After upgrading our FortiGate to v7.4.0 from 6.4.7 (with optional upgrade path 6.4.9 then 6.4.11 ...)
All our IPSEC tunnels are down and phase1 and phase2 are down. At the same time all other config seems to be in place...
We found out that as soon as we choose local gateway "Specify" (our secondary WAN IP) not "Primary IP" the tunnel is down and no communication is happening between our and client FW (all WAN IPs are from one ISPs GW). We can ping clients IP.
Proposals and configuration of P1 and P2 are correct, as I mentioned as soon both sides chooses gateway (our primary IP) tunnel works. Policies are in place, traffic is accesable from both sides when tunnel is up. Routes created.
As I understand there is some misconfiguration or missing setting within FortiGate after upgrade. IPsec tunnel does not work if I choose other WAN as gateway address which means the NAT configuration or something. But at the same time all other resources that are being hosted behind our FW and routed with policies are working.
What could be the possible issues where to look. I tried to find similar issues on forums but no success. Would appreciate any ideas and help.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Ticket were created for FortiSupport.
Hello Joseph,
May I know if you have followed the upgrade path while upgrading the firmware?
May I know if it is IPsec site-to-site VPN or IPsec dial-up vpn?
May I know the FortiGate hardware model?
Regards
Nagaraju
Hello knagaraju
We are using FortiGate 60F
As I mentioned in original post. Yes, I did follow the optimal upgrade path for firmware.
6.4.7 - 6.4.9 - 6.4.11 - 6.13 ........
IPsec site-to-site
Hello Joseph.
Thank you for your response.
Please capture the below debugs logs
# diagnose vpn ike log-filter dst-addr4 x.x.x.x
# diagnose debug application ike -1
# diagnose debug enable
Where x.x.x.x is the peer-end public IP.
After the above commands in fortigate cli please try to bring up the tunnel from ipsec monitor.
Regards
Nagaraju.
Just to be clear.
Our goal was to respond CVE-2023-27997
There for we upgraded our firmware to latest v6 build. But as we found out that tunnels are down and we are unable to bring them up. Decision was made to try upgrade to latest version hopefully issue would be fixed. That did not happen.
Output of CLI:
I understand your concern, Joseph.
This issue needs a remote session to check and troubleshoot. Hence I request you to raise a TAC ticket with us.
Ticket were created for FortiSupport.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.