Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jminard
New Contributor

60F IPSEC VPN Stops passing traffic

I deployed 2 different customers with a 60F at their main office and 60E's at their 3 remote sites last weeks. The VPNs come up and stay up, but at random times the VPNs will just stop passing traffic. If I bring the tunnels down from the main office, things immediately come back up (due to auto-negotiate and auto-rekey being enabled) and traffic usually starts flowing right away again, but sometimes I have to bounce the tunnel on the remote device as well. These are very basic setups, which I've done many times before with 60D and 60E devices. Anyone else have issues like this with the 60F? Everything is running 6.0.9, and I'm afraid to try 6.2.3 since the known issues list is pretty long and I think it will do more harm than good to upgrade. I'm working on getting them swapped for E's to see if it is the new hardware series. 

5 REPLIES 5
ByterunnerHome
New Contributor

Hi,

if keepalive on?

regrads Byte

jminard

yes, auto-negotiate is enabled, which in turn appears to automatically enable auto-rekey as it shows as enabled and grayed out in the gui, so I can't de-select it in the GUI. And from what I read in https://kb.fortinet.com/kb/documentLink.do?externalID=12069, they can be used together. But when I look at the configs, I only see set auto-negotiate enable on the various phase 2's. I might have to see if I can manually enter the "set keep alive enable" command in the CLI.

jminard

So it appears I can't use "set keepalive enable" (I mistakenly had a space in my last post), if I already have "set auto-negotiate enable"  in the phase 2 settings. So would that confirm that if auto-negotiate is enabled, then keepalive is automatically enabled like it appears to be in the GUI? I searched before and couldn't really find confirmation from Fortinet.

jminard

I posted in reddit too. In case anyone else is struggling with this, it appears the fix is:

 

config vpn ipsec phase1-interface

edit <tunnelname>

set npu-offload disable

end

 

Huge thanks to reddit user shsheikh and others for providing such quick responses over there! 

 

https://www.reddit.com/r/fortinet/comments/fo98mb/site_to_site_vpn_woes_with_60f/

Bider
New Contributor

Hello,

I have the same problem with FG 60F ,

Did you find solution can help?

Labels
Top Kudoed Authors