I'm proofing out an SD-WAN/AD-VPN configuration prior to replacing all of our site-to-site tunnels and have one question. Everything in my setup is working brilliantly, except that the shortcuts between the spokes seem to be persistent. I had assumed that by default they would tear down after being idle for a time? Is this the case, or is it something else that needs to be configured?
I've been following Fortinet's SD-Branch Deployment Guide in building this out.
Hi @qaajak,
The following articles might help you:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-a-client-to-site-C2S-IPsec-tun...
Best regards,
I've read both of those, and after setting the idle-timeout, I noticed this strange behavior in the IPSEC monitor (a second phase 2 showing down), which made me wonder if I was doing something wrong.
Hi @qaajak,
In the output below, do you see both phase2 (up and down) or just one?
show vpn ipsec phase1-interface
show vpn ipsec phase2-interface
diag vpn ike gateway list
diag vpn ike gateway summary
diag vpn ike gateway list name <vpn-name>
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-ADVPN-with-SD-WAN-troubleshooting/ta...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-ADVPN/ta-p/199348
Best regards,
The commands "diag vpn ike gateway summary" and "diag vpn ike gateway list name <vpn-name>" are not available to me (This gate is on 7.0.14). But when I run "get vpn ipsec tunnel summary" I get "spoke1_0' [xxx.xxx.xxx.xxx]:0 selectors(total,up): 2/1 rx(pkt,err): 0/0 tx(pkt,err): 0/2". So yes, it shows one up and one down.
I'm wondering why it's creating a second phase 2 if I enable idle-timeout.
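As an added example that is not part of the thread: a small parser for the `get vpn ipsec tunnel summary` output quoted above, which flags tunnels whose selectors are only partially up (the 2/1 condition the poster sees) and tunnels with TX errors but no TX packets. The line layout is inferred from the single line quoted in the post, and the sample output below is constructed.

```python
import re
from dataclasses import dataclass

# One line of "get vpn ipsec tunnel summary". Spacing and the optional
# quote/bracket handling are assumptions based on the line quoted in the thread.
LINE_RE = re.compile(
    r"'?(?P<name>[^'\s]+)'\s+\[?(?P<peer>[^\]\s:]+)\]?:(?P<port>\d+)\s+"
    r"selectors\(total,up\):\s*(?P<sel_total>\d+)/(?P<sel_up>\d+)\s+"
    r"rx\(pkt,err\):\s*(?P<rx_pkt>\d+)/(?P<rx_err>\d+)\s+"
    r"tx\(pkt,err\):\s*(?P<tx_pkt>\d+)/(?P<tx_err>\d+)"
)

@dataclass
class TunnelSummary:
    name: str
    peer: str
    sel_total: int
    sel_up: int
    rx_pkt: int
    rx_err: int
    tx_pkt: int
    tx_err: int

    def partially_down(self) -> bool:
        # At least one phase 2 selector is not up (e.g. "2/1" in the thread).
        return self.sel_up < self.sel_total

    def tx_failing(self) -> bool:
        # Transmit errors with no transmitted packets: traffic is being
        # dropped rather than carried by the tunnel.
        return self.tx_err > 0 and self.tx_pkt == 0

def parse_summary(text: str) -> list[TunnelSummary]:
    tunnels = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines in a layout we do not recognise
        g = m.groupdict()
        tunnels.append(TunnelSummary(
            g["name"], g["peer"],
            *(int(g[k]) for k in ("sel_total", "sel_up", "rx_pkt",
                                  "rx_err", "tx_pkt", "tx_err"))))
    return tunnels

def degraded(tunnels: list[TunnelSummary]) -> list[str]:
    return [t.name for t in tunnels if t.partially_down() or t.tx_failing()]

# Constructed sample output (addresses from documentation ranges).
SAMPLE = """
'spoke1_0' [203.0.113.10]:0 selectors(total,up): 2/1 rx(pkt,err): 0/0 tx(pkt,err): 0/2
'hub_0' [198.51.100.1]:0 selectors(total,up): 1/1 rx(pkt,err): 120/0 tx(pkt,err): 98/0
'spoke2_0' [203.0.113.20]:0 selectors(total,up): 1/0 rx(pkt,err): 0/0 tx(pkt,err): 0/5
"""
```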