Hi all,
My situation:
I run SD-WAN using ADVPN with BGP on loopback between HQ and 4 branches; HQ is the hub and the branches are spokes.
When Branch 1 talks to Branch 2, the spoke-to-spoke tunnel is established successfully. I set up a tunnel idle timeout, and the tunnel goes down after 10 minutes if there is no traffic, which is good.
But I have Br03 and Br04, which always talk to each other, so the spoke-to-spoke tunnel will not go down after 10 minutes (which is correct).
I set the Phase 1 lifetime to 1 day and the Phase 2 lifetime to 12 hours. And I saw trouble here:
- After 1 day, the spoke-to-spoke tunnel between Br03 and Br04 is re-established but it has trouble. I saw in the logs that it is stuck at action: delete_phase1_sa for around 5 minutes. After around 5 minutes the spoke-to-spoke tunnel has no issue and works fine. And I saw in the log that after 5 minutes only spoke-to-spoke goes down.
During those 5 minutes, the trouble causes loss of connection between Br03 and Br04.
My connections: each BR has 2 ISP lines; the BR03 tunnel on ISP1 connects to the BR04 tunnel on ISP1, and likewise BR03 ISP2 <--> BR04 ISP2, using IKEv2. All FortiGate firewalls are running FortiOS 7.4.4.
Actually, I still don't understand what is wrong. Hope to get suggestions, thanks so much!
Hi tungnx59,
The deletion of the Phase 1 SA is part of the rekeying process. The log message confirms that the VPN tunnel’s existing SA has been removed to allow a new SA to be negotiated. This is a common practice in IPsec VPNs to refresh encryption keys or when SA lifetimes expire. The FortiGate continues to manage traffic while ensuring that the negotiation of a new SA does not interrupt the VPN connection.
Please refer to the below document for more information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-IPsec-Phase1-SA-Deleted-Log-...
Thanks for your reply,
I don't understand. If "the FortiGate continues to manage traffic while ensuring that the negotiation of a new SA does not interrupt the VPN connection", why does this action cause loss of connection between the 2 sites? Maybe BGP cannot update routes via the spoke-to-spoke tunnel during the IPsec rekey.
And I saw an error log at the start time of the issue: FGT03 received an SPI error from FGT04 on 4500.
You can see a lot of delete SA phase 1 messages. After ~5 minutes, this situation is finished and the spoke-to-spoke tunnel is fine.
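To tell a normal rekey (a single delete_phase1_sa per peer) from the kind of 5-minute burst described above, the deletes can be clustered per remote gateway. The script below is an added example, not from this thread or from Fortinet; the log lines are constructed in FortiGate key=value style with made-up timestamps and addresses, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN event log lines (FortiGate-style key=value, values made up).
# Peer 203.0.113.4 shows repeated Phase 1 SA deletes during one rekey;
# peer 198.51.100.7 shows a single, normal delete.
SAMPLE_LOGS = """\
date=2024-06-01 time=02:00:05 type="event" subtype="vpn" action="delete_phase1_sa" remip=203.0.113.4 msg="IPsec phase 1 SA deleted"
date=2024-06-01 time=02:00:35 type="event" subtype="vpn" action="delete_phase1_sa" remip=203.0.113.4 msg="IPsec phase 1 SA deleted"
date=2024-06-01 time=02:01:10 type="event" subtype="vpn" action="negotiate" remip=203.0.113.4 msg="progress IPsec phase 1"
date=2024-06-01 time=02:01:40 type="event" subtype="vpn" action="delete_phase1_sa" remip=203.0.113.4 msg="IPsec phase 1 SA deleted"
date=2024-06-01 time=02:03:10 type="event" subtype="vpn" action="delete_phase1_sa" remip=203.0.113.4 msg="IPsec phase 1 SA deleted"
date=2024-06-01 time=02:04:50 type="event" subtype="vpn" action="delete_phase1_sa" remip=203.0.113.4 msg="IPsec phase 1 SA deleted"
date=2024-06-01 time=02:30:00 type="event" subtype="vpn" action="delete_phase1_sa" remip=198.51.100.7 msg="IPsec phase 1 SA deleted"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict; adds a 'ts' datetime from date+time."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "date" not in fields or "time" not in fields:
        return None
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def find_rekey_storms(log_text, min_events=3, max_gap=timedelta(minutes=2)):
    """Cluster delete_phase1_sa events per remote gateway; consecutive deletes closer
    than max_gap belong to one cluster. Clusters with >= min_events are reported as
    (remip, first_delete, last_delete, count). min_events/max_gap are assumed thresholds."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.get("action") == "delete_phase1_sa" and "remip" in ev:
            by_peer[ev["remip"]].append(ev["ts"])
    storms = []
    for peer, times in by_peer.items():
        times.sort()
        cluster = [times[0]]
        for t in times[1:]:
            if t - cluster[-1] <= max_gap:
                cluster.append(t)
            else:
                if len(cluster) >= min_events:
                    storms.append((peer, cluster[0], cluster[-1], len(cluster)))
                cluster = [t]
        if len(cluster) >= min_events:
            storms.append((peer, cluster[0], cluster[-1], len(cluster)))
    return storms

if __name__ == "__main__":
    for peer, start, end, n in find_rekey_storms(SAMPLE_LOGS):
        print(f"{peer}: {n} Phase 1 deletes over {(end - start).total_seconds():.0f}s starting {start}")
```

Feeding a real `execute log filter` export or syslog capture to `find_rekey_storms` shows which peer and time window the burst belongs to, which is what to line up against the BGP neighbor state on the spoke.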