Support Forum
Not applicable

IPsec VPN disconnection

Hello, I have an IPsec VPN between two Fortigate 50B. The VPN has worked for about ten days. Suddenly the VPN went down, and there is no way to bring it up again. I'm forced to recreate the tunnel from the beginning. In the log I found this entry: "Link monitor: interface vpn was turned down". Do you know anything about this issue? Thanks
rwpatterson
Valued Contributor III

Is one of the end points a dynamic DNS entry? If so the IP address may have changed, and the far end wasn't aware of this change. The only way I know to fix that (as it occurs) is to change the address on the static end, then reassign the same DYNDNS name. The FGT will refresh the DNS entry and the tunnel should wake up once again. Newer versions of code take care of this relatively seamlessly. Hope that helped.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
SuperUser

My first thought was "no dead gateway detection". Here over in Tika-Tuka-Land Germany we build a lot of DynDNS VPNs. And to make things more interesting, the ISPs lease out public IPs for 24 hours only. So your tunnel will break once in 24 hours 100% of the time. Without hello packets/ping targets on the originating side you couldn't run VPNs here. @Francesco: maybe you could get the "VPN Guide" from docs.fortinet.com for your FortiOS version and have a look at the phase1 parameters, especially DPD and NAT keepalive.
Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

24 hours? Yuck! We get about 30 days per lease here on Long Island...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ede_pfau
SuperUser

Everything is bigger and better in the States... My remark is true for ADSL dial-up internet access only - which is the most common line type here. It's meant to prohibit running servers on DSL lines. If you want to you can get 'business grade' SDSL lines with fixed public IPs. Price will be ~10x compared to ADSL.
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Thanks for your answers. It's not a DynDNS problem, both IP addresses are static. When the link goes down, the only way to reconnect is to reconfigure the VPN. I'm using a route-based VPN.
rwpatterson
Valued Contributor III

What firmware versions are on the units?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com


ORIGINAL: rwpatterson What firmware versions are on the units?
FG1: 4.0 build0192,091222 MR1 Patch 2
FG2: v4.0.3,build0106,090616
Now I got this error:
date=2010-10-15 time=18:30:00 devname=FGT50B3G10604703 device_id=FGT50B3G10604703 log_id=0101037136 type=event subtype=ipsec pri=error fwver=040002 vd="root" msg="IPsec DPD failure" action="dpd" rem_ip=xxx.xxx.xxx.xxx loc_ip=192.168.1.2 rem_port=54452 loc_port=4500 out_intf="wan1" cookies="764d8cb6892b2f56/78759777a1a42235" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="phase1" status=dpd_failure
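As an added example that is not part of the thread, here is a small parser for the FortiGate key=value event format quoted above, used to flag tunnels whose DPD probes fail repeatedly inside a short window (a single failure may be a lost packet; a burst means the peer is not answering). The sample log lines, device name, peer IPs, threshold and window are all constructed.

```python
"""Flag IPsec tunnels that repeatedly log dpd_failure in FortiGate event logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiGate event logs are space-separated key=value pairs; values with spaces are double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines, laid out like the dpd_failure event in the thread (values made up).
SAMPLE_LOG = [
    'date=2010-10-15 time=18:30:00 devname=FGT-EXAMPLE type=event subtype=ipsec '
    'pri=error vd="root" msg="IPsec DPD failure" action="dpd" rem_ip=203.0.113.10 '
    'loc_ip=192.168.1.2 vpn_tunnel="phase1" status=dpd_failure',
    'date=2010-10-15 time=18:34:12 devname=FGT-EXAMPLE type=event subtype=ipsec '
    'pri=error vd="root" msg="IPsec DPD failure" action="dpd" rem_ip=203.0.113.10 '
    'loc_ip=192.168.1.2 vpn_tunnel="phase1" status=dpd_failure',
    'date=2010-10-15 time=18:39:40 devname=FGT-EXAMPLE type=event subtype=ipsec '
    'pri=error vd="root" msg="IPsec DPD failure" action="dpd" rem_ip=203.0.113.10 '
    'loc_ip=192.168.1.2 vpn_tunnel="phase1" status=dpd_failure',
    'date=2010-10-15 time=18:40:00 devname=FGT-EXAMPLE type=event subtype=ipsec '
    'pri=error vd="root" msg="IPsec DPD failure" action="dpd" rem_ip=198.51.100.7 '
    'loc_ip=192.168.1.2 vpn_tunnel="branch2" status=dpd_failure',
]


def parse_event(line):
    """Map one log line to {field: value}, stripping quotes from quoted values."""
    return {m[1]: m[3] if m[2] is None else m[2] for m in _KV.finditer(line)}


def dpd_failures(lines):
    """Yield (timestamp, tunnel, remote peer) for each IPsec dpd_failure event."""
    for line in lines:
        ev = parse_event(line)
        if ev.get("subtype") == "ipsec" and ev.get("status") == "dpd_failure":
            ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, ev.get("vpn_tunnel", "?"), ev.get("rem_ip", "?")


def flapping_tunnels(lines, threshold=3, window=timedelta(minutes=15)):
    """Return {(tunnel, peer): total failures} for tunnels with at least
    `threshold` DPD failures inside one `window` (sliding over each start time)."""
    stamps = defaultdict(list)
    for ts, tunnel, peer in dpd_failures(lines):
        stamps[(tunnel, peer)].append(ts)
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged[key] = len(times)
                break
    return flagged
```

Running it on the sample flags only the phase1 tunnel, whose three failures fall within ten minutes; the lone branch2 event stays below the threshold.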
rocampo
New Contributor

Try to disable "Dead peer detection" in Phase 1 on both Fortigates.
ede_pfau
SuperUser

3 ideas:
1. As I see it the tunnel is dropped (for whatever reason - maybe there is noise on the line and 1 packet is lost -> tunnel re-negotiation) AND the other side is not aware of it. If the remote end still has "tunnel up" it will refuse to negotiate a new SA. The feature to assure that the tunnel is dropped on both ends is DPD. It will send hello packets (pings) over the tunnel, and will tear down the SA if they are not answered (in debug: 'R-U-there'). Make sure that DPD is active on both ends.
2. There is another option called 'NAT keepalive' which will keep the session alive in the NAT table IF the tunnel crosses one or more NAT devices - which is not always the case. I've never had to tweak this setting yet. It will only come into play if there is no payload traffic at all over the tunnel for a couple of minutes.
3. From the CLI, there is one other option called "auto-negotiate". It is used to bring the tunnel up at all times even if there is no traffic. Normally, the first packet(s) will trigger the SA nego and tunnel buildup. With this parameter enabled, the Fortigate will establish the tunnel immediately. (Rarely used IMHO.)
Anyway, have a good reading in the IPSec VPN Guide. The documentation has vastly improved over the years and the Guide has many common examples and explains the parameters in detail. If you follow the text closely you will even find all the mismatches/errors between text and diagrams (when I do I send a mail to docs@fortinet.com and they'll correct it pretty soon).
Ede Kernel panic: Aiee, killing interrupt handler!