Hello All,
Sorry for the long explanation - trying to answer foreseeable questions in advance!
We have a pair of FG-100Ds in a HA Active-Passive configuration, running v5.2.3. (Would like to upgrade to v5.2.5, but no one wants to approve the change!)
Connected to this are 22 small sites (couple of devices each) connected via IPSec tunnels, each with Cisco 887 (ADSL plus 3G Failover) and 4 x Phase 2 selectors.
The Fortigate has a private IP address on the WAN1 port, so all tunnels are enabled for NAT-T on both sides.
Head office has a range of 172 and 10 subnets, and each site has both a 10.x.x.0/28 and 172.x.x.0/28 subnet.
These tunnels were all configured by a third party in August 2015, and have been quite robust.
Needed to alter the Interesting Traffic selectors. After testing one site successfully, I rolled out the change to each of the Cisco routers and to its Fortigate tunnel.
Then I started to notice semi-frequent dropouts in links from HQ to individual sites. Most sites drop 1 or 2 times a day, some up to 5 times a day, and some have never dropped, despite the fact that configs have been checked 50 times and are identical.
When I check the Fortigate, I find the tunnels are reporting as up, but the route specific to that P2 has vanished.
VPN, Monitor, IPsec Monitor, Select the appropriate Phase 2, right click, Bring Down will resolve the issue within a second or two.
My thinking has been P1 / P2 timeouts.
P1 was correct - both sides 86,400 seconds - 1 day.
Then I discovered P2 was default on the Cisco (3,600 seconds, 4,608,000 Kbytes) and set to 43,200 on the Fortigate. Bingo!
Reconfigured all the P2s (all 88 of them) on the Fortigate to Key Lifetime "Both" Seconds 3,600 and Kilobytes 4,608,000 to match the defaults on the Cisco.
Reliability appears better, but still experiencing dropouts.
Some of the Ciscos have been rebooted, but the Fortigate has not.
DPD enabled both sides. NAT-T configured both sides. I believe MTU configuration on the Cisco is good.
Spent most of the last two weeks on this! We have site monitoring which pings every site every 30 minutes. Before the change this was stable. Now getting 30 or 40 alerts a day. Manually bringing down the tunnel whenever a site is unreachable resolves it, but sites are offline for ~15-20 minutes before I give it a kick, which is unacceptable.
If I don't intervene, it does come back by itself within an hour, again seeming to indicate timeout related.
The biggest thing I don't understand in all of this is how the tunnels were stable previously with the Phase 2 lifetimes being incorrect. I suppose since they were lower on the Cisco, it just re-established the P2, and the Fortigate said "Oh, OK!".
The Fortigate hasn't been restarted in over 200 days, probably not since these tunnels were commissioned.
Screen grabs of snippets of the interfaces view and the routes view are attached.
Would like to create an explicit static route for each of the sites on the Fortigate pointing to their tunnel. But new route doesn't list the tunnels as a selectable interface. Setting in the CLI also fails. The routes from that screen shot are generated automatically and vanish when the issue occurs.
I feel like I need a way to completely reset each tunnel on the Fortigate (rebooting it has been tempting!) - perhaps just dropping the tunnel isn't resetting the lifetime back to 0 for all phases on both the Fortigate and Cisco?
Need help with advanced troubleshooting / monitoring CLI commands for the Fortigate. Have done most of my debugging on the Ciscos thus far, and haven't found anything.
Help!
TIA
Tony
Here is a snippet of the Fortigate config pertaining to one of our sites, Parry.
Hopefully I have included everything pertinent!
The definition of RR_VPN_allowed is messy with overlapping subnets, but that is how I inherited it. I don't think that would be an issue for a firewall traffic definition... ?
config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.25.26.1 255.255.255.0
        set allowaccess ping auto-ipsec
        set type physical
        set alias "Internet VLAN1004"
        set snmp-index 1
    next
    edit "ParryVPN"
        set vdom "root"
        set type tunnel
        set snmp-index 27
        set interface "wan1"
    next
end
config firewall address
    edit "RRLan1"
        set uuid 35b53b82-2532-51e5-1e68-4e12f9c7ad29
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "RRLan2"
        set uuid 434365d0-2532-51e5-8c01-3d3f45b0514a
        set subnet 172.25.31.0 255.255.255.0
    next
    edit "RRLan3"
        set uuid 60de0802-4abc-51e5-8b39-e8af024ce3c2
        set subnet 172.26.32.0 255.255.252.0
    next
    edit "RRLan4"
        set uuid 700447a6-4abc-51e5-3ce6-f98e8336aa4a
        set subnet 172.27.26.0 255.255.254.0
    next
    edit "RRLan5"
        set uuid 5368b170-5040-51e5-6f65-d5615fdde652
        set comment "RR Lan 5"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "RRLan6"
        set uuid afe75a02-5043-51e5-736d-5aba728b7f94
        set subnet 172.26.31.0 255.255.255.0
    next
    edit "RRLan7"
        set uuid c2226042-b7f2-51e5-8f64-c6785f7eb758
        set subnet 172.25.29.0 255.255.255.0
    next
    edit "Parry_Data"
        set uuid 3e277088-3cbf-51e5-6611-3c888255465e
        set visibility disable
        set subnet 10.26.32.32 255.255.255.240
    next
    edit "Parry_Voice"
        set uuid 4dc467e4-3cbf-51e5-9a94-565640679102
        set visibility disable
        set subnet 172.26.32.32 255.255.255.240
    next
end
config firewall addrgrp
    edit "Parry"
        set uuid 7c44929c-3cbf-51e5-a1fc-369091c65fe9
        set member "Parry_Data" "Parry_Voice"
        set comment "Parry_House"
    next
end
config firewall addrgrp
    edit "RR_VPN_allowed"
        set uuid 552711a2-2532-51e5-0777-aadca12dc890
        set member "RRLan1" "RRLan2" "RRLan3" "RRLan4" "RRLan5" "RRLan6" "RRLan7"
    next
end
config vpn ipsec phase1-interface
    edit "ParryVPN"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set proposal 3des-md5 3des-sha1 3des-sha256
        set dhgrp 2
        set peerid "parry.royalrehab.local"
        set psksecret ENC REDACTED
    next
end
config vpn ipsec phase2-interface
    edit "ParryVPN_1"
        set phase1name "ParryVPN"
        set proposal 3des-md5 3des-sha256
        set dhgrp 2
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 4608000
        set src-subnet 10.0.0.0 255.0.0.0
        set dst-subnet 10.26.32.32 255.255.255.240
    next
    edit "ParryVPN_2"
        set phase1name "ParryVPN"
        set proposal 3des-md5 3des-sha256
        set dhgrp 2
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 4608000
        set src-subnet 10.0.0.0 255.0.0.0
        set dst-subnet 172.26.32.32 255.255.255.240
    next
    edit "ParryVPN_3"
        set phase1name "ParryVPN"
        set proposal 3des-md5 3des-sha256
        set dhgrp 2
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 4608000
        set src-subnet 172.16.0.0 255.240.0.0
        set dst-subnet 10.26.32.32 255.255.255.240
    next
    edit "ParryVPN_4"
        set phase1name "ParryVPN"
        set proposal 3des-md5 3des-sha256
        set dhgrp 2
        set keepalive enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 4608000
        set src-subnet 172.16.0.0 255.240.0.0
        set dst-subnet 172.26.32.32 255.255.255.240
    next
end
config firewall policy
    edit 5
        set uuid 9d48ddea-3cbf-51e5-5244-8af2cafae703
        set srcintf "ParryVPN" "port1"
        set dstintf "ParryVPN" "port1"
        set srcaddr "Parry" "RR_VPN_allowed"
        set dstaddr "Parry" "RR_VPN_allowed"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
end
And here is the Cisco config, again for one of our sites, Parry.
Thanks everyone!
!
hostname parry
!
ip dhcp pool pool 2202
 import all
 network 10.26.32.32 255.255.255.240
 default-router 10.26.32.33
!
ip dhcp pool pool 2502
 import all
 network 172.26.32.32 255.255.255.240
 default-router 172.26.32.33
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
cts logging verbose
license udi pid C887VAG-4G-GA-K9 sn REDACTED
!
vtp mode transparent
username admin privilege 15 secret 5 REDACTED
!
controller VDSL 0
!
controller Cellular 0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
vlan 2202,2502
!
track 1 ip sla 1 reachability
!
ip ssh version 2
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
crypto isakmp identity hostname
crypto isakmp keepalive 10
!
crypto isakmp peer address PUBLIC-IP-FORTIGATE
 set aggressive-mode password REDACTED
 set aggressive-mode client-endpoint user-fqdn parry.DOMAIN
!
crypto ipsec transform-set FG esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile FGipsec
 set transform-set FG
 set pfs group2
!
crypto map CMAP 10 ipsec-isakmp
 set peer PUBLIC-IP-FORTIGATE
 set transform-set FG
 set pfs group2
 match address 115
!
interface Loopback30
 description Monitoring address
 ip address 10.224.62.159 255.255.255.255
!
interface ATM0
 description Phy_ADSL
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 mtu 1452
 pvc 8/35
  pppoe-client dial-pool-number 1
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 ip virtual-reassembly out
 encapsulation slip
 dialer in-band
 dialer string optus
 dialer string hspa
 dialer-group 1
 async mode interactive
 crypto map CMAP
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 description Data
 switchport access vlan 2202
 no ip address
!
interface FastEthernet2
 description Voice
 switchport access vlan 2502
 no ip address
!
interface FastEthernet3
 description Data
 switchport access vlan 2202
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2202
 description Data
 ip address 10.26.32.33 255.255.255.240
 ip access-group DATA_VLAN_INBOUND in
 ip access-group DATA_VLAN_OUTBOUND out
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2502
 description Voice
 ip address 172.26.32.33 255.255.255.240
 ip access-group VOICE_VLAN_INBOUND in
 ip access-group VOICE_VLAN_OUTBOUND out
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 description Dialer interface for ADSL2
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in max-reassemblies 64
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname REDACTED
 ppp chap password 0 REDACTED
 ppp pap sent-username REDACTED
 ppp ipcp route default
 no cdp enable
 crypto map CMAP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT interface Cellular0 overload
ip nat inside source route-map NAT1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0 254
ip route 8.8.4.4 255.255.255.255 Dialer1
!
ip access-list extended DATA_VLAN_INBOUND
 permit ip 10.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
 permit ip 10.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
 permit ip host 10.26.32.34 any
 permit ip host 10.26.32.35 any
 permit udp any eq bootpc any eq bootps
ip access-list extended DATA_VLAN_OUTBOUND
 permit ip 10.0.0.0 0.255.255.255 10.26.32.32 0.0.0.15
 permit ip 172.16.0.0 0.15.255.255 10.26.32.32 0.0.0.15
 permit ip any host 10.26.32.34
 permit ip any host 10.26.32.35
ip access-list extended VOICE_VLAN_INBOUND
 permit ip 172.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
 permit ip 172.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
 permit udp any eq bootpc any eq bootps
 permit ip host 172.26.32.34 any
ip access-list extended VOICE_VLAN_OUTBOUND
 permit ip 10.0.0.0 0.255.255.255 172.26.32.32 0.0.0.15
 permit ip 172.16.0.0 0.15.255.255 172.26.32.32 0.0.0.15
 permit ip any host 172.26.32.34
!
ip sla auto discovery
ip sla 1
 icmp-echo 8.8.4.4 source-interface Dialer1
 threshold 2
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
!
route-map NAT permit 10
 match ip address 111
 match interface Cellular0
!
route-map NAT1 permit 10
 match ip address 110
 match interface Dialer1
!
snmp-server community RRHouseRO RO
snmp-server community RRHouseRW RW
snmp-server community MACQread RO
access-list 110 deny   ip 10.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
access-list 110 deny   ip 10.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
access-list 110 deny   ip 172.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
access-list 110 deny   ip 172.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
access-list 110 permit ip 10.26.32.32 0.0.0.15 any
access-list 110 permit ip 172.26.32.32 0.0.0.15 any
access-list 111 deny   ip 10.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
access-list 111 deny   ip 10.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
access-list 111 deny   ip 172.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
access-list 111 deny   ip 172.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
access-list 111 permit ip 10.26.32.32 0.0.0.15 any
access-list 111 permit ip 172.26.32.32 0.0.0.15 any
access-list 115 permit ip 10.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
access-list 115 permit ip 10.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
access-list 115 permit ip 172.26.32.32 0.0.0.15 10.0.0.0 0.255.255.255
access-list 115 permit ip 172.26.32.32 0.0.0.15 172.16.0.0 0.15.255.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 no exec
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end
The dropouts were triggered due to the multiple ACLs on the Cisco routers.
Fortigate was dropping the route as part of the tear down of a certain P2 that was requested by the Cisco GW/client. But the deleted route was required by another Phase2/tunnel between the two gateways.
Please use ACLs in the following format at the client end, e.g.:
1. 10.26.32.32 0.0.0.15 0.0.0.0 0.0.0.0
2. 172.26.32.32 0.0.0.15 0.0.0.0 0.0.0.0
The remote IPSec dial-up client should not have more than one Phase2/ACL for its local subnet when connecting to the FGT (Dial-up Server), in this example.
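To make the diagnosis in the reply easy to check against a config, here is an added Python example (my own code, not from the thread, Fortinet or Cisco). It models the four ParryVPN Phase 2 selectors posted above, lists the destinations whose tunnel route is relied on by more than one Phase 2 (the route that vanishes when the router tears one of them down), and then runs the same check on the one-Phase-2-per-local-subnet layout the reply asks for, emitting the matching crypto ACL lines. The corrected entry names, and the modelling assumption that the FortiGate keeps a single route per distinct dst-subnet on a dial-up tunnel, are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed from the ParryVPN Phase 2 selectors posted in the thread
# (src = head-office side on the FortiGate, dst = the site's local /28).
PARRY_P2_AS_POSTED = {
    "ParryVPN_1": ("10.0.0.0/8",    "10.26.32.32/28"),
    "ParryVPN_2": ("10.0.0.0/8",    "172.26.32.32/28"),
    "ParryVPN_3": ("172.16.0.0/12", "10.26.32.32/28"),
    "ParryVPN_4": ("172.16.0.0/12", "172.26.32.32/28"),
}

# Layout the reply asks for: one Phase 2 per site-local subnet, with the
# head-office side left as any. Entry names are assumed, not from the thread.
PARRY_P2_CORRECTED = {
    "ParryVPN_1": ("0.0.0.0/0", "10.26.32.32/28"),
    "ParryVPN_2": ("0.0.0.0/0", "172.26.32.32/28"),
}


def routes_by_destination(p2s):
    """Group Phase 2 names by the remote subnet they carry.

    Assumption of this model: on a dial-up tunnel the FortiGate installs one
    route per distinct dst-subnet, so two Phase 2s with the same dst share a
    single route. Keys are canonical network strings.
    """
    users = defaultdict(list)
    for name, (_src, dst) in p2s.items():
        users[str(ipaddress.ip_network(dst))].append(name)
    return dict(users)


def shared_routes(p2s):
    """Destinations whose route is relied on by more than one Phase 2.

    These are the routes that disappear when the peer tears down one of the
    Phase 2s while the others still report 'up' in the IPsec monitor.
    """
    return {dst: names for dst, names in routes_by_destination(p2s).items()
            if len(names) > 1}


def routes_lost_on_teardown(p2s, torn_down):
    """Phase 2s left without a route when the peer deletes `torn_down`."""
    dst = str(ipaddress.ip_network(p2s[torn_down][1]))
    return [n for n in routes_by_destination(p2s)[dst] if n != torn_down]


def cisco_acl_lines(p2s):
    """Crypto ACL lines for the router end, one per site-local subnet.

    IOS ACLs take a wildcard mask (the inverse of the netmask); 'any' is the
    keyword form of 0.0.0.0 255.255.255.255.
    """
    lines = []
    for _name, (_src, dst) in p2s.items():
        net = ipaddress.ip_network(dst)
        lines.append(f"permit ip {net.network_address} {net.hostmask} any")
    return lines


if __name__ == "__main__":
    print("Shared routes as posted:", shared_routes(PARRY_P2_AS_POSTED))
    print("If the router drops ParryVPN_1, these still-'up' P2s go dark:",
          routes_lost_on_teardown(PARRY_P2_AS_POSTED, "ParryVPN_1"))
    print("Shared routes after the fix:", shared_routes(PARRY_P2_CORRECTED))
    for line in cisco_acl_lines(PARRY_P2_CORRECTED):
        print(line)
```

Run as posted, the script reports both /28s as shared between two Phase 2s each, which is the situation the reply describes: the router expiring or renegotiating ParryVPN_1 takes away the 10.26.32.32/28 route that ParryVPN_3 still needs, so the tunnel looks up while the site is unreachable. With the corrected layout no destination is shared, and the same function can be pointed at the other 21 sites' selector sets to find any that still overlap.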