FortiOS 7.4.2- IPSec tunnel traffic flow stops randonmly

May8 · ‎01-31-2024

Hi,

We have recently upgraded our firewalls to 7.4.2 and have multiple IPSec tunnels active on firewall, but this one tunnel between FortiGate1 and FortiGate2 firewall, after upgrade, traffic stops flowing via tunnel every 24 hours. the only solution to resume traffic flow is to bounce the tunnel.

we have tried disabling npu-offload, tear-down the entire tunnel and rebuild the tunnel, turned off auto-negotiate for phase2, reduced the phase2 and phase1 key lifetime, nothing resolves the issue except bouncing tunnel each time we encounter the issue.

We have IPsec tunnel running from Fortigate1 to Fortigate3 and FortiGate4 having firmware version 7.4.2, have no issue.
Any idea what could be the issue?

pmudgal · ‎02-04-2024

Hello Sir,

Thank you for contacting the Fortinet support.

First disable the hardware acceleration using the below document and then take the IKE debugs as below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Disable-Hardware-Acceleration/ta...

dia debug reset
dia debug disable

diagnose vpn ike log-filter dst-addr4 <tunnel_public_dst_ip>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
!

Best Regards,
Piyush Mudgal

wendelin · ‎02-19-2024

See also https://community.fortinet.com/t5/Support-Forum/FortiOS-7-4-2-Bug-Causes-IPsec-VPN-Tunnel-Phase-2-In...

FortiOS 7.4.2- IPSec tunnel traffic flow stops randonmly

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website