andybarker
New Contributor II

FortiOS 7.4.2 Bug Causes IPsec VPN Tunnel Phase 2 Instability

I have had many site-to-site IPsec tunnels working fine for several years until I upgraded to FortiOS 7.4.2. Shortly afterward, my tunnels began dropping connections on random Phase 2 connections. I have had to bring down the phases or the entire tunnel to get traffic flowing again many times. I opened a ticket with Fortinet and had three technicians working with me at various times, but none found a solution.

I finally downgraded to 7.4.1 and all my problems went away. There is obviously a bug in 7.4.2 and I hope Fortinet finds and acknowledges it and fixes it for the next release.

Sandoval
New Contributor II

Update 7.6.0 is available. Has anyone updated to it yet? In the documentation they reported that they resolved the bug.

1003830: IPsec VPN tunnel phase 2 instability after upgrading to 7.4.2 on the NP6xlite platform.

Hendrik
New Contributor

Cluster update to 7.6.0 last week - since then short interruption for all services (HTTP, SMTP, SSH, ...) behind simple firewall rules. After reboot of one device - HA out of sync with problems in read-only profiles.

Support Ticket note: 7.6 is a point zero release, which we do not recommend for production environments. I suggest considering a rollback to the previously working version.

After downgrade to 7.4.4 everything went back to "normal" - with the known issues :(

From my point of view 7.6.0 is unusable.

Kangming
Staff

Please try the latest 7.2.9GA and 7.4.4GA, which should include this fix (bug ID #950445). 7.0.16GA will include this bug in the next release; currently, 7.0.15GA still has the problem.

Thanks

Kangming

montie_pl
New Contributor

Hey. Does version 7.4.5 (Mature) have the same problem? I'm still sitting on 7.4.1 and I'm wondering whether to upgrade to the newer one.

Best regards.

pfit
New Contributor II

I haven't been able to move to 7.4.5 because it breaks my Duo RADIUS 2FA.

aguerriero

I got hit with that on 7.2.10, but was able to update the FortiAuthenticator to 6.6.2, which supports the Message-Authenticator AVP.

Duo just released 6.4.2 yesterday and you can add the message authenticator to Duo now.

pfit
New Contributor II

Thanks, aguerriero, I just installed 6.4.2 and can confirm that it's working for me. Now we'll get the rest of the firewalls updated.

Forti-Wizard
New Contributor

I have the same problem on 7.4.5, but with only a single phase 2 selector. All other phase 2 selectors are okay. The issue does not occur if I uncheck "Auto-negotiate" on the phase 2 connector.

OLiH
New Contributor II

Same here. The issue is *NOT* fixed. The issue happens infrequently on the phase 2 that has the largest amount of traffic.
