Hi,
we use FortiGate at a lot of customers and monitor everything using PRTG Network Monitor (latest version 22.3.79.2108).
I found out today that if I monitor traffic in IPsec site2site tunnels I get strange results.
Here is a concrete example.
FortiGate 100F (6.4.9). There is one IPsec tunnel on the WAN interface to the central FortiGate 200F (6.4.10). All traffic is routed to the IPsec tunnel, nothing passes to the internet directly through the WAN.
This graph is from the WAN interface:
and this graph is from an IPsec tunnel:
As you can see there is a huge difference.
But I am unable to determine when this monitoring problem started. I tried deleting and recreating the problematic sensors but that didn't fix the problem. I also tried using SNMPv3 instead of SNMPv2 and also no luck.
I always considered IPsec tunnels as a classic interface (and that's how the PRTG program also approached it) and it always worked.
Has anyone encountered a similar problem? Other interfaces (physical, vlans or SSL) are displayed correctly via SNMP.
And I also registered that if I view the IPsec tunnel widget on FGT, I only see one direction.
Thank you.
Jirka
nobody?
What OID are you using to get the data for that IPSec interface?
Created on 09-27-2022 11:43 AM Edited on 09-27-2022 12:16 PM
Hi Graham,
I don't know what OIDs are used.
I always selected the "SNMP Traffic" template in PRTG, scanned the FortiGate and it showed me all available interfaces for monitoring, incl. IPsec tunnels, VLAN, SSL interface. There was never a problem with it.
It looks like this:
All this still works now, with the difference that the data read using SNMP does not correspond to the real load of the IPsec interface.
Can you provide me with a valid OID for traffic and unicast packet monitoring for the IPsec interface? I would try adding it manually.
Edit: I found one historic BUG in version 6.2.x:
Could this not also be the case?
Thanks
Jirka
Created on 09-27-2022 12:26 PM Edited on 09-27-2022 12:29 PM
Graham,
so the problem is the NPU offload. Once I disable it on the IPsec Phase1 interface:
set npu-offload disable
both the SNMP graph and the GUI widget display the correct data!
Jirka
Oh nice one! I've never heard of that issue before. Going to dig in a bit more on this one because ideally you'd want that traffic offloaded and monitored accurately at the same time. I'll let you know if I find anything else out.
Thank you I will wait.
I believe this might be a bug related to the new NP7 chipset. I suggest calling into TAC to make them aware and so the bug can be validated and fixed.
Thanks I opened a ticket on TAC.
Jirka
I am forwarding TAC's comments on the existing bug and its workaround:
The particular issue is known, to be more precise the bug ID is [0830252 - IPSec VPN statistics not increasing on device].
It will be fixed in:
1) 6.4.11 expected to be released by the end of October
2) 7.0.7 expected to be released in the middle of October
3) 7.2.3 expected to be released in the middle of November
As a workaround, I would recommend unsetting "per-session-accounting" and configuring the following:
config system np6xlite
edit "np6xlite_0"
set ipsec-STS-timeout 1
next
end
Jirka
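The following is an added example, not code from this thread, from PRTG or from Fortinet. It illustrates the monitoring-side check a NOC would want for the symptom described above: an IPsec tunnel interface whose SNMP counters stay flat in one or both directions while the WAN interface it rides on is clearly busy. It uses the standard IF-MIB column OIDs (ifDescr, ifHCInOctets, ifHCOutOctets) for reference only, constructed counter samples in place of a live SNMP poll, and hypothetical interface names (wan1, vpn_hq, vpn_branch). Counter64 wrap-around is handled so a rollover is not mistaken for a flat counter.

```python
"""Sanity check for SNMP interface counters on a VPN gateway.

Flags IPsec tunnel interfaces whose traffic counters do not increase
while the parent WAN interface carries traffic (the "statistics not
increasing" symptom). Sample data below is constructed; no SNMP poll
is performed.
"""
from dataclasses import dataclass

# Standard IF-MIB column OIDs; the ifIndex is appended to address one row.
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"
IF_HC_IN_OCTETS = "1.3.6.1.2.1.31.1.1.1.6"
IF_HC_OUT_OCTETS = "1.3.6.1.2.1.31.1.1.1.10"
COUNTER64_MOD = 2 ** 64


def oids_for_ifindex(ifindex: int) -> list:
    """Return the instance OIDs a poller would GET for one interface row."""
    return [f"{col}.{ifindex}" for col in (IF_DESCR, IF_HC_IN_OCTETS, IF_HC_OUT_OCTETS)]


@dataclass(frozen=True)
class Sample:
    ts: float        # poll time in seconds
    in_octets: int   # ifHCInOctets value
    out_octets: int  # ifHCOutOctets value


def counter_delta(old: int, new: int, mod: int = COUNTER64_MOD) -> int:
    """Difference between two counter readings, tolerating one wrap-around."""
    return (new - old) % mod


def rate_bps(prev: Sample, cur: Sample) -> tuple:
    """(in_bps, out_bps) between two samples of the same interface."""
    dt = cur.ts - prev.ts
    if dt <= 0:
        raise ValueError("samples must be in chronological order")
    return (
        counter_delta(prev.in_octets, cur.in_octets) * 8 / dt,
        counter_delta(prev.out_octets, cur.out_octets) * 8 / dt,
    )


def check_tunnels(polls: dict, tunnel_parent: dict, min_parent_bps: float = 100_000) -> list:
    """polls: {ifname: (prev Sample, cur Sample)}
    tunnel_parent: {tunnel ifname: WAN ifname the tunnel is bound to}
    Returns (tunnel, direction, parent_bps) for every direction in which the
    tunnel counter stayed flat while the parent moved at least min_parent_bps."""
    findings = []
    for tun, parent in tunnel_parent.items():
        t_rates = rate_bps(*polls[tun])
        p_rates = rate_bps(*polls[parent])
        for direction, t_bps, p_bps in zip(("in", "out"), t_rates, p_rates):
            if p_bps >= min_parent_bps and t_bps == 0:
                findings.append((tun, direction, p_bps))
    return findings


# Constructed samples: two polls 60 s apart (hypothetical interface names).
# wan1 moves 75 MB in / 15 MB out; vpn_hq shows only the outbound side;
# vpn_branch reports both directions normally.
POLLS = {
    "wan1": (Sample(0, 1_000_000, 500_000), Sample(60, 76_000_000, 15_500_000)),
    "vpn_hq": (Sample(0, 40_000, 20_000), Sample(60, 40_000, 15_020_000)),
    "vpn_branch": (Sample(0, 10, 10), Sample(60, 6_000_010, 1_200_010)),
}
TUNNEL_PARENT = {"vpn_hq": "wan1", "vpn_branch": "wan1"}


def run_check() -> list:
    return check_tunnels(POLLS, TUNNEL_PARENT)


if __name__ == "__main__":
    for tun, direction, p_bps in run_check():
        print(f"{tun}: {direction} counter flat while parent moved {p_bps / 1e6:.1f} Mbps")
```

In practice the two Sample values per interface would come from consecutive GETs of the ifHC* columns; running the check on every poll cycle turns a silently under-reporting tunnel into an alert instead of a graph that only looks odd in hindsight.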