FortiOS 7.4.2 - IPsec tunnel traffic flow stops randomly
Hi,
We have recently upgraded our firewalls to 7.4.2 and have multiple IPsec tunnels active on the firewall, but on this one tunnel between the FortiGate1 and FortiGate2 firewalls, traffic stops flowing through the tunnel every 24 hours since the upgrade. The only way to resume traffic flow is to bounce the tunnel.
We have tried disabling npu-offload, tearing down and rebuilding the entire tunnel, turning off auto-negotiate for phase 2, and reducing the phase 1 and phase 2 key lifetimes; nothing resolves the issue except bouncing the tunnel each time we encounter it.
We also have IPsec tunnels running from FortiGate1 to FortiGate3 and FortiGate4 (firmware version 7.4.2) with no issue.
Any idea what could be the issue?
Labels: FortiGate
Hello,
The issue could be related to negotiation. As far as I understand from the description, negotiation is not taking place properly.
It would be helpful to run the following debugs when the issue arises:
diagnose vpn ike log-filter dst-addr4 <tunnel_public_dst_ip>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
I assume the issue could be that one end sends data with an invalid SPI.
Best Regards,
Dhruvin Patel
Hi Dhruvin,
Thank you for your response.
The solution to an invalid SPI is to enable DPD, either on-idle or on-demand.
We already have DPD enabled as 'on-demand'.
Do you still think it could be an SPI issue?
Also, last night the traffic flow stopped for tunnels on the other 3 FortiGate firewalls.
Note: they are on version 7.4.2.
Is there any known bug in version 7.4.2?
Hi @May8,
Do you mean traffic stopped flowing but the tunnel is still up? In that case, please try to disable hardware acceleration by following this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Disable-Hardware-Acceleration/ta...
After that, you can bounce the tunnel and monitor if it stops again.
Regards,
Hi hbac,
Yes, the tunnel stays up, but traffic stops flowing.
We have already disabled NPU offload on the tunnel. We will disable the other hardware acceleration parameters and monitor.
Will keep you posted.
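The symptom confirmed above, an SA that reports up while traffic through it has stopped, is easy to miss with tunnel-state monitoring alone, because the state never changes. The following is an added example (not code from this thread or from Fortinet) of the check a practitioner would script around it: it watches per-tunnel cumulative byte counters and flags a tunnel as a "blackhole" when outbound bytes keep growing but inbound bytes have not moved for a number of consecutive polls. It assumes you already collect those counters at a fixed interval, for instance from the FortiGate REST endpoint /api/v2/monitor/vpn/ipsec or via SNMP; the Sample field names, the endpoint and the counter values are assumptions constructed for the example.

```python
"""Spot an IPsec tunnel that reports 'up' while traffic has silently stopped.

Added example, not from this thread and not Fortinet code. Assumes you poll
per-tunnel cumulative byte counters at a fixed interval (e.g. from the FortiGate
REST endpoint /api/v2/monitor/vpn/ipsec or via SNMP) and feed one Sample per
tunnel per poll. Field names, endpoint and counter values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: int          # poll time in seconds
    name: str       # phase 1 name of the tunnel
    up: bool        # what the firewall reports as the tunnel state
    rx_bytes: int   # cumulative bytes received through the tunnel
    tx_bytes: int   # cumulative bytes sent through the tunnel


class TunnelWatcher:
    """Classifies a tunnel on each poll from the movement of its counters.

    'blackhole' is the symptom in this thread: the SA is up, we keep
    encrypting and sending, but nothing comes back for `polls` consecutive polls.
    """

    def __init__(self, polls: int = 5):
        self.polls = polls
        self._hist: dict[str, list[Sample]] = defaultdict(list)

    def observe(self, s: Sample) -> str:
        hist = self._hist[s.name]
        if not s.up:
            hist.clear()            # a down tunnel is a phase 1 / DPD problem, judged elsewhere
            return "down"
        if hist and (s.rx_bytes < hist[-1].rx_bytes or s.tx_bytes < hist[-1].tx_bytes):
            hist.clear()            # counters went backwards: tunnel was bounced, start over
            hist.append(s)
            return "reset"
        hist.append(s)
        del hist[:-self.polls]      # keep only the last `polls` samples
        if len(hist) < self.polls:
            return "warming"        # not enough history to judge yet
        first = hist[0]
        rx_moved = s.rx_bytes > first.rx_bytes
        tx_moved = s.tx_bytes > first.tx_bytes
        if rx_moved and tx_moved:
            return "healthy"
        if tx_moved:
            return "blackhole"      # one-way: our traffic leaves, the peer's never arrives
        if rx_moved:
            return "rx-only"        # peer sends, we do not: check our routing/policy, not the SA
        return "idle"               # nothing offered either way; says nothing about the SA


def classify_series(samples: list[Sample], polls: int = 5) -> dict[str, list[str]]:
    """Run the watcher over an ordered poll history; returns per-tunnel state per poll."""
    w = TunnelWatcher(polls)
    out: dict[str, list[str]] = defaultdict(list)
    for s in sorted(samples, key=lambda x: x.t):
        out[s.name].append(w.observe(s))
    return dict(out)


def tunnels_to_bounce(states: dict[str, list[str]]) -> list[str]:
    """Tunnels whose latest classification is 'blackhole' are candidates for a bounce."""
    return sorted(n for n, st in states.items() if st and st[-1] == "blackhole")


# Constructed sample data (not real counters). FG1-to-FG2 flows for a while, then its
# inbound counter freezes while outbound keeps growing; at t=420 it is bounced and recovers.
# FG1-to-FG3 simply goes down at t=120, which is a different failure mode.
DEMO = [Sample(t, "FG1-to-FG2", True, rx, tx) for t, rx, tx in [
    (0, 1000, 1000), (60, 2000, 2000), (120, 3000, 3000), (180, 4000, 4000),
    (240, 4000, 5000), (300, 4000, 6000), (360, 4000, 7000),
    (420, 100, 150), (480, 900, 950), (540, 1800, 1900),
]] + [Sample(t, "FG1-to-FG3", t < 120, 500 * (t // 60 + 1), 500 * (t // 60 + 1))
      for t in range(0, 240, 60)]

if __name__ == "__main__":
    states = classify_series(DEMO, polls=3)
    for name, st in states.items():
        print(name, " ".join(st))
    print("bounce:", tunnels_to_bounce(states))
```

Two design points: the judgement lags by the full window (here three polls), because a counter that froze one poll ago is still "moved" relative to the oldest sample, so size `polls` to your tolerance; and a backwards counter is treated as a reset rather than a blackhole, otherwise every manual bounce would look like a new failure. "rx-only" and "idle" are reported separately because neither points at the SA itself.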
I encountered a similar issue. Have you ever tried changing the IKE port to check if it's OK?
config system settings
set ike-port xxxx
end
But it's a global parameter, so be careful.
We have not tried this option.
As it is a global parameter, and today we observed the issue with only one tunnel among several others, we would like to understand the impact of this setting on the tunnels.
Is there any document you can share explaining the impact of this setting on the tunnels?
Still trying to find a document about this issue as well.
In my situation, I found that changing the IKE port could sometimes work around the issue, but I'm still not sure of the root cause, so in the end I chose to downgrade the hub back to 7.4.0 and the issue is gone. lol, don't know if it's a bug or something else, will see....
Hi All,
Thank you for all the solutions provided for the issue.
We downgraded the firewalls from 7.4.2 to 7.4.1 and the issue got resolved.
I suggest not upgrading your firewalls to 7.4.2; it does not seem to be a stable version.
Please note that 7.4.1 is vulnerable to SSL VPN attacks: https://www.fortiguard.com/psirt/FG-IR-24-015
Make sure SSL VPN is disabled if you want to stay on that version: https://community.fortinet.com/t5/FortiGate/Technical-Tip-nbsp-How-to-disable-SSL-VPN-functionality-...
Regards,
