Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HenleyAndersen
New Contributor

Have a question? FortiOS

 

Hi all,

 

Have a question..

There is an old bug in FortiOS and FortiManager that allows you to set too long Phase1 names. This can cause problems when the FGT runs out of space on creating new dialup instances due to enumeration.

So how can I flush those enumerations to have FortiOS start anew at 0 (even if this means shutting down all currently dialled-in instances to avoid enumeration conflicts)?

ede_pfau
Esteemed Contributor III

Hi,

you can 'flush' the VPN tunnel by CLI:

diagnose vpn tunnel flush my-phase1-name

See https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-flush-a-VPN-tunnel/ta-p/196631?exte...

 

But of course the way to fix this is to re-create the tunnel with a shorter phase1 name. I think the limit is 15 chars, and is well known/documented. So, 13 chars for the name plus "_0" for up to 10 users. Unfortunately, the max number of users will only be displayed on an existing tunnel.

 

For a tunnel already in use, deleting and recreating can be cumbersome. The way I do this:

- save the config to disk

- search & replace the phase1 name to something shorter

- restore this config file to the FGT - this will REBOOT the firewall!

 

Last time I checked this, I created a dialup tunnel in GUI and it displayed a warning when I entered 14 chars:

 


 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
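An added example, not part of ede_pfau's reply or any Fortinet tool, that scripts the "search & replace the phase1 name" step on a saved backup and checks the new name against the 15-character limit quoted above. It assumes the usual backup syntax (`config vpn ipsec phase1-interface`, `set phase1name`, `set srcintf`) and that each dialup instance is named `phase1name_N`; the config excerpt is constructed.

```python
import re

# Interface-name limit quoted in the reply above (assumption: it covers the
# phase1 name plus the "_N" suffix FortiOS appends to each dialup instance).
MAX_IFACE_NAME = 15


def dialup_capacity(phase1_name: str, limit: int = MAX_IFACE_NAME) -> int:
    """How many dialup instances name_0, name_1, ... fit inside `limit` chars.
    With d digits left for the index, indices 0 .. 10**d - 1 fit, i.e. 10**d."""
    digits = limit - len(phase1_name) - 1  # one char is taken by the underscore
    return 10 ** digits if digits > 0 else 0


def rename_phase1(config_text: str, old: str, new: str) -> tuple[str, int]:
    """Rewrite every quoted reference to `old` in a FortiOS config backup.
    Only the exact quoted token ("old") is replaced, so names that merely start
    with the old name (e.g. a phase2 called "old-p2") are left untouched.
    Returns the new text and the number of references rewritten."""
    if dialup_capacity(new) == 0:
        raise ValueError(f"{new!r} leaves no room for the _N instance suffix")
    pattern = re.compile('"' + re.escape(old) + '"')
    return pattern.subn(f'"{new}"', config_text)


# Constructed, abbreviated backup excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "RemoteDialupUsersLong"
        set type dynamic
        set interface "wan1"
    next
end
config vpn ipsec phase2-interface
    edit "RemoteDialupUsersLong-p2"
        set phase1name "RemoteDialupUsersLong"
    next
end
config firewall policy
    edit 1
        set srcintf "RemoteDialupUsersLong"
        set dstintf "port1"
    next
end
"""

if __name__ == "__main__":
    print("instances for a 13-char name:", dialup_capacity("A" * 13))  # 10
    text, count = rename_phase1(SAMPLE_CONFIG, "RemoteDialupUsersLong", "RemDialup")
    print(f"{count} references rewritten")
    print(text)
```

Review the rewritten file before restoring it, since the restore reboots the firewall as the reply notes.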