Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tungnx59
New Contributor II

Created on ‎12-20-2024 08:07 PM Edited on ‎12-20-2024 09:04 PM

ADVPN Shortcut stuck in delete SA phase 1

Hi all, 

My situation:

I run SDWAN use ADVPN BGP on loopback between HQ and 4 branches, HQ is Hub and Branches is spokes.

When Branch 1 talk to Branch 2. Spoke -  Spoke tunnel is established successfully, I set up tunnel idle timeout, and tunnel is down after 10 minutes, if no traffic, it's good.

But, I have Br03 and Br04, they always talk each others, so Spoke-Spoke tunnel will not down after 10 minutes (it's correct). 

I set Lifetime phase 1 :1days and Lifetime phase 2: 12 Hours. And I saw trouble here:

 - After 1 days. spoke-spoke  tunnel between Br03 and Br04 is re-established but it has trouble, I saw in logs, it's stucked at action: delete_phase1_sa , around 5 minutes.  And after around 5 minutes, tunnel  spoke - spoke is not iusse, it working fine. And I saw log, after 5 minutes, Sopke-spoke only down.

 

During 5 minutes, the trouble make loss connection between Br03-Br04.

 

My connections: each BR has 2 ISP lines, BR03 tunnel of ISP1 connect to BR04 tunnel of ISP1, same: BR03 ISP2 <--> BR04 ISP2 , using IKEv2, and  all Firewall FGTs are using FortiOS 7.4.4.

 

Actually, I still don't understand what is wrong? Hope get suggestion , thanks so much !

Labels:
133
0 Kudos
2 REPLIES 2
kaman
Staff
Staff

Created on ‎12-21-2024 02:06 AM

Hi tungnx59,

The deletion of the Phase 1 SA is part of the rekeying process. The log message confirms that the VPN tunnel’s existing SA has been removed to allow a new SA to be negotiated. This is a common practice in IPsec VPNs to refresh encryption keys or when SA lifetimes expire. The FortiGate continues to manage traffic while ensuring that the negotiation of a new SA does not interrupt the VPN connection.

Please refer to the below document for more information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Understanding-IPsec-Phase1-SA-Deleted-Log-...


70
tungnx59
New Contributor II
In response to kaman

Created on ‎12-22-2024 07:50 AM

Thanks for your reply,

I dont understand, why do "The FortiGate continues to manage traffic while ensuring that the negotiation of a new SA does not interrupt the VPN connection ", this action make loss connection between 2 sites . Maybe BGP can not update routes via Spoke - Spoke tunnel during  IPSEC rekey.

And i saw error log at start time of issue: the FGT 03 recieved SPI error from FGT04 with 4500 

 

Capture.PNG

 

you can see a lot of message of delete SA phase 1. After ~5 mintues, this situation is finishied  and tunnel spoke-spoke is fine.

29
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.