
2025-06-30 13:59:54.429029 ike V=root:0:fct.1_0:1065: send IPsec SA delete, spi 14b059d8
2025-06-30 13:59:54.435019 ike V=root:0:fct.1_0:1065: sent IKE msg (IPsec SA_DELETE-NOTIFY): 10.109.19.113:500->10.122.5.128:500, len=92, vrf=0, id=120a6649c20e9794/1c30a00c2ba187b8:e441b633
2025-06-30 13:59:54.437177 ike V=root:0:fct.1_0: flushed
2025-06-30 13:59:54.438008 ike V=root:0:fct.1_0:1065: send IKE SA delete 120a6649c20e9794/1c30a00c2ba187b8
2025-06-30 13:59:54.462476 ike V=root:0:fct.1_0:1065: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 10.109.19.113:500->10.122.5.128:500, len=108, vrf=0, id=120a6649c20e9794/1c30a00c2ba187b8:82665bfc
2025-06-30 13:59:54.464700 ike V=root:0:fct.1_0: mode-cfg release 10.180.1.1/255.255.255.255
2025-06-30 13:59:54.465800 ike V=root:0:fct.1_0: delete dynamic
2025-06-30 13:59:54.466634 ike V=root:0:fct.2:1727: add route10.180.1.1/255.255.255.255 gw 10.0.0.12 oif fct.2(1362) metric 15 priority 1 <----- The route is added for the second VPN user on tunnel fct.2.

 

FortiGate # diagnose vpn ike gateway list

vd: root/0
name: fct.2_0
version: 1
interface: port4 11
addr: 10.109.19.113:4500 -> 10.109.16.64:9617
tun_id: 10.0.0.12/::10.0.0.20
remote_location: 0.0.0.0
network-id: 0
transport: UDP
virtual-interface-addr: 169.254.2.1 -> 169.254.2.1
created: 9s ago
xauth-user: zilan  <----- LDAP user.
2FA: no
peer-id: 10.118.3.214
peer-id-auth: no
FortiClient UID: 4897A97BBF32403C9DACF0DF89F21D36
assigned IPv4 address: 10.180.1.1/255.255.255.255  <-----
nat: peer
pending-queue: 0
IKE SA: created 1/1 established 1/1 time 100/100/100 ms
IPsec SA: created 1/1 established 1/1 time 260/260/260 ms

id/spi: 1066 8a5abd1521b732e4/06fdab9ad00b7825
direction: responder
status: established 9-9s ago = 100ms
proposal: aes128-sha1
key: 34c00c7ea485f460-7dee000b38608c1a
QKD: no
lifetime/rekey: 86400/86120
DPD sent/recv: 00000000/00000000
peer-id: 10.118.3.214