Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bhaskarrao
New Contributor

Created on ‎05-13-2024 03:55 AM

Getting Packet Drop issue on IPsec VPN Tunnel, after upgrade the FortiOS v7.4.3

Dear All.

 

We've encountered packet drop issues on the IPsec VPN tunnel between our FortiGate and AWS after upgrade FortiOS v7.4.3. Disabling the 'NPU Offload' has alleviated some of the packet loss problems, but we're still experiencing frequent packet loss, averaging around 5-6%.

In order to address this persisting issue, could you please provide some solutions or recommendations for resolving it?

 

With regards,

Bhaskar Rao

Labels:
270
0 Kudos
7 REPLIES 7
hbac
Staff
Staff

Created on ‎05-13-2024 06:50 AM

Hi @bhaskarrao,

 

Did you try disabling 'replay detection'? There is a known issue with bug ID 1003830. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/fortios-release-notes/236526/known-issues

 

Regards, 

238
bhaskarrao
New Contributor
In response to hbac

Created on ‎05-16-2024 02:46 AM

We did disable that option in phase-2, but unfortunately, the issue persists unchanged. We haven't seen any improvement despite our efforts.

 

is there any other workaround to fix this issue.

179
0 Kudos
hbac
Staff
Staff
In response to bhaskarrao

Created on ‎05-16-2024 06:09 AM

@bhaskarrao,

 

Do you have multiple tunnels going to AWS or just one? You can take packet captures on both sides to see where the packets are lost.

 

Regards, 

169
0 Kudos
panixx
New Contributor II
In response to hbac

Created on ‎05-16-2024 07:15 AM

Just adding that this still has not been fixed in 7.4.4.

157
0 Kudos
ezhupa
Staff
Staff

Created on ‎05-16-2024 07:15 AM

Hello,

What model is your FGT device? 
Is the tunnel between physical FGT and FGT located in AWS?
Any logs being generated on the end devices such as ESP packet errors, HMAC validation errors that coincide with the drops you experience? 
If the device is a F series FGT disabling offloading and replay detection should resolve the issue.

158
0 Kudos
bhaskarrao
New Contributor
In response to ezhupa

Created on ‎05-16-2024 08:30 PM Edited on ‎05-16-2024 08:50 PM

Hi, 

The FGT model is 500E and IPsec VPN tunnel between FGT and AWS. 

We tried disabling offloading and replay detection but issue remain same.

 

Please find the log file for your reference.Capture.JPG

 

130
0 Kudos
bhaskarrao
New Contributor
In response to ezhupa

Created on ‎05-16-2024 09:30 PM

Hi, 

The FGT model is 500E and IPsec VPN tunnel between FGT and AWS.  We have tried disabling offloading and replay detection but issue remain same.

Please find the log for your reference.

Capture.JPG

140
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.