I have had many site-to-site IPsec tunnels working fine for several years until I upgraded to FortiOS 7.4.2. Shortly afterward, my tunnels began dropping connections on random Phase 2 connections. I have had to bring down the phases or entire tunnel to get traffic flowing again many times. I opened a ticket with Fortinet and had three technicians working with me at various times but none found a solution.
I finally downgraded to 7.4.1 and all my problems went away. There is obviously a bug in 7.4.2 and I hope Fortinet finds and acknowledges it and fixes it for the next release.
Update 7.6.0 is available, has anyone updated it yet? In the documentation they reported that they resolved the bug.
| 1003830 | IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform. |
Cluster update to 7.6.0 last week - since then short interruption for all services (HTTP, SMTP, SSH, ...) behind simple firewall rules. After reboot of one device - HA out of sync with problems in read-only profiles.
Support Ticket note: 7.6 is a point zero release, which we do not recommend for production environments. I suggest considering a rollback to the previously working version.
After downgrade to 7.4.4 everything went back to "normal" - with the known issues :(
From my point of view 7.6.0 is unusable.
Please try the latest 7.2.9GA and 7.4.4GA which should include this fix, bug id #950445, 7.0.16GA will include this bug in the next release, currently, 7.0.15GA still has the problem.
Thanks
Kangming
Hey. Does version 7.4.5 (Mature) have the same problem? I'm still sitting on 7.4.1 and I'm wondering whether to upgrade to the newer one.
Best regards.
I haven't been able to move to 7.4.5 because it breaks my Duo RADIUS 2FA.
I got hit with that on 7.2.10, but was able to update the FortiAuthenticator to 6.6.2, which supports the Message-Authenticator AVP.
Duo just released 6.4.2 yesterday and you can add the message authenticator to Duo now.
Thanks, aguerriero, I just installed 6.4.2 and can confirm that it's working for me. Now we'll get the rest of the firewalls updated.
I have the same problem on 7.4.5, but with only a single phase 2 selector. All other phase 2 selectors are okay. The issue does not occur if I uncheck "Auto-negotiate" on the phase 2 connector.
Same here. The issue is *NOT* fixed. The issue happens infrequently on the phase 2 that has the largest amount of traffic.