Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Firmware 7.4.3

Dear All,


Recently I upgraded my Fortigate 200F HA active-passive to the latest firmware 7.4.3 after upgraded ipsec VPN connections become unstable and keep drop from time to time.


Anyone facing the same issue? what is the solutions?



Have you check on the VPN logs for any error? Try disable NPU offload on this tunnel and gather debugs.


config vpn ipsec phase1-interface

edit <tunnel name>

set npu-offload disable




#diagnose debug application ike -1

#diagnose vpn ike log-filter dst-addr4 <>

#diag debug enable


Correction: Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

See troubleshooting steps:

dont forget to disable debug (diag debug disable) and re-enable npu offload on the tunnel once you capture debug during the issue.

New Contributor II

Hi hjezzapaula,


The ipsec vpn tunnels status is established but connection will intermittent.   

New Contributor II

After I break the HA and configured as standalone, vpn connection back to normal and stable.


Hi @georgewfl,


Have you noticed HA failovers when the issue is occurring? Please refer to


It is an IPsec tunnel to another FortiGate or a third party firewall?


Have you checked the VPN Event logs to see if there is any errors? 



New Contributor

We are seeing the EXACT same thing on our 100F.  Ever since we updated to 7.4.3 our 11 other locations have been dropping randomly.  This is beyond ridiculous to have to upgrade the firmware due to vulnerabilities to then have to deal with constant issues after the fact.  I would like to know from Fortinet when this will be fixed.  Dropping HA is NOT the correct answer.  We rely on HA.

Contributor II

Is this going to be fixed any time soon, or is there a valid workaround that does not involve disabling hardware acceleration or disabling HA?

New Contributor II

Same, we've been disabling npu offloading as the issues come up. best support has had is upgrade to the latest as they come out. That or call in when the tunnel is down which is usually when they're under heavy call volume and my users are waiting for us to bounce the tunnel to bring back up. 


101f, 81f, 60f, 40f models. 

Top Kudoed Authors