Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jochemke
New Contributor

VPN not accepting new connections

Hi all,

 

Since our update to firmware 7.0.2, we have been experiencing issues when trying to log in to our VPN.

At random times our VPN stops accepting new connections. Users who are already connected (32 at the moment) can keep using the VPN as if there were no problem. Users who want to connect to the VPN receive an error saying the connection details or the credentials are wrong (which are correct and validated). After a reboot or HA failover, the VPN starts accepting new connections again.

 

It is worth noting that our CPU usage is at about 50-70% but our memory usage is at 89-90%. 

 

3 REPLIES
sw2090
Honored Contributor

If it is a dial-up, you might have run into the same issue I ran into today again.

I consider this a bug in FortiOS (and FMG). For dial-up tunnel names, FortiOS unfortunately does not subtract the space it needs for the enumeration of the dial-up instances from the maximum length of the tunnel name. This allows you to set tunnel names that are too long, and this can result in the FGT running out of space for the name (enumeration plus the length limit for tunnel names). If that happens, no new instances can be established.

A reboot of the FGT will obviously make it lose the enumeration cache, and it will start at zero again...

Maybe simply try to shorten the name of your tunnel? That would be the easiest fix for this issue (although it is still annoying, since Fortinet never implemented renaming of objects like interfaces or tunnels in FortiOS, so you have to delete all references and then the tunnel, and then recreate them in reverse order).

 

Btw, this is an old bug that already existed in 6.0 or earlier and still exists...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Julien87
New Contributor III

Hi, 

Yes, I had this problem on a dynamic phase (shortcut): the limit is 15 characters for the name of the phase.

And the error message is not 'explicit'.

You can check the number of characters for phase2.

 

Best Regards,

 

Julien
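As an added example (not code from the thread, from either poster, or from Fortinet), here is a small script that audits a FortiGate configuration backup for the name-length problem sw2090 and Julien87 describe: it parses the `phase1-interface` and `phase2-interface` blocks, reports any name over the 15-character limit Julien87 mentions, and separately warns about dial-up (`set type dynamic`) phase1 names that leave no room for an instance suffix. The suffix format (`_0`, `_1`, ...) and its two-character reservation are assumptions made for the check, as is the sample configuration, which is constructed for this example and not taken from a real device.

```python
import re

# Constructed sample of a FortiGate config backup excerpt (made up for this
# example; not from a real device). Names are chosen to exercise each check.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "BranchDialup-Users"
        set type dynamic
        set interface "wan1"
        set ike-version 2
    next
    edit "S2S-HQ"
        set type static
        set interface "wan1"
        set remote-gw 192.0.2.10
    next
    edit "RemoteUsersVPN"
        set type dynamic
        set interface "wan1"
    next
end
config vpn ipsec phase2-interface
    edit "BranchDialup-Users-p2"
        set phase1name "BranchDialup-Users"
    next
end
"""

# Assumptions for this check: a 15-character name limit (as reported in the
# thread) and a two-character "_N" enumeration suffix appended to each dial-up
# instance. Both are parameters so they can be adjusted if your unit differs.
NAME_LIMIT = 15
SUFFIX_RESERVE = 2  # room for "_N"; raise to 3 if you expect 10+ instances

SECTION_RE = re.compile(r'^config vpn ipsec (phase[12]-interface)$')
EDIT_RE = re.compile(r'^edit "([^"]+)"$')


def parse_phase_names(config_text):
    """Return one dict per phase1/phase2 entry: section, name, dynamic flag."""
    entries = []
    section = None
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            continue  # ignore everything outside the two IPsec sections
        if line == "end":
            section = None
            continue
        m = EDIT_RE.match(line)
        if m:
            current = {"section": section, "name": m.group(1), "dynamic": False}
            continue
        if current is not None and line == "set type dynamic":
            current["dynamic"] = True
        if current is not None and line == "next":
            entries.append(current)
            current = None
    return entries


def check_name_lengths(config_text, limit=NAME_LIMIT, reserve=SUFFIX_RESERVE):
    """Flag names over the limit, and dial-up names with no headroom for a suffix.

    Returns a list of (section, name, reason) tuples; empty means nothing found.
    """
    findings = []
    for e in parse_phase_names(config_text):
        n = len(e["name"])
        if n > limit:
            findings.append((e["section"], e["name"],
                             "exceeds %d-character limit (%d chars)" % (limit, n)))
        elif e["dynamic"] and n + reserve > limit:
            findings.append((e["section"], e["name"],
                             "dial-up: only %d char(s) left for instance suffix"
                             % (limit - n)))
    return findings


if __name__ == "__main__":
    for section, name, reason in check_name_lengths(SAMPLE_CONFIG):
        print("%s: %r %s" % (section, name, reason))
```

Run it against a real backup by reading the file into `check_name_lengths` instead of `SAMPLE_CONFIG`; an empty result means every phase name fits within the limit with room for the enumeration suffix.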
Harbib
Staff

The memory usage might be a contributing factor towards the connection not being accepted, especially should the FGT enter conserve mode. You can try bringing the memory usage down to a lower value first and then test the connection again.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-do-initial-troubleshooting-of...