IPSEC VPN tunnel down frequently unable to bring up. Have to restart fortigate
Recently replaced our juniper firewall with fortigate 30E on one of my site. I am encountering a peculiar problem with the Fortigate 30E firewall IPSEC VPN tunnel. The WAN internet link is connect via PPPoE.
There is a IPSEC VPN tunnel between the 30E to a 200D. Every 2 - 5 days the tunnel will go down by itself and unable to bring up automatically or manual method via the GUI or CLI. The internet is working fine and still accessible during the IPSEC VPN tunnel failure. I have to reboot the 30E fortigate and immediately the IPSEC tunnel will recover and bring up by itself.
200D is connected to multiple IPSEC VPN to various site, all IPSEC VPN tunnel is working without issue except the IPSEC VPN to 30E.
Prior to the replacement of the fortigate 30E . We are already using the IPSEC VPN created using the juniper firewall to the 200D and the connection is stable.
To isolate firmware compatibility issue . I have also create two additional IPSEC VPN Tunnel .
A. 30E to 60D (Same firmware 5.4.1)
B. 30E to 90E
Therefore in total there are 3 IPSEC VPN tunnel . A:30E to 60D B:30E to 90E and C:30E to 200D
Strangely ,when the IPSEC vpn tunnels goes down,sometimes one or two are unable to bring up by themselves, whereas the remaining tunnel will be able to bring up themselves.
Case 1 Example .
A.30E to 60D - (Down, unable to bring up) , B.30E to 90E (UP by itself) , C:30E to 200D (Down, unable to bring up).
Have to reboot the fortigate 30E and immediately all the IPSEC Tunnels (down) will goes up.
Case 2 example.
3 IPSEC VPN goes down unable to bring it up. Reboot is require on 30E to get the IPSEC VPN tunnel to bring up.
This issue has been reported to TA and still pending for 1 month.
Have anyone encountered the same issues before? Will appreciate if anyone can shed some light on this.
Not an intelligent answer but in the past we have FWF60D at one of our own offices with pppoe over a fiber. It's running a main mode IPSec to our 1500D for our MPLS connection. We started with 5.2.3 I think and kept upgrading over a couple of years because it dropped the internet time to time. Almost every time we upgrade it the occurrence became less than previous version. Then after we upgraded it to 5.4.4 earlier this year we stopped getting complaints from the location. Generally I don't recommend 5.4.1. When you consider upgrading it please check the release notes of the target version and check backward toward 5.4.1 to verify the upgrade path and any special instruction. I'm not sure about 30E but I remember 5.4.1 required a flush when upgrading it to a higher version.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.