Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
UnderscoresAndDashes
New Contributor III

ADVPN in FortiOS 7.0.10

        I am in the process of configuring a new hub for our ADVPN-BGP environment. When I we were using FortiOS 7.0.8 it work worked with very few issues, but now in 7.0.10 I run into nothing but issues. When I run a ping from spoke to spoke, the first attempt will give me 2 successful pings and then die. If do an exec router clear bgp all and clear the table, will get successful pings for about 10 seconds and then it dies again. 

 

So I run diagnose vpn ike log filter mdst-addr4 x.x.x.x y.y.y.y on each of the spokes and I when the pings are successful I see what I am supposed to see, but in the same ping the connection dies, I get:

 

2023-03-09 12:01:55 id=20085 trace_id=139 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-00001185, original direction"
2023-03-09 12:01:55 id=20085 trace_id=139 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EDW_ADVPN_0, tun_id=0.0.0.0"
2023-03-09 12:01:55 id=20085 trace_id=139 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EDW_ADVPN_0"
2023-03-09 12:01:55 id=20085 trace_id=139 func=ipsec_common_output4 line=780 msg="SA is not ready yet, drop"
2023-03-09 12:01:55.070820 ike 0:EDW_ADVPN_0:EDW_ADVPN: IPsec SA connect 3 172.150.149.106->x.x.x.x:4500
2023-03-09 12:01:55.070832 ike 0:EDW_ADVPN_0:EDW_ADVPN: using existing connection
2023-03-09 12:01:55.070837 ike 0:EDW_ADVPN_0:EDW_ADVPN: traffic triggered, serial=1 1:172.50.40.3:2048->1:10.21.35.1:0
2023-03-09 12:01:55.070841 ike 0:EDW_ADVPN:EDW_ADVPN: config found
2023-03-09 12:01:55.070845 ike 0:EDW_ADVPN: request is on the queue
2023-03-09 12:01:56.070602 ike 0:EDW_ADVPN_0:EDW_ADVPN: IPsec SA connect 3 172.150.149.106->x.x.x.x:4500
2023-03-09 12:01:56.070621 ike 0:EDW_ADVPN_0:EDW_ADVPN: using existing connection
2023-03-09 12:01:56.070627 ike 0:EDW_ADVPN_0:EDW_ADVPN: traffic triggered, serial=1 1:172.50.40.3:2048->1:10.21.35.1:0
2023-03-09 12:01:56.070632 ike 0:EDW_ADVPN:EDW_ADVPN: config found
2023-03-09 12:01:56.070635 ike 0:EDW_ADVPN: request is on the queue
2023-03-09 12:01:56 id=20085 trace_id=140 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 172.50.40.3:7168->10.21.35.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=7168, seq=4."

 

I don't understand why it dies like that. Any help would very appreciated. 

 

Thank you. 

1 Solution
UnderscoresAndDashes
New Contributor III

I am, but found a work around. If I set a static route in the remote Fortigate to where I am trying to get to, the tunnel stabilizes. A Static route I think shouldn't be necessary, but it works. 

View solution in original post

4 REPLIES 4
Anthony_E
Community Manager
Community Manager

Hello underscoresAndDashes,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello,

 

I have found this documentation:

 

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/978793

 

Could you please tell me if it helped?

 

If not, did you try to upgrade to the 7.2 version?

 

Regards,

Anthony-Fortinet Community Team.
UnderscoresAndDashes
New Contributor III

I am, but found a work around. If I set a static route in the remote Fortigate to where I am trying to get to, the tunnel stabilizes. A Static route I think shouldn't be necessary, but it works. 

Top Kudoed Authors