Hi guys,
I have a strange problem with an IPsec tunnel between two FortiGates. Maybe someone could help me out :)
I have IPsec running between two locations, A and B. All of the settings like encryption, key life etc. are the same on both sides.
What happens is that after a while no traffic is possible from A to B and from B to A.
When I look into the FortiGates the tunnel is up on both sides while no traffic can be sent. It's like the tunnel is not up but the FortiGate shows something different.... Anyway, to get everything working again the only thing that I have to do is uncheck Auto-negotiate in P2, click OK, then check Auto-negotiate again, click OK, and everything is working fine again for a while..
Anyone any idea? It's driving me nuts!
Two things come to mind:
1> Is DPD being used? If not, enable it.
2> Set the phase2 keepalive on each phase-2 setting
e.g.
config vpn ipsec phase2-interface
edit <ph2-name>
set keepalive enable
next
end
Ken Felix
PCNSE
NSE
StrongSwan
Hi Ken,
Both DPD and keep alive are enabled on both ends.
Did you check from the cli? That gui screenshot does not show anything related to the question. Go into the cli and issue
show vpn ipsec phase2-interface | grep -f keepalive
Anything showing up as "disable", toggle it to "enable".
For dpd look at "diag vpn ike gateway" and the dpd counters, if any, for the named ike gateway. Also check via cli
show vpn ipsec phase1-interface | grep -f dpd
Ken Felix
PCNSE
NSE
StrongSwan
Hi Ken,
This is the output that I'm getting:
I did it at both ends... Site A
show vpn ipsec phase2-interface | grep -f keepalive
Doesn't show me the phase 2 interface... Shows nothing! Keepalive is checked in the gui.
diag vpn ike gateway shows as output:
DPD sent/recv: 00028b6d/00000000
show vpn ipsec phase1-interface | grep -f dpd
set dpd on-idle <---
set dpd-retrycount 10 <---
set dpd-retryinterval 60 <---
The same at site B
show vpn ipsec phase2-interface | grep -f keepalive
Doesn't show me the phase 2 interface... Keepalive is checked in the gui.
diag vpn ike gateway shows as output:
DPD sent/recv: 0000094f/00000000
set dpd on-idle <---
set dpd-retrycount 10 <---
set dpd-retryinterval 60 <---
Two things that are weird...
While keep alive is enabled in the gui under P2, it is not showing up with show vpn ipsec phase2-interface | grep -f keepalive
Also received DPD packets at both ends are 00000000. They are sending but not receiving.
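As an added example (not from this thread or from Fortinet), a POSIX shell snippet that applies the "diag vpn ike gateway" DPD counter check from the reply above to captured output and flags gateways that send DPD probes but never see a reply, the pattern in the counters posted above. The sample output is constructed and the gateway names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: parse the "DPD sent/recv: <sent>/<recv>"
# line of captured "diag vpn ike gateway" output (FortiOS prints both counters
# as 8-digit hex) and report gateways whose probes go out but are never answered.

# Constructed sample output; gateway names are placeholders. The first block
# mirrors the counters posted for site A, the second is a healthy reference.
SAMPLE_IKE='vd: root/0
name: siteA-to-siteB
version: 1
  DPD sent/recv: 00028b6d/00000000
vd: root/0
name: healthy-peer
version: 1
  DPD sent/recv: 00000010/0000000f'

# dpd_one_way: reads "diag vpn ike gateway" output on stdin and prints one line
# per gateway whose DPD sent counter is non-zero while recv is still zero.
dpd_one_way() {
  awk '
    /^[[:space:]]*name:/           { name = $2 }
    /^[[:space:]]*DPD sent\/recv:/ { split($3, c, "/"); print name, c[1], c[2] }
  ' | while read -r name sent recv; do
    s=$((0x$sent)); r=$((0x$recv))      # hex counters -> decimal
    if [ "$s" -gt 0 ] && [ "$r" -eq 0 ]; then
      printf '%s: DPD sent=%d recv=%d (probes unanswered)\n' "$name" "$s" "$r"
    fi
  done
}

printf '%s\n' "$SAMPLE_IKE" | dpd_one_way
```

A sent counter that keeps growing while recv stays at zero on both ends, as in the output above, means neither unit is seeing the other's DPD replies, so the liveness check cannot tear down and renegotiate the stale tunnel.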
I think it's not available as a command because it's enabled by default when auto-negotiate is enabled in P2.
When I disable auto-negotiate I can set the keep alive separately... So what is wise... Disable auto-negotiate and set keep alive separately, or keep them both enabled?
Copyright 2024 Fortinet, Inc. All Rights Reserved.