Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andybarker
New Contributor II

FortiOS 7.4.2 Bug Causes IPsec VPN Tunnel Phase 2 Instability

I have had many site-to-site IPsec tunnels working fine for several years until I upgraded to FortiOS 7.4.2. Shortly afterward, my tunnels began dropping connections on random Phase 2 connections. I have had to bring down the phases or entire tunnel to get traffic flowing again many times. I opened a ticket with Fortinet and had three technicians working with me at various times but none found a solution.

 

I finally downgraded to 7.4.1 and all my problems went away. There is obviously a bug in 7.4.2 and I hope Fortinet finds and acknowledges it and fixes it for the next release.

78 REPLIES 78
andybarker

9118289

anthonyfoerster
New Contributor II

Good Morning,
any news to this case?

Regards,

A. Foerster
A. Foerster
BillH_FTNT

Hi Anthony,
I am building a lab for your case. Will share the result soon.

Bill

bogyon
New Contributor

We have the same problem.
I upgraded all Fortigate (61F) to 7.4.2 firmware, except one. The latter (101F) remained on version 6.4.14.
All are communicating with one starpoint (VM1).
At this time, only 6.4.14 could establish a stable IPSec site-to-site connection with the star point. All the others dropped the connection at various times or failed to establish it.
A downgrade to 7.4.1 solved the problem, but the star point remained 7.4.2, and so now everything works fine.
But because of the SSLVPN vulnerability, it would be urgent to upgrade to 7.4.3, which would probably cause problems again with IPSec site-to-site connections.
What could be the solution?

 

BillH_FTNT

Hi bogyon

The vulnerability solution is essential; therefore, you should upgrade to the solution suggestion version. If you get an issue, just call Fortinet to get support.

RG/Bill

bogyon

Hi Bill

 

I did the upgrade on the starpoint (VM1) to 7.4.3. It worked fine so far with the 7.4.2 firmware. But after the upgrade, no route-based IPSec connections were established. However, the policy-based IPSec connection was successfully established.
The next interesting thing is that the LDAP connection was also broken after the upgrade.
I then gave up and I downgraded to 7.2.7 and all IPSec was successfully established and the LDAP connection was also restored.

After that all devices were upgraded to 7.2.7 firmware and now everything works fine.

BillH_FTNT

Hi Bogyon

Degraded to 7.2.7 is a good option. I think

Bill

Yurisk
SuperUser
SuperUser

Had the same issue - cluster of 200F 7.4.2 A/P to FGT 100F 7.4.1,  - IPSec tunnels stop transferring data, tunnel by all indicators stayed up but no data entered the tunnel, flushing IPSec SAs solved issue each time. Usual debug showed no problem. Temporarily "solved" by creating Automation stitch to flush/refresh problematic tunnels daily, until client rolled back to 7.4.1 on FGT200F. Now is the same dilemma - upgrade to 7.4.3 to fix SSL VPN vulnerability and suffer IPSec downs or roll back all the way to 7.0.14. 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
OLiH
New Contributor II

Same here. Disabling Anti-Replay did not fix the issue. Downgrade to 7.4.1 did. Defo an issue with 7.4.2, most probably not fixed in 7.4.3. Fortinet support seem to count on one of us to test.

BillH_FTNT

Hi @OLiH 

What is your HW version? Can you share the ticket number? We can try to find your issue ASAP. 

Bill

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors