I just got this strange issue here:
two FGT 100E with 6.0.8 running. Between both is an ipsec tunnel.
Side A says (in IPsec Monitor) the tunnel is up
Side B says (-"-) the tunnel is down
Side B still gets new SA Requests for that tunnel from Side A
In the debug log on Side A you see that Side A is doing the complete handshake and even sends the tunnel-up SNMP trap to Side B.
On Side B you only see new SA requests from Side A and then negotiation timeouts.
P1 auto negotiation is disabled on Side B but enabled on Side A
I have no clue why this happens...
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
You have two Fortigates running same hardware and same software release.
I guess you compared the IPSEC tunnel settings in the CLI on the Fortigates, and verified the Tunnel settings are the same on both sides?
Firewalls Policies are also correct, otherwise the tunnel would not initiate at all.
So what else could be the reason it doesn't work?
Either some network device is dropping packets in your network path. Be it the ISP or some other device.
Or you are running into a software bug on the Fortigate.
That's why I suggested setting NAT-T to forced (not just enabled) and disabling np-offload on the phase1.
I've seen a lot of ISP's doing very weird stuff to IPSEC tunnels.
So in this case I would try to:
- enable force NAT Traversal (UDP 4500 instead of ESP)
Also I ran in multiple NP offload bugs on various FortiOS releases:
- to fix: set np-offload disable on the phase1 tunnel
Did you run any diag commands?
diag vpn ike gateway
diag vpn tunnel list
And lastly if DPD is not being used, enable it in your phase1-interface config thru the cli. I highly doubt the ISP is culprit here.
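The two answers above recommend the same three phase1 changes (forced NAT-T, np-offload disabled, DPD enabled) plus the diag commands to verify them. The block below is an added example of what that looks like in FortiOS CLI; it is not configuration posted by anyone in this thread. The tunnel name "to-siteB", the interface "wan1" and the peer address 203.0.113.2 are placeholders, and the settings are applied identically on both peers, as the original poster later did.

```fortios
# Added example (not from the thread): phase1-interface settings the answers
# above recommend. Tunnel name, interface and remote-gw are placeholders.
config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set remote-gw 203.0.113.2
        # Force IKE/ESP into UDP 4500 even when no NAT is detected, so a
        # middlebox that drops or mangles raw ESP (IP protocol 50) is bypassed.
        set nat-traversal forced
        # Disable NPU acceleration for this tunnel only; this rules out the
        # np-offload bugs mentioned above at the cost of CPU throughput.
        set np-offload disable
        # Dead Peer Detection so a one-sided SA is torn down and renegotiated
        # instead of staying "up" on one peer and "down" on the other.
        set dpd on-idle
        set dpd-retryinterval 5
    next
end

# Verification after the change (the same commands the second answer lists):
diagnose vpn ike gateway list name to-siteB
diagnose vpn tunnel list name to-siteB

# Live IKE negotiation trace on the peer that only sees timeouts; filter to
# the remote address so unrelated tunnels on the same WAN stay out of the log.
diagnose vpn ike log-filter dst-addr4 203.0.113.2
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the SA request from the other side, then:
diagnose debug disable
diagnose debug reset
```

Compare the `diagnose vpn ike gateway list` output on both peers: the useful signal here is whether both sides report the same IKE SA (same SPIs) or whether only one side believes the SA exists, which matches the symptom described in the first post.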
NAT-T and DPD are already enabled.
I even see Side A sending NAT keepalives to side B and also DPD Packets but on those I see no response from Side B.
I did diag vpn ike gateway clear name <tunnel> on the tunnel and
diag vpn ike restart
both on both sides with no change.
As I said, there are various other IPsec tunnels to other sides that use the same WAN on Side A as well as on Side B, and those all work fine. So I wouldn't blame the ISP.
As I said I don't think it is the isp since there are other tunnels on that same isp on both sides and those work. If the ISP would drop packets that would affect all tunnels on that wan.
I will have a look at the other options you mentioned.
OK, I set nat-t to force and np-offload to disable on both sides.
Result is still the same.
I btw also opened a Ticket with TAC.
TAC ticket has escalated one up ;)
> sw2090 wrote: TAC ticket has escalated one up ;)

We'll see...
Were you able to fix the issue?
His case has applied, and has worked smoothly.
My Blog Workhard https://www.andon.vn