Hey everyone,
I'm working with a FortiGate 40F setup, using an ADVPN with IPsec to connect 1 hub and 2 spokes. For routing internal traffic through the ADVPN tunnel, I'm relying on SD-WAN rules and SLA checks.
Just to add some context, I'm using my ISP’s WAN interface as the ADVPN tunnel interface, and it’s set up to get an IPv6 address from FortiGuard. That part is working smoothly—no issues with IPv6 or IPv4 internet connectivity at all.
The problem:I’m experiencing a consistent packet loss between 30% and 70% on the ADVPN tunnel interfaces, as indicated by the SD-WAN SLA ping checks. This packet loss is specific to the ADVPN tunnel interfaces, while other connections seem unaffected.
What I have tried out:
MTU adjustments (to 1380) ~~not working
Enabled FEC on one of the device ~~not working
Are there anything else i should try? I’d really appreciate any insights or advice!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello @ctyctyctctcty
Try running a sniffer on the source and destination side to see where the loss is occurring.
dia sniffer packet "host x.x.x.x and icmp" 4 0 l
Try using the above command, where x.x.x.x is the source IP address that you have on performance SLA. Run the sniffer command on the source as well as on destination FortiGate if both sides are FortiGate.
Check if one side is sending and other side is not receiving or other side receives but the returning traffic is not reaching the original source?
Hello @Umer221
I checked the VPN event logs on the hub, and it looks like whenever one tunnel (like to Spoke-A) connects, the other tunnel (to Spoke-B) disconnects. This keeps happening back and forth, so only one tunnel is active at any time, which is causing around 50% packet loss.
Phase 1 seems fine, but something seems off with Phase 2. I’ve attached a screenshot showing this pattern in the logs. Here’s the current Phase 2 config on all three devices:
set phase1name "xxxxxx"
set proposal aes128-sha256
set keepalive enable
Could you give me some suggestions about this?
Thank you!
Thank you for responding @ctyctyctctcty,
Could you check how the destination is responding configured in the Performance SLA? How SD-WAN is configured and what are the priorities.
The Phase 1 setup seems stable, but Phase 2 is where the problem arises.
This issue requires detailed analysis. I would recommend reaching out to TAC support for in-depth troubleshooting, as this issue requires in depth troubleshooting.
@Umer221
Disabling the add-route option in the VPN configuration resolved the issue.
Thank you for your guidance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.