Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGuest
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiTester
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiVoice
- FortiWAN
- FortiToken
- FortiWeb
- Wireless Controller
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: IPSEC problem
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSEC problem
Hi
i have a problem with vpn between 2 fortigate
site A is a fortigate 100A 4.0 MR3 patch 15
site B is a fortigate 50B 4.0 MR3 patch 15
After 16 hour vpn stop responding, i lose ping until restarting fortigate 50B (site B)
Bring down-bring up vpn from web interface in both site don' t resolve the problem.
After restarting, during day, vpn work well, without any lost packet. The problem occour always during night, when there are not active connection in site B.
Site A is the head office, and are connected other ipsec with the same configurations as site B, that works without problems.
IPSEc is policy based configuration:
In both site A and site B vpn are configured with these paramenters:
PHASE 1
MODE: main
Encryption: AES128/MD5 - AES128/SHA1 - DES/MD5
Dh group: 2
Key life: 28800 seconds
XAUTH: disabled
Dead Peer Detection: Enabled
PHASE 2
Encryption: AES128/MD5 - AES128/SHA1
Enable repaly detection: disabled
Enable perfect forward secrecy: enabled
DH Group: 2
Keylife: 28800 seconds
Autokey Keep Alive: enabled
Quick mode selector:
on site A: soure 0.0.0.0/0 destination: 192.168.3.0/24
on site B: soure 192.168.3.0/24 destination: 0.0.0.0/0
Policy:
site A: source (all vlan in site A) destination (lan site B: 192.168.3.0/24) Action IPSEC
site B: source (lan site B: 192.168.3.0/24) destination (vlan in site A) Action IPSEC
Log on site B whe the problem occurred: I found these line
msg=" delete IPsec phase 2 SA" action=" delete_ipsec_sa"
msg=" delete IPsec phase 1 SA" action=" delete_phase1_sa"
What can I try to resolve the problem?
Thanks
Andrea
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I would do before resetting anything, I would execute the diag sniffer packet command and specify ports 500 or 4500 between the 2 vpn peers. See if IKE or even ESP is being passed
Qs:
Have you ensure that NAT is not an issues and if any NAT-transversal timeout?
execution of diag vpn ike gateway will provide details on if IKE std or NAT-T extension is being used
Next, have you ensure that DPD is actively being used?
Once again execution of the diag vpn ike gateway cmd, will provide details on DPD and counters and you can monitor the interval
I would also issues the diag debug app ike -1 when all stops and to try to identify what side is causing the issues.
You can use my link at the following blog for L2L vpn t-shooting.
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your answer
I try to execute diag vpn ike gateway:
On site B i have
vd: root/0
name: Montecchio
version: 1
interface: wan1 5
addr: 172.16.10.2:500 -> public ip site A:500
created: 24652s ago
IKE SA: created 1/1 established 1/1 time 6340/6340/6340 ms
IPsec SA: created 1/1 established 1/1 time 140/140/140 ms
id/spi: 0 3b4a487011db8c3a/2e520d79e9b7fe32
direction: initiator
status: established 24652-24646s ago = 6340ms
proposal: aes128-md5
key: 8f547fadea7ff48d-191e45bed97c224c
lifetime/rekey: 28800/3853
DPD sent/recv: 00000000/00000000
On site A:
vd: root/0
name: Spagna
version: 1
interface: wan1 2
addr: public IP site A:500 -> public IP site B:500
created: 24712s ago
IKE SA: created 1/2 established 1/1 time 250/250/250 ms
IPsec SA: created 1/2 established 1/1 time 120/120/120 ms
id/spi: 1108 3b4a487011db8c3a/2e520d79e9b7fe32
direction: responder
status: established 24700-24700s ago = 250ms
proposal: aes128-md5
key: 8f547fadea7ff48d-191e45bed97c224c
lifetime/rekey: 28800/3829
DPD sent/recv: 00000000/00000000
Vpn restart this morning.
the DPD is showing 0000000/0000000, for other vpn is enhanced
Can be DPD issue?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That could be a big issue. I would enable dpd on the policy and use ikev2
e.g
edit Montecchio
set dpd enable
set dpd-retryinterval 20
end
I also rfc1918 address but is this output sanitized? Or are you using NAT anywhere on the peer-vpn src address?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mmmm... I don' t understand very well
In site A fortigate has public ip and connect to site B to public IP
In site B, public ip is on provider' s router.
Fortigate is connected to this router with wan port configured like " internal" for provider' s router.
Wan1 in fortigate is 172.16.10.2 that is internal lan of provider' s router.
To do this in fortigate, I also configured a static route from 0.0.0.0/0 to 172.16.10.1 (provider' s router, that is gateway)
On this router I configure port forwarding rules from any to fortigate, port 500 and 4500 udp.
No NAT configured in policy rules in both sites. In policy rule is configured allow inbound and allow outbound
No NAT Traversal configured
DPD is enabled on both fortigate!!
Maybe provider router issue?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your being NAT' than you need to enable NAT-T and possible adjust any Nat timeouts. Do you have NAT-T enabled?
set nattraversal enable
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
enabled nat traversal but DPD won' t work.
I recreate phase 1 and phase 2 and policy too.
The strange thing is that with other vpn site, with identical firewall (fortigate 50B) and configurations, i have no problems.
I think that the problem is the provider router. I have to check with another router.
Labels
-
FortiGate
9,196 -
FortiClient
1,871 -
5.2
801 -
FortiManager
788 -
5.4
639 -
FortiAnalyzer
593 -
FortiSwitch
504 -
FortiAP
491 -
FortiClient EMS
462 -
6.0
416 -
5.6
362 -
FortiMail
335 -
SSL-VPN
281 -
IPsec
258 -
6.2
251 -
FortiAuthenticator v5.5
234 -
FortiWeb
219 -
FortiNAC
215 -
5.0
196 -
FortiGuard
146 -
SD-WAN
133 -
6.4
128 -
FortiAuthenticator
126 -
FortiGateCloud
103 -
FortiCloud Products
102 -
FortiSIEM
100 -
Firewall policy
97 -
FortiToken
96 -
Wireless Controller
84 -
Customer Service
81 -
FortiProxy
71 -
High Availability
67 -
4.0MR3
64 -
Fortivoice
60 -
FortiEDR
60 -
FortiADC
56 -
vlan
54 -
ZTNA
54 -
Routing
53 -
DNS
51 -
LDAP
47 -
FortiSandbox
46 -
FortiExtender
46 -
BGP
46 -
RADIUS
45 -
SAML
45 -
Authentication
44 -
NAT
43 -
FortiDNS
42 -
SSO
42 -
Certificate
42 -
FortiGate-VM
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
VDOM
34 -
fortilink
33 -
FortiConnect
32 -
Interface
32 -
Application control
32 -
Virtual IP
28 -
FortiWAN
27 -
Logging
27 -
Web profile
27 -
FortiConverter
26 -
FortiGate v5.2
24 -
FortiPAM
24 -
SSL SSH inspection
23 -
FortiPortal
22 -
Fortigate Cloud
21 -
Traffic shaping
20 -
FortiSwitch v6.2
19 -
Automation
19 -
Static route
19 -
FortiMonitor
18 -
SSID
18 -
snmp
17 -
OSPF
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
Admin
14 -
Security profile
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
FortiManager v5.0
12 -
Proxy policy
12 -
FortiRecorder
11 -
IPS signature
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
Explicit proxy
10 -
Traffic shaping policy
10 -
FortiAP profile
10 -
Intrusion prevention
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Port policy
9 -
FortiDeceptor
8 -
FortiCache
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Antivirus profile
8 -
Traffic shaping profile
8 -
Web rating
8 -
Fortinet Engage Partner Program
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
API
7 -
trunk
7 -
Users
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Packet capture
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
Application signature
5 -
Authentication rule and scheme
5 -
Email filter profile
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
NAC policy
4 -
DLP sensor
4 -
Netflow
4 -
Protocol option
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Multicast routing
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Zone
2 -
Vulnerability Management
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
File filter
1 -
ICAP profile
1 -
Virtual wire pair
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1922 | |
| 1144 | |
| 769 | |
| 447 | |
| 277 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.