Hi All
I think I found a possible bug on FortiGate V7.0.13 (100F in HA).
After upgrading our 60F 7.0.12 to 7.0.13, the IPSec tunnel in Dialup mode to the main site running 100F HA Version 7.0.12 went down.
Thinking that there is some sort of mismatch I upgraded the 100Fs to version 7.0.13.
This did not fix the issue. I started troubleshooting looking at the secrets and DPD and IKE.
From the logs, the tunnel passes phase 1 and connects on phase 2 and stays up for a few seconds, but before any traffic gets passed it simply drops the connection (nothing in the logs other than the connection getting removed) and starts the process all over.
It then gets stuck in this loop.
I then tried with a different site still on 60F 7.0.12 and it's doing the same thing.
The IPSec site to site on static IPs works fine.
Recreated the IPSec site to site dialup connections and experienced the same issue.
Downgraded the 60F from 7.0.13 back to 7.0.12 and still had the same issue.
Downgraded the 100F HA from version 7.0.13 to 7.0.12 and all the IPSec Dial up tunnels came online and stayed online.
I then upgraded a 60F from 7.0.12 to 7.0.13 and no issue so it seems that this is specific to the 100F being on 7.0.13.
Note that the 100F is the one that accepts the dialup from the 60F clients with non-static IPs.
I also tried different modes and DH groups, all those settings, but nothing worked until the 100F was back on version 7.0.12.
I have searched the forums but could not find anything like it.
Anyone seen this with 7.0.13 or before?
Kind regards
Hi @Elmo,
What FortiClient version are you using? Do the FortiGate 100F and 60F have the same IPsec configurations? We need IKE debugs and FortiClient logs to see why it is not working:
For IKE debug: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...
FortiClient debug logs: https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-enable-debug-log-in-FortiClient/t...
Regards,
Hello Elmo,
I came across this issue in several tickets after upgrading to 7.0.13 and 7.2.6. All cases include FGTs that have 2 or more dialup vpn configurations with overlapping phase2 subnets and add-route enabled.
I wrote the below KB a couple of days ago for these cases:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dialup-IPSEC-issues-after-upgrading-7-2-6-...
Hope this helps.
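An added check, not from the thread or from Fortinet, to spot the condition this reply describes before an upgrade: it parses a FortiOS-style config dump and lists pairs of dialup (dynamic) phase1s that have add-route enabled and overlapping phase2 remote selectors. The config layout, the use of `dst-subnet` as the selector that matters, and the sample addresses are assumptions.

```python
import ipaddress
# Constructed FortiOS-style snippet (assumed layout; not a config from the thread).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "dialup-a"
        set type dynamic
        set add-route enable
    next
    edit "dialup-b"
        set type dynamic
        set add-route enable
    next
end
config vpn ipsec phase2-interface
    edit "dialup-a-p2"
        set phase1name "dialup-a"
        set dst-subnet 10.10.0.0 255.255.0.0
    next
    edit "dialup-b-p2"
        set phase1name "dialup-b"
        set dst-subnet 10.10.5.0 255.255.255.0
    next
end
"""
def parse(text):
    """Minimal FortiOS CLI parser: {section: {entry: {key: value}}}."""
    out, sec, cur = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("config "):
            sec = s[7:]
        elif s.startswith("edit "):
            cur = out.setdefault(sec, {}).setdefault(s[5:].strip('"'), {})
        elif s.startswith("set ") and cur is not None:
            k, _, v = s[4:].partition(" ")
            cur[k] = v.strip('"')
        elif s in ("next", "end"):
            cur = None
    return out
def find_overlaps(text):
    """Pairs of dynamic (dialup) phase1s with add-route on whose dst-subnets overlap."""
    cfg = parse(text)
    risky = {n for n, s in cfg.get("vpn ipsec phase1-interface", {}).items()
             if s.get("type") == "dynamic" and s.get("add-route") == "enable"}
    # "addr mask" becomes "addr/mask", which ipaddress accepts as a netmask form.
    nets = [(s["phase1name"], ipaddress.ip_network(s["dst-subnet"].replace(" ", "/"), strict=False))
            for s in cfg.get("vpn ipsec phase2-interface", {}).values()
            if s.get("phase1name") in risky and "dst-subnet" in s]
    return sorted({tuple(sorted((a, b))) for i, (a, na) in enumerate(nets)
                   for b, nb in nets[i + 1:] if a != b and na.overlaps(nb)})
```

Running `find_overlaps` on the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` concatenated gives the pairs to review; an empty list means the described condition is not present.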