Dear All,
Recently I upgraded my FortiGate 200F HA active-passive to the latest firmware 7.4.3; after the upgrade, IPsec VPN connections became unstable and keep dropping from time to time.
Is anyone facing the same issue? What are the solutions?
Hi,
Have you checked the VPN logs for any errors? Try disabling NPU offload on this tunnel and gather debugs.
config vpn ipsec phase1-interface
    edit <tunnel name>
        set npu-offload disable
    next
end
Debug:
# diagnose debug application ike -1
# diagnose vpn ike log-filter dst-addr4 <>
# diagnose debug enable
Correction: Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
See troubleshooting steps: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
Don't forget to disable debug (diag debug disable) and re-enable NPU offload on the tunnel once you have captured the debug output during the issue.
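To make the "check the VPN logs" step concrete, here is an added example (not from the original thread or from Fortinet) that reads FortiGate-style key=value VPN event log lines and reports how often each tunnel dropped and for how long, so an intermittent tunnel stands out before you start debugs. The sample lines are constructed, and the field names (date, time, subtype, action, vpntunnel) are assumed to match the unit's own event log export.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the FortiGate key=value event-log style (assumed
# field names: date, time, subtype, action, vpntunnel); not output from a real unit.
SAMPLE_LOG = """\
date=2024-03-01 time=08:00:01 type="event" subtype="vpn" action="tunnel-up" vpntunnel="site-b"
date=2024-03-01 time=08:12:40 type="event" subtype="vpn" action="tunnel-down" vpntunnel="site-b"
date=2024-03-01 time=08:12:55 type="event" subtype="vpn" action="tunnel-up" vpntunnel="site-b"
date=2024-03-01 time=08:31:03 type="event" subtype="vpn" action="tunnel-down" vpntunnel="site-b"
date=2024-03-01 time=08:31:20 type="event" subtype="vpn" action="tunnel-up" vpntunnel="site-b"
date=2024-03-01 time=08:00:05 type="event" subtype="vpn" action="tunnel-up" vpntunnel="site-c"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def tunnel_flaps(log_text):
    """Return {tunnel: (down_count, seconds_down)} for every tunnel that went down.

    Downtime is summed over each tunnel-down that is followed by a tunnel-up
    on the same tunnel; a tunnel that never went down is not reported.
    """
    down_at = {}
    stats = defaultdict(lambda: [0, 0.0])
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or "vpntunnel" not in rec:
            continue
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        name = rec["vpntunnel"]
        if rec.get("action") == "tunnel-down":
            stats[name][0] += 1
            down_at[name] = ts
        elif rec.get("action") == "tunnel-up" and name in down_at:
            stats[name][1] += (ts - down_at.pop(name)).total_seconds()
    return {k: (v[0], v[1]) for k, v in stats.items()}

def flapping_tunnels(log_text, min_downs=2):
    """Names of tunnels that dropped at least min_downs times in the log."""
    return sorted(n for n, (downs, _) in tunnel_flaps(log_text).items() if downs >= min_downs)

if __name__ == "__main__":
    for name, (downs, secs) in tunnel_flaps(SAMPLE_LOG).items():
        print(f"{name}: {downs} drop(s), {secs:.0f}s total downtime")
```

Feed it a log export from a period when the tunnel was unstable; the tunnels it lists are the ones worth targeting with the npu-offload and IKE debug steps above.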
Hi hjezzapaula,
The IPsec VPN tunnel status is established, but the connection is intermittent.
After I broke the HA and configured the unit as standalone, the VPN connection went back to normal and is stable.
Hi @georgewfl,
Have you noticed HA failovers when the issue is occurring? Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-VPN-in-HA-Environment/ta-p/195849
Is it an IPsec tunnel to another FortiGate or to a third-party firewall? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Some-known-IPSec-VPN-issues-between/...
Have you checked the VPN event logs to see if there are any errors?
Regards,
We are seeing the EXACT same thing on our 100F. Ever since we updated to 7.4.3 our 11 other locations have been dropping randomly. This is beyond ridiculous to have to upgrade the firmware due to vulnerabilities to then have to deal with constant issues after the fact. I would like to know from Fortinet when this will be fixed. Dropping HA is NOT the correct answer. We rely on HA.
Is this going to be fixed any time soon, or is there a valid workaround that does not involve disabling hardware acceleration or disabling HA?
Same, we've been disabling NPU offloading as the issues come up. The best support has had is to upgrade to the latest as they come out. That, or call in when the tunnel is down, which is usually when they're under heavy call volume and my users are waiting for us to bounce the tunnel to bring it back up.
101F, 81F, 60F, 40F models.