ctyctyctctcty
New Contributor II

ADVPN Tunnel Packet Loss Issues

Hey everyone,

I'm working with a FortiGate 40F setup, using an ADVPN with IPsec to connect 1 hub and 2 spokes. For routing internal traffic through the ADVPN tunnel, I'm relying on SD-WAN rules and SLA checks.

Just to add some context, I'm using my ISP’s WAN interface as the ADVPN tunnel interface, and it’s set up to get an IPv6 address from FortiGuard. That part is working smoothly—no issues with IPv6 or IPv4 internet connectivity at all.

The problem: I’m experiencing consistent packet loss between 30% and 70% on the ADVPN tunnel interfaces, as indicated by the SD-WAN SLA ping checks. This packet loss is specific to the ADVPN tunnel interfaces, while other connections seem unaffected.

What I have tried out:
MTU adjustments (to 1380) ~~ not working
Enabled FEC on one of the devices ~~ not working

Is there anything else I should try? I’d really appreciate any insights or advice!




Umer221
Staff

Hello @ctyctyctctcty 

Try running a sniffer on the source and destination side to see where the loss is occurring.

dia sniffer packet "host x.x.x.x and icmp" 4 0 l


Try using the above command, where x.x.x.x is the source IP address that you have on the performance SLA. Run the sniffer command on the source as well as on the destination FortiGate if both sides are FortiGates.
Check whether one side is sending and the other side is not receiving, or whether the other side receives but the returning traffic is not reaching the original source.

ctyctyctctcty
New Contributor II

Hello @Umer221 

I checked the VPN event logs on the hub, and it looks like whenever one tunnel (like to Spoke-A) connects, the other tunnel (to Spoke-B) disconnects. This keeps happening back and forth, so only one tunnel is active at any time, which is causing around 50% packet loss.

Phase 1 seems fine, but something seems off with Phase 2. I’ve attached a screenshot showing this pattern in the logs. Here’s the current Phase 2 config on all three devices:

set phase1name "xxxxxx"
set proposal aes128-sha256
set keepalive enable

Could you give me some suggestions about this?

Thank you!

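The alternating tunnel-up/tunnel-down pattern described above can be pulled out of the hub's VPN event log mechanically instead of reading screenshots. The script below is an added example, not code from the thread or from Fortinet: it parses constructed key=value lines written in the FortiGate VPN event-log style (the field names `action`, `vpntunnel` and `remip` follow that layout; every value is made up) and flags each tunnel-up that is followed within a short window by a tunnel-down of a different tunnel.

```python
import re
from datetime import datetime

# Constructed sample in FortiGate key=value event-log style. Field names follow the
# VPN event-log layout; every value is made up for this example, not a real capture.
SAMPLE_LOG = """\
date=2024-05-01 time=10:00:01 type="event" subtype="vpn" action="tunnel-up" vpntunnel="advpn_0" remip=198.51.100.11
date=2024-05-01 time=10:00:03 type="event" subtype="vpn" action="tunnel-down" vpntunnel="advpn_1" remip=198.51.100.22
date=2024-05-01 time=10:00:31 type="event" subtype="vpn" action="tunnel-up" vpntunnel="advpn_1" remip=198.51.100.22
date=2024-05-01 time=10:00:33 type="event" subtype="vpn" action="tunnel-down" vpntunnel="advpn_0" remip=198.51.100.11
date=2024-05-01 time=10:01:01 type="event" subtype="vpn" action="tunnel-up" vpntunnel="advpn_0" remip=198.51.100.11
date=2024-05-01 time=10:01:02 type="event" subtype="vpn" action="tunnel-down" vpntunnel="advpn_1" remip=198.51.100.22
date=2024-05-01 time=10:05:00 type="event" subtype="vpn" action="tunnel-up" vpntunnel="advpn_2" remip=198.51.100.33
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Parse key=value lines into sorted (timestamp, action, tunnel) tuples,
    keeping only VPN tunnel-up / tunnel-down events."""
    events = []
    for line in log_text.splitlines():
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if kv.get("subtype") != "vpn" or kv.get("action") not in ("tunnel-up", "tunnel-down"):
            continue
        ts = datetime.strptime(kv["date"] + " " + kv["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, kv["action"], kv["vpntunnel"]))
    return sorted(events)


def find_seesaw(events, window_s=10):
    """Return [(up_tunnel, down_tunnel, gap_seconds)] for every tunnel-up that is
    followed within window_s by a tunnel-down of a *different* tunnel, i.e. the
    hub-side pattern where bringing up one spoke tears down the other."""
    hits = []
    for i, (t_up, action, up_tun) in enumerate(events):
        if action != "tunnel-up":
            continue
        for t_dn, action2, dn_tun in events[i + 1:]:
            gap = (t_dn - t_up).total_seconds()
            if gap > window_s:
                break  # events are sorted, nothing later can be inside the window
            if action2 == "tunnel-down" and dn_tun != up_tun:
                hits.append((up_tun, dn_tun, gap))
    return hits


if __name__ == "__main__":
    for up, down, gap in find_seesaw(parse_events(SAMPLE_LOG)):
        print(f"{up} came up, {down} went down {gap:.0f}s later")
```

On the sample, every up of advpn_0 is paired with a down of advpn_1 and vice versa, while advpn_2 coming up alone is not reported; feed it `execute log filter` output or an exported event log in the same format to check a real hub.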

Umer221
Staff

Thank you for responding @ctyctyctctcty,

Could you check how the destination configured in the Performance SLA is responding? Also, how is SD-WAN configured and what are the priorities?


The Phase 1 setup seems stable, but Phase 2 is where the problem arises.


This issue requires detailed analysis. I would recommend reaching out to TAC support for in-depth troubleshooting, as this issue requires in-depth troubleshooting.

ctyctyctctcty
New Contributor II

@Umer221 
Disabling the add-route option in the VPN configuration resolved the issue.
Thank you for your guidance.
