hi
we have an IPsec tunnel configured on our FortiGate FW which is linked to Azure.
this tunnel has intermittent connectivity dropouts and it's affecting production servers/users and what they are doing.
as far as I can tell the phase 1 and phase 2 settings are correct at both ends.
this includes the pre-shared key, DPD, algorithms, Diffie-Hellman group, key lifetime for phase 1 and 2 and the PFS.
based on the fact that the VPN is on for most of the time and the drops are intermittent, this would indicate that the settings are correct, otherwise the connection would not be established... am I correct in saying this?
I have noticed that we DO NOT have auto-negotiate or Autokey Keep Alive enabled on this tunnel. Not sure if this is required, but I've read some posts indicating that this is a useful feature to enable.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepali...
fortigate details
Fortigate 1800F
v7.2.9 build 1688
the timestamps for these drops match up with what we are seeing on the Azure side.
this is what we're seeing on the FortiGate; in Azure we can see the VPN connection has gone down.
how do we get more detailed information as to what is triggering the tunnel to go down? or, as stated in the logs, the tunnel is renegotiating... what is causing this?
what's the best way to get more detailed information about this?
question about DPD: what should this be configured as? we've been advised by a 3rd party that this should be set to on-idle... is on-demand the better option?
any suggestions/advice will be greatly appreciated!
cheers
Hi,
Can you please try disabling the NPU and check the status
Recommended to do in off hours as disabling NPU will flap the tunnel
hey
so I've checked the NPU setting as instructed in the article.
when I run
show vpn ipsec phase1-interface <tunnel name>
the set npu-offload setting is NOT configured.
when I run the diag vpn tunnel list command,
looking at the tunnel in question, I can see the following NPU info:
npu_flag=03
this would indicate that the traffic is being offloaded correctly?
can you please confirm if we still need to enable the npu-offload setting?
Hi RogerDingoDing,
The NPU command will be available under:
config vpn ipsec phase1-interface
edit <phase1_name>
get
this would indicate that the traffic is being offloaded correctly? >> yes
can you please confirm if we still need to enable the npu-offload setting? >> I would request you to disable the NPU offload and see the status. Even if the issue is still present, that will isolate NPU causing any issue.
ok thanks for the info, just to be absolutely sure I understand what you're saying.
you want us to disable npu offloading
set npu-offload disable
i will need to discuss this with the team before we go and make any changes.
are you able to advise about the auto-negotiate or Autokey Keep Alive options?
yes, that's the correct cmd.
also please do it during off hours as disabling it will flap the tunnel. that means the tunnel will go down and up.
Regarding your other query, auto-negotiate or Autokey Keep Alive:
this will not affect the packet loss for the communication. the work of auto-negotiate or Autokey Keep Alive is to always bring the phase 2 up regardless of the traffic flow.
more details can be found here
ok thanks for confirming.
once we disable the npu setting.... are there any specific logs we need to check or commands to run to see whats going on?
Hi,
diagnose npu np7 dce-drop-all
diagnose npu np7 hif-stats
Before and after disabling NPU you can collect this output
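One way to get past "the tunnel is renegotiating" and answer the original question about what is triggering the drops is to pull the tunnel up/down events out of the event log and check whether the gaps between drops line up with the configured phase 1 or phase 2 key lifetime (a steady drop every lifetime points at a rekey problem rather than a link or NPU fault). The script below is an added example written for this thread; it is not code from the thread, from Fortinet, or from Azure. The log lines in it are constructed in a FortiGate-style key=value layout purely for illustration; the real field names and values on a unit may differ, so adapt the parser to what the unit actually emits. The tunnel name `to-azure` and the 3600 s lifetime are assumptions.

```python
"""Correlate IPsec tunnel down/up events with a configured key lifetime.

Added example for the thread above; not code from the thread or Fortinet.
SAMPLE_LOG is constructed in a FortiGate-like key=value layout for
illustration only and is not real output from any unit.
"""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample event-log lines (assumed layout, not captured output).
SAMPLE_LOG = """\
date=2025-03-10 time=08:00:02 type="event" subtype="vpn" action="tunnel-up" vpntunnel="to-azure" msg="IPsec phase 2 status change"
date=2025-03-10 time=09:00:05 type="event" subtype="vpn" action="tunnel-down" vpntunnel="to-azure" msg="IPsec phase 2 status change"
date=2025-03-10 time=09:00:41 type="event" subtype="vpn" action="tunnel-up" vpntunnel="to-azure" msg="IPsec phase 2 status change"
date=2025-03-10 time=10:00:08 type="event" subtype="vpn" action="tunnel-down" vpntunnel="to-azure" msg="IPsec phase 2 status change"
date=2025-03-10 time=10:00:55 type="event" subtype="vpn" action="tunnel-up" vpntunnel="to-azure" msg="IPsec phase 2 status change"
date=2025-03-10 time=10:31:12 type="event" subtype="vpn" action="tunnel-down" vpntunnel="other-site" msg="IPsec phase 2 status change"
"""

# key=value pairs; values may be double-quoted and contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


class Event(NamedTuple):
    ts: datetime
    action: str
    tunnel: str


class Outage(NamedTuple):
    down: datetime
    up: Optional[datetime]       # None if the log ends with the tunnel still down
    seconds: Optional[float]


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def parse_events(text: str) -> List[Event]:
    """Keep only VPN events that carry an action, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("subtype") != "vpn" or "action" not in fields:
            continue
        ts = datetime.strptime(fields["date"] + " " + fields["time"],
                               "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, fields["action"], fields.get("vpntunnel", "")))
    events.sort(key=lambda e: e.ts)
    return events


def outages(events: List[Event], tunnel: str) -> List[Outage]:
    """Pair each tunnel-down with the next tunnel-up for one tunnel."""
    result, pending = [], None
    for e in events:
        if e.tunnel != tunnel:
            continue
        if e.action == "tunnel-down" and pending is None:
            pending = e.ts
        elif e.action == "tunnel-up" and pending is not None:
            result.append(Outage(pending, e.ts, (e.ts - pending).total_seconds()))
            pending = None
    if pending is not None:
        result.append(Outage(pending, None, None))
    return result


def lifetime_alignment(outs: List[Outage], lifetime_s: int,
                       tolerance_s: int = 60) -> Tuple[int, int]:
    """Return (aligned, total) over the gaps between consecutive drops.

    A gap is 'aligned' when it is within tolerance_s of a whole multiple of
    lifetime_s. aligned close to total suggests rekey-driven drops; a low ratio
    points elsewhere (DPD, path loss, offload, the remote side).
    """
    downs = [o.down for o in outs]
    gaps = [(b - a).total_seconds() for a, b in zip(downs, downs[1:])]
    aligned = 0
    for g in gaps:
        n = round(g / lifetime_s)
        if n >= 1 and abs(g - n * lifetime_s) <= tolerance_s:
            aligned += 1
    return aligned, len(gaps)


if __name__ == "__main__":
    outs = outages(parse_events(SAMPLE_LOG), "to-azure")
    for o in outs:
        print(f"down {o.down}  up {o.up}  duration {o.seconds}s")
    print("gaps aligned with 3600 s lifetime:", lifetime_alignment(outs, 3600))
```

Run it against an export of the unit's VPN event log instead of SAMPLE_LOG and try both the phase 1 and phase 2 lifetimes as `lifetime_s`; compare the down timestamps with the Azure-side connection events mentioned earlier in the thread to confirm which side initiated the teardown.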