Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Joseph-M
New Contributor III

Created on ‎06-25-2023 11:37 PM

IPsec Tunnels not working after firmware upgrade

After upgrading our FortiGate to v7.4.0 from 6.4.7 (with optional upgrade path 6.4.9 then 6.4.11 ...)

 

All our IPSEC tunnels are down and phase1 and phase2 are down. At the same time all other config seems to be in place...

 

We found out that as soon as we choose local gateway "Specify" (our secondary WAN IP) not "Primary IP" the tunnel is down and no communication is happening between our and client FW (all WAN IPs are from one ISPs GW). We can ping clients IP.

 

Proposals and configuration of P1 and P2 are correct, as I mentioned as soon both sides chooses gateway (our primary IP) tunnel works. Policies are in place, traffic is accesable from both sides when tunnel is up. Routes created.

 

As I understand there is some misconfiguration or missing setting within FortiGate after upgrade. IPsec tunnel does not work if I choose other WAN as gateway address which means the NAT configuration or something. But at the same time all other resources that are being hosted behind our FW and routed with policies are working. 

 

What could be the possible issues where to look. I tried to find similar issues on forums but no success. Would appreciate any ideas and help.

Labels:
3024
0 Kudos
1 Solution
Joseph-M
New Contributor III

Created on ‎06-26-2023 03:22 AM

Ticket were created for FortiSupport.

View solution in original post

2957
0 Kudos
6 REPLIES 6
knagaraju
Staff
Staff

Created on ‎06-26-2023 02:12 AM

Hello Joseph,
May I know if you have followed the upgrade path while upgrading the firmware?
May I know if it is IPsec site-to-site VPN or IPsec dial-up vpn?
May I know the FortiGate hardware model?

Regards
Nagaraju

2999
0 Kudos
Joseph-M
New Contributor III
In response to knagaraju

Created on ‎06-26-2023 02:16 AM

Hello knagaraju

 

We are using FortiGate 60F
As I mentioned in original post. Yes, I did follow the optimal upgrade path for firmware. 

6.4.7 - 6.4.9 - 6.4.11 - 6.13 ........

 

IPsec site-to-site

2995
0 Kudos
knagaraju
Staff
Staff

Created on ‎06-26-2023 02:25 AM

Hello Joseph.
Thank you for your response.
Please capture the below debugs logs 

# diagnose vpn ike log-filter dst-addr4 x.x.x.x 
# diagnose debug application ike -1
# diagnose debug enable

Where x.x.x.x is the peer-end public IP.

After the above commands in fortigate cli please try to bring up the tunnel from ipsec monitor.

Regards
Nagaraju.

2989
0 Kudos
Joseph-M
New Contributor III
In response to knagaraju

Created on ‎06-26-2023 02:27 AM

Just to be clear.

Our goal was to respond CVE-2023-27997
There for we upgraded our firmware to latest v6 build. But as we found out that tunnels are down and we are unable to bring them up. Decision was made to try upgrade to latest version hopefully issue would be fixed. That did not happen.

Output of CLI:

JosephM_0-1687771596745.png

 

2985
0 Kudos
knagaraju
Staff
Staff

Created on ‎06-26-2023 02:29 AM

I understand your concern, Joseph.
This issue needs a remote session to check and troubleshoot. Hence I request you to raise a TAC ticket with us.

2979
0 Kudos
Joseph-M
New Contributor III

Created on ‎06-26-2023 03:22 AM

Ticket were created for FortiSupport.

2958
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.