I am in the process of configuring a new hub for our ADVPN-BGP environment. When we were using FortiOS 7.0.8 it worked with very few issues, but now in 7.0.10 I run into nothing but issues. When I run a ping from spoke to spoke, the first attempt will give me 2 successful pings and then die. If I do an exec router clear bgp all and clear the table, I will get successful pings for about 10 seconds and then it dies again.
So I run diagnose vpn ike log filter mdst-addr4 x.x.x.x y.y.y.y on each of the spokes, and when the pings are successful I see what I am supposed to see, but in the same ping, when the connection dies, I get:
2023-03-09 12:01:55 id=20085 trace_id=139 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-00001185, original direction"
2023-03-09 12:01:55 id=20085 trace_id=139 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EDW_ADVPN_0, tun_id=0.0.0.0"
2023-03-09 12:01:55 id=20085 trace_id=139 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EDW_ADVPN_0"
2023-03-09 12:01:55 id=20085 trace_id=139 func=ipsec_common_output4 line=780 msg="SA is not ready yet, drop"
2023-03-09 12:01:55.070820 ike 0:EDW_ADVPN_0:EDW_ADVPN: IPsec SA connect 3 172.150.149.106->x.x.x.x:4500
2023-03-09 12:01:55.070832 ike 0:EDW_ADVPN_0:EDW_ADVPN: using existing connection
2023-03-09 12:01:55.070837 ike 0:EDW_ADVPN_0:EDW_ADVPN: traffic triggered, serial=1 1:172.50.40.3:2048->1:10.21.35.1:0
2023-03-09 12:01:55.070841 ike 0:EDW_ADVPN:EDW_ADVPN: config found
2023-03-09 12:01:55.070845 ike 0:EDW_ADVPN: request is on the queue
2023-03-09 12:01:56.070602 ike 0:EDW_ADVPN_0:EDW_ADVPN: IPsec SA connect 3 172.150.149.106->x.x.x.x:4500
2023-03-09 12:01:56.070621 ike 0:EDW_ADVPN_0:EDW_ADVPN: using existing connection
2023-03-09 12:01:56.070627 ike 0:EDW_ADVPN_0:EDW_ADVPN: traffic triggered, serial=1 1:172.50.40.3:2048->1:10.21.35.1:0
2023-03-09 12:01:56.070632 ike 0:EDW_ADVPN:EDW_ADVPN: config found
2023-03-09 12:01:56.070635 ike 0:EDW_ADVPN: request is on the queue
2023-03-09 12:01:56 id=20085 trace_id=140 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 172.50.40.3:7168->10.21.35.1:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=7168, seq=4."
I don't understand why it dies like that. Any help would be very appreciated.
Thank you.
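The two debug outputs in the post above interleave a flow trace ("output to IPSec tunnel ... / SA is not ready yet, drop") with IKE lines that cycle "IPsec SA connect ... request is on the queue" once per second without the shortcut ever coming up. As an added example (not the poster's or Fortinet's code), the script below parses both line formats as they appear in the thread and flags an interface whose packets are being dropped while its SA connect requests keep getting queued. The sample input is copied from the thread (the x.x.x.x redaction is kept); the thresholds, the regular expressions and the `analyze` function name are assumptions made here, not FortiOS behaviour.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Sample lines copied from the thread above (x.x.x.x is the poster's redaction).
SAMPLE_LOG = """\
2023-03-09 12:01:55 id=20085 trace_id=139 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EDW_ADVPN_0, tun_id=0.0.0.0"
2023-03-09 12:01:55 id=20085 trace_id=139 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EDW_ADVPN_0"
2023-03-09 12:01:55 id=20085 trace_id=139 func=ipsec_common_output4 line=780 msg="SA is not ready yet, drop"
2023-03-09 12:01:55.070820 ike 0:EDW_ADVPN_0:EDW_ADVPN: IPsec SA connect 3 172.150.149.106->x.x.x.x:4500
2023-03-09 12:01:55.070832 ike 0:EDW_ADVPN_0:EDW_ADVPN: using existing connection
2023-03-09 12:01:55.070837 ike 0:EDW_ADVPN_0:EDW_ADVPN: traffic triggered, serial=1 1:172.50.40.3:2048->1:10.21.35.1:0
2023-03-09 12:01:55.070841 ike 0:EDW_ADVPN:EDW_ADVPN: config found
2023-03-09 12:01:55.070845 ike 0:EDW_ADVPN: request is on the queue
2023-03-09 12:01:56.070602 ike 0:EDW_ADVPN_0:EDW_ADVPN: IPsec SA connect 3 172.150.149.106->x.x.x.x:4500
2023-03-09 12:01:56.070621 ike 0:EDW_ADVPN_0:EDW_ADVPN: using existing connection
2023-03-09 12:01:56.070627 ike 0:EDW_ADVPN_0:EDW_ADVPN: traffic triggered, serial=1 1:172.50.40.3:2048->1:10.21.35.1:0
2023-03-09 12:01:56.070632 ike 0:EDW_ADVPN:EDW_ADVPN: config found
2023-03-09 12:01:56.070635 ike 0:EDW_ADVPN: request is on the queue
"""

# Regexes are assumptions derived from the two line shapes shown in the thread.
FLOW_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) id=\d+ trace_id=(?P<trace>\d+) '
    r'func=\S+ line=\d+ msg="(?P<msg>.*)"$')
IKE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike \d+:(?P<ctx>\S+?): (?P<msg>.*)$')


@dataclass
class TunnelState:
    """Per-interface counters gathered while scanning the log."""
    queued_attempts: int = 0          # "IPsec SA connect" that ended in "request is on the queue"
    drops: int = 0                    # flow-trace packets dropped with "SA is not ready yet"
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    selectors: set = field(default_factory=set)  # src->dst pairs that triggered the connect


def _parse_ts(text):
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in text else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(text, fmt)


def analyze(log_text, min_attempts=2):
    """Return interfaces whose traffic is dropped while SA connects keep queuing.

    min_attempts (an assumed threshold) is how many queued connect cycles are
    needed before the interface is reported.
    """
    states = {}
    pending = None      # interface whose "IPsec SA connect" cycle is in progress
    trace_iface = {}    # flow trace_id -> interface the packet was sent to

    for line in log_text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ts = _parse_ts(m.group("ts"))
            msg = m.group("msg")
            # ctx is "<child iface>:<phase1>" or just "<phase1>"; the first part names the interface
            iface = m.group("ctx").split(":")[0]
            if msg.startswith("IPsec SA connect"):
                pending = iface
                st = states.setdefault(pending, TunnelState())
                st.first_seen = st.first_seen or ts
                st.last_seen = ts
            elif pending and msg.startswith("traffic triggered"):
                # e.g. "... 1:172.50.40.3:2048->1:10.21.35.1:0"
                sel = re.search(r"\d+:(\S+?)->\d+:(\S+)$", msg)
                if sel:
                    states[pending].selectors.add(f"{sel.group(1)}->{sel.group(2)}")
            elif pending and msg == "request is on the queue":
                states[pending].queued_attempts += 1
                pending = None
            continue

        m = FLOW_RE.match(line)
        if m:
            msg, trace = m.group("msg"), m.group("trace")
            out = re.match(r"output to IPSec tunnel (\S+)$", msg)
            if out:
                trace_iface[trace] = out.group(1)
            elif msg == "SA is not ready yet, drop" and trace in trace_iface:
                states.setdefault(trace_iface[trace], TunnelState()).drops += 1

    findings = []
    for iface, st in states.items():
        if st.queued_attempts >= min_attempts and st.drops > 0:
            findings.append({
                "interface": iface,
                "queued_attempts": st.queued_attempts,
                "drops": st.drops,
                "seconds": round((st.last_seen - st.first_seen).total_seconds(), 3),
                "selectors": sorted(st.selectors),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['interface']}: {f['queued_attempts']} queued SA connects over "
              f"{f['seconds']}s, {f['drops']} packet(s) dropped, triggered by {f['selectors']}")
```

Run it against a longer capture from `diagnose debug flow` and `diagnose vpn ike log` on a spoke; an interface that keeps appearing with a growing `queued_attempts` count and a non-zero drop count is one whose shortcut never finishes negotiating, which is the symptom the post describes and a useful thing to watch for after a firmware upgrade.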
Hello underscoresAndDashes,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello,
I have found this documentation:
https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/978793
Could you please tell me if it helped?
If not, did you try to upgrade to the 7.2 version?
Regards,
I am, but found a work around. If I set a static route in the remote Fortigate to where I am trying to get to, the tunnel stabilizes. A Static route I think shouldn't be necessary, but it works.