Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Honored Contributor

IPSec Dialup Tunnel enumeration reset?



there is an old bug in FortiOS and FortiManager that allows you to set too long Phase1 names. This can cause problems wenn the FGT runs out of space on creating new dialup instances due to enumeration.


This means: 

when you create a dial up ipsec tunnel named "dial_up1" then each dial up instance will be added with a number. So the first will bei dial_up1_0 then and so on. Now if your phase1 name is too long it can happen that this exceeds the length limit for phase1 names that is there in Fortinet. 

I do not understand why for ages fortinet did not implement handling of this limit for dial up tunnels. 
FMG seems not to handle that at all. The FortiGate does handle it for phase1 names in general but does not implement that - if it is a dial up tunnel - it has to reserve up to 4 digits (1000 conurrent possible connections) for enumeration.

Also it looks to me as if the FGT keeps enumerating on and does not flush the enumeration once that tunnel instance goes down. Instead it even caches that somewhere because even after flushing phase1 the incoming connections on that tunnel still get the same enumeration.


So how can I flush those enumerations the have FortiOS start anew at 0 (even if this means shutting down all currently dialled in instances to avoid enumeration conflicts)?


Additionally it is unfortunately impossible to simply rename the tunnel via FMG or FortiOS. In FOrtiOS you cannot at all. FMG lets you rename it in device manager but cannot roll that out because internally that means it would delete the tunnel and recreate it with new name instead of renaming it.  The only way to correct hat would be to delete all references and then the tunnel, recreate it with new shorter name and then recreate all the references...


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams