I have had many site-to-site IPsec tunnels working fine for several years until I upgraded to FortiOS 7.4.2. Shortly afterward, my tunnels began dropping connections on random Phase 2 connections. I have had to bring down the phases or the entire tunnel to get traffic flowing again many times. I opened a ticket with Fortinet and had three technicians working with me at various times, but none found a solution.
I finally downgraded to 7.4.1 and all my problems went away. There is obviously a bug in 7.4.2 and I hope Fortinet finds and acknowledges it and fixes it for the next release.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9118289
Good Morning,
Any news on this case?
Regards,
Hi Anthony,
I am building a lab for your case. Will share the result soon.
Bill
We have the same problem.
I upgraded all FortiGates (61F) to 7.4.2 firmware, except one. The latter (101F) remained on version 6.4.14.
All are communicating with one star point (VM1).
At this time, only 6.4.14 could establish a stable IPsec site-to-site connection with the star point. All the others dropped the connection at various times or failed to establish it.
A downgrade to 7.4.1 solved the problem, but the star point remained 7.4.2, and so now everything works fine.
But because of the SSLVPN vulnerability, it would be urgent to upgrade to 7.4.3, which would probably cause problems again with IPSec site-to-site connections.
What could be the solution?
Hi bogyon
The vulnerability fix is essential; therefore, you should upgrade to the suggested solution version. If you get an issue, just call Fortinet to get support.
RG/Bill
Hi Bill
I did the upgrade on the star point (VM1) to 7.4.3. It worked fine so far with the 7.4.2 firmware. But after the upgrade, no route-based IPsec connections were established. However, the policy-based IPsec connection was successfully established.
The next interesting thing is that the LDAP connection was also broken after the upgrade.
I then gave up and I downgraded to 7.2.7 and all IPSec was successfully established and the LDAP connection was also restored.
After that all devices were upgraded to 7.2.7 firmware and now everything works fine.
Hi Bogyon
Downgrading to 7.2.7 is a good option, I think.
Bill
Had the same issue: cluster of 200F 7.4.2 A/P to FGT 100F 7.4.1. IPsec tunnels stop transferring data; by all indicators the tunnel stayed up, but no data entered the tunnel. Flushing the IPsec SAs solved the issue each time. The usual debug showed no problem. Temporarily "solved" by creating an Automation Stitch to flush/refresh the problematic tunnels daily, until the client rolled back to 7.4.1 on the FGT 200F. Now it's the same dilemma: upgrade to 7.4.3 to fix the SSL VPN vulnerability and suffer IPsec downs, or roll back all the way to 7.0.14.
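The daily SA-flush stitch described in the post above, as an added illustration that is not the poster's own configuration: the tunnel name `site-b-p1`, the stitch/trigger/action names and the 03:00 schedule are assumptions, and the CLI keywords are the FortiOS automation-stitch and `diagnose vpn tunnel flush` syntax as I know it, so check them against the release notes for your firmware before use.

```text
# Scheduled trigger (assumed name "ipsec-flush-daily"): fire once a day at 03:00
config system automation-trigger
    edit "ipsec-flush-daily"
        set trigger-type scheduled
        set trigger-frequency daily
        set trigger-hour 3
        set trigger-minute 0
    next
end

# CLI-script action: flush the IPsec SAs of the affected phase1 (assumed name "site-b-p1")
# so that IKE renegotiates fresh Phase 2 SAs, which is what restored traffic in the post
config system automation-action
    edit "ipsec-flush-site-b"
        set action-type cli-script
        set script "diagnose vpn tunnel flush site-b-p1"
    next
end

# Stitch binding the trigger to the action
config system automation-stitch
    edit "ipsec-refresh-site-b"
        set status enable
        set trigger "ipsec-flush-daily"
        config actions
            edit 1
                set action "ipsec-flush-site-b"
            next
        end
    next
end
```

Flushing the SAs briefly interrupts traffic on that tunnel while Phase 2 renegotiates, and it only masks the underlying 7.4.2 behaviour; pair it with a Phase 2 status check (for example `get vpn ipsec tunnel name site-b-p1` traffic counters) so a stuck tunnel is visible rather than just silently refreshed.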
Same here. Disabling Anti-Replay did not fix the issue. Downgrade to 7.4.1 did. Defo an issue with 7.4.2, most probably not fixed in 7.4.3. Fortinet support seem to count on one of us to test.
Hi @OLiH
What is your HW version? Can you share the ticket number? We can try to find your issue ASAP.
Bill
Copyright 2024 Fortinet, Inc. All Rights Reserved.