Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- How to force SDWAN IPSec VPN Down when quota reach...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to force SDWAN IPSec VPN Down when quota reachs its end - Starlink maritme 5TB quota
How to force SDWAN IPSec VPN Down when quota reachs its end - Starlink maritme 5TB quota
The scenario: small office with Starlink+CG-NAT+DHCP, FG100, FortiOS 7.4 and remote office/DTC, regular ISP with static IP
I have two Starlink antenas, with a 5TB/Month quota, something around 168GB/day.
Besides that, the Starlink connectins are CG-NAT ones, with DHCP, so, not only the IP sometimes changes, but also, the NAT is under another NAT, so we need to use NAT-T on "forced" and also, use passive mode on remote datacenter, as I am using DDNS because the Starlink side needs it. (note: dial-up is not supported under SDWAN)
Because of the number of users and devices, besides controlling very strictly the traffic, we still need to "cap" the in/out max bandwidht to around 20Mbps to make sure that the Quota is not reached before the months ends
We did several tests, when something happens with the link, antenna turned off, cabling problem, DHCP error, remote SIP lack of communication error, it triggers the ISPEC to be down, and the SDWAN makes its job and everything works well.
As we have two antennas, we ´ve created a SDWAN with two IPSec VPN tunnels, one for each antenna. The remote/DTCe side is also a Fortigate, but not Starlink, instead regular ISPs, to serve as vpn endpoints with static IP
But stil, sometimes, the quota ends before the end of the month, and it´s when things get weird! As the quota ends, things like electrical crrent, link up, antenna up, no communication error happening, the tunnel still is up and running, so the ipsec tunnel neve got down and therefore, the SDWAN it doesn´t failover and everything stops. So, even with no quota available, still, the VPN is considered (on both sides) up and running, so, te SDWAN it doesn´t allow any communication to flow properly. Special Note: performace SLA is configured, with a loopback interface on each side, to test both tunnels and making sure that SDWAN culd detect the failure of the VPN channel, but, again even after end of quota, the tunnel is still up.
DTC/Main Static IP side: set passive-mode enable, phase1 keylife 28800, phase2 keylife 3600, set nattraversal forced
Small office/Starlink site: set passive-mode disable, phase1 keylife 28800, phase2 keylife 3600, set nattraversal forced
Besides that, some parametrs are as follows, i Phase1 on both sides:
monitor :
monitor-min : 0
auto-negotiate : enable
idle-timeout : disable
But for several months we´ve noticed that when the Quota ends, THE TUNNEL is still fully "functional", tehrefore, the SDWAN it does not failover properly
So, I started to think to use some special/custom parameters to tailor the system to my needs
So I got tha idea to change the keepalive to DISABLE
and maybe also the auto-negotiate also to DISABLE
keepalive : disable
auto-negotiate : disable
This could help to solve my issue?
Any other idea?
---
---
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you reviewed shape policies that will drop the traffic over the limit?
Shared traffic shaper | FortiGate / FortiOS 7.6.3 | Fortinet Document Library
Traffic shaping | FortiGate / FortiOS 7.6.3 | Fortinet Document Library
Other than that if this is a forti security fabric you could try triggering automation or if not send the forti logs to external server that can use the fortigate API to then trigger a script to stop the interface. My examples that you can modify:
Solved: Re: Restart Fortigate http/gui processes automatic... - Fortinet Community
Fortigate CPU/memory leak automation technical tip - Fortinet Community
Old post but the traffic logs can be used:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To use shaper to drop the traffic over the limite is not an option, for several reasons: the 5TB limit is overall, for ANY traffic produced/generated, the 5 TB limit is up+down, the traffic that goes though ipsec has overhead not related to what is being transported through the vpn, there is an IPSLA traffic using the quota as well, and finally, there are different interfaces using the quota besides the IPsec vpn, like regular internet access trhough another SDWAN, as I have 2 antennas, I use for internet access AND corporate access on both SDWANs
And sending logs to an external system is not an option
I was hoping that the dpd/auto-negotiate/keep-alive might be more useful in this particular case, as the defaults are tied to standard environments, which is not the case here
---
---
Created on ‎07-28-2025 12:31 AM Edited on ‎07-28-2025 12:32 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That are the options I am aware of and usually even small companies have if not SIEM a systlog server as for specific use cases like yours API Automations (Python, Terraform, Forti stiches and triggers) is usually the go to.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, sure, maybe it could be done, but now we´re talking about a solution which requires skills that we don´t have and of course, included that there is no budget to hire someone to do
I´m puzzled by why the "auto-negotiate" and "keep alive" disabled are not being able to for the tunnel to get down, whe the quota reachs its limit and if not really, if there are other parameters that could be configured to do so
---
---
Labels
-
FortiGate
10,503 -
FortiClient
2,131 -
FortiManager
884 -
5.2
687 -
FortiAnalyzer
673 -
5.4
638 -
FortiSwitch
576 -
FortiAP
557 -
FortiClient EMS
551 -
6.0
416 -
IPsec
408 -
SSL-VPN
372 -
FortiMail
371 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
126 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
65 -
Certificate
62 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
fortilink
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
Fortigate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2546 | |
| 1354 | |
| 795 | |
| 643 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.