andybarker
New Contributor II

FortiOS 7.4.2 Bug Causes IPsec VPN Tunnel Phase 2 Instability

I have had many site-to-site IPsec tunnels working fine for several years until I upgraded to FortiOS 7.4.2. Shortly afterward, my tunnels began dropping random Phase 2 connections. Many times I have had to bring down the Phase 2s or the entire tunnel to get traffic flowing again. I opened a ticket with Fortinet and had three technicians working with me at various times, but none found a solution.


I finally downgraded to 7.4.1 and all my problems went away. There is obviously a bug in 7.4.2 and I hope Fortinet finds and acknowledges it and fixes it for the next release.

andybarker

9118289

anthonyfoerster
New Contributor II

Good morning,
Any news on this case?

Regards,

A. Foerster
BillH_FTNT

Hi Anthony,
I am building a lab for your case. Will share the result soon.

Bill

bogyon
New Contributor

We have the same problem.
I upgraded all FortiGates (61F) to 7.4.2 firmware except one. The latter (101F) remained on version 6.4.14.
All are communicating with one star point (VM1).
At this time, only the 6.4.14 unit could establish a stable IPsec site-to-site connection with the star point. All the others dropped the connection at various times or failed to establish it.
A downgrade to 7.4.1 solved the problem; the star point remained on 7.4.2, and now everything works fine.
But because of the SSL VPN vulnerability, it would be urgent to upgrade to 7.4.3, which would probably cause problems again with IPsec site-to-site connections.
What could be the solution?


BillH_FTNT

Hi bogyon

Fixing the vulnerability is essential; therefore, you should upgrade to the version suggested in the advisory. If you run into an issue, just call Fortinet to get support.

RG/Bill

bogyon

Hi Bill


I did the upgrade on the star point (VM1) to 7.4.3. It had worked fine so far with the 7.4.2 firmware, but after the upgrade no route-based IPsec connections were established. However, the policy-based IPsec connection was successfully established.
The next interesting thing is that the LDAP connection was also broken after the upgrade.
I then gave up and downgraded to 7.2.7; all IPsec tunnels were successfully established and the LDAP connection was also restored.

After that, all devices were upgraded to the 7.2.7 firmware, and now everything works fine.

BillH_FTNT

Hi Bogyon

Downgrading to 7.2.7 is a good option, I think.

Bill

Yurisk
SuperUser

Had the same issue: a cluster of 200F on 7.4.2 (A/P) to a FGT 100F on 7.4.1. IPsec tunnels stop transferring data; by all indicators the tunnel stays up, but no data enters the tunnel. Flushing the IPsec SAs solved the issue each time. The usual debug showed no problem. Temporarily "solved" by creating an Automation stitch to flush/refresh the problematic tunnels daily, until the client rolled back to 7.4.1 on the FGT 200F. Now it is the same dilemma: upgrade to 7.4.3 to fix the SSL VPN vulnerability and suffer the IPsec drops, or roll back all the way to 7.0.14.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
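The daily "flush the tunnel" workaround Yurisk describes can be built as a scheduled Automation stitch whose action is a CLI script. The configuration below is an added example written for this thread, not Yurisk's own stitch and not Fortinet documentation; the tunnel name "site-to-site-A", the 03:00 schedule, the object names and the use of the super_admin profile are assumptions, and the `#` lines are annotations rather than CLI input.

```fortios
# Added example, not from any post in this thread. Assumes a phase1
# interface named "site-to-site-A" (replace with your tunnel name).

# 1. Trigger: fire once a day at 03:00 (schedule is an assumption;
#    pick a window when a few seconds of tunnel loss is acceptable).
config system automation-trigger
    edit "ipsec-daily-refresh-trigger"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 3
        set trigger-minute 0
    next
end

# 2. Action: run a CLI script that flushes the IPsec SAs of the tunnel.
#    The phase 2 is renegotiated on the next matching traffic (or at
#    once if auto-negotiate/DPD is enabled on the phase 2).
#    A cli-script action runs with an admin profile; super_admin is the
#    simplest choice but a narrower profile with diagnose rights also works.
config system automation-action
    edit "ipsec-daily-refresh-action"
        set action-type cli-script
        set script "diagnose vpn tunnel flush site-to-site-A"
        set accprofile "super_admin"
    next
end

# 3. Stitch: bind the trigger to the action.
config system automation-stitch
    edit "ipsec-daily-refresh"
        set status enable
        set trigger "ipsec-daily-refresh-trigger"
        config actions
            edit 1
                set action "ipsec-daily-refresh-action"
                set required enable
            next
        end
    next
end
```

Two caveats a practitioner will want to keep in mind. First, this only masks the symptom: if a tunnel stalls between runs it stays stalled until the next flush, so a stitch triggered by the actual failure condition would be better if one can be identified. Second, confirm the flush really clears the wedge before relying on it: compare the inbound and outbound counters shown by `diagnose vpn tunnel list name site-to-site-A` before and after the script runs, since Yurisk's report is that the tunnel looks up in every other indicator while the counters stop moving.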
OLiH
New Contributor II

Same here. Disabling anti-replay did not fix the issue. A downgrade to 7.4.1 did. Definitely an issue with 7.4.2, most probably not fixed in 7.4.3. Fortinet support seems to be counting on one of us to test.

BillH_FTNT

Hi @OLiH 

What is your HW version? Can you share the ticket number? We can try to find your issue ASAP. 

Bill

