IPSec tunnels keep dropping - won't come back

scarroll · ‎02-19-2020

Hi all,

We are having a problem with one of our Fortigate 80E firewalls and the IPSec tunnels we have set up to our other locations and for the life of me I can't figure out what is happening. It started when we deployed a new office and rolled out a pair of 80E firewalls. We use IPSec tunnels (not in Interface Mode) to create connections between all of our offices. This has worked for years. However, at this new site we started to notice that some of the tunnels would drop randomly. The issue is that the only way to reconnect them is to delete the tunnel and re-create it. I've tried to re-do the shared key and delete and re-create the phase 2 connector, but only a full recreation of the tunnel will allow it to connect again.

I thought at first it was the firewall, so we replaced them with a brand new pair... but the same thing is happening. It is only happening at this one site and as soon as I recreate it the connection is re-established, so it does not appear to be a connectivity issue with the provider.

I am at a loss... has anyone seen anything similar before?

tioeudes · ‎02-19-2020

Hello,

Maybe the issue is related to the ISP and the DPD packets. Since the issue is related to that one branch and a device replacement didn't helped, i would investigate external problems.

If you can, share the VPN event logs for those tunnels and the output of:

diag debug application ike -1

diag debug enable

regards,

tioeudes

Toshi_Esumi · ‎02-19-2020

At your stage of troubleshooting, I wouldn't rule out anything yet. If it happens quite often, which is easier to troubleshoot, I would run continuous pinging outside of the tunnel at the same time run IKE debugging a little before it's about to drop. IKE debug can run for 30 min. You need to re-set it every 30 min.

IPSec tunnels keep dropping - won't come back

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website