I deployed 2 different customers with a 60F at their main office and 60E's at their 3 remote sites last week. The VPNs come up and stay up, but at random times the VPNs will just stop passing traffic. If I bring the tunnels down from the main office, things immediately come back up (due to auto-negotiate and auto-rekey being enabled) and traffic usually starts flowing right away again, but sometimes I have to bounce the tunnel on the remote device as well. These are very basic setups, which I've done many times before with 60D and 60E devices. Anyone else have issues like this with the 60F? Everything is running 6.0.9, and I'm afraid to try 6.2.3 since the known issues list is pretty long and I think it will do more harm than good to upgrade. I'm working on getting them swapped for E's to see if it is the new hardware series.
Hi,
Is keepalive on?
Regards, Byte
Yes, auto-negotiate is enabled, which in turn appears to automatically enable auto-rekey, as it shows as enabled and grayed out in the GUI, so I can't de-select it there. And from what I read in https://kb.fortinet.com/kb/documentLink.do?externalID=12069, they can be used together. But when I look at the configs, I only see set auto-negotiate enable on the various phase 2's. I might have to see if I can manually enter the "set keep alive enable" command in the CLI.
So it appears I can't use "set keepalive enable" (I mistakenly had a space in my last post), if I already have "set auto-negotiate enable" in the phase 2 settings. So would that confirm that if auto-negotiate is enabled, then keepalive is automatically enabled like it appears to be in the GUI? I searched before and couldn't really find confirmation from Fortinet.
I posted in reddit too. In case anyone else is struggling with this, it appears the fix is:
```
config vpn ipsec phase1-interface
    edit <tunnelname>
        set npu-offload disable
end
```
Huge thanks to reddit user shsheikh and others for providing such quick responses over there!
https://www.reddit.com/r/fortinet/comments/fo98mb/site_to_site_vpn_woes_with_60f/
Hello,
I have the same problem with the FG 60F.
Did you find a solution that can help?