Support Forum
Not applicable

IPsec VPN disconnection

Hello, I have an IPsec VPN between two FortiGate 50B. The VPN has worked for about ten days. Suddenly the VPN went down, and there is no way to bring it up again. I'm forced to recreate the tunnel from the beginning. In the log I found this entry: "Link monitor: interface vpn was turned down". Do you know anything about this issue? Thanks
claumakurumure
New Contributor III

Hi there, I was looking for point number 3.
hezvo uko
Carl_Wallmark
Valued Contributor

config vpn ipsec phase2-interface
    edit <phase2>
        set auto enable
    end

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Not applicable

I solved it by using the rocampo solution: disabling "Dead peer detection" in Phase 1 on both FortiGates. Thanks, Francesco
ede_pfau
SuperUser

That's not a solution but a work-around (as a dear fellow poster pointed out here some time ago).

DPD works like this: some sort of 'ping packets' are sent out over the tunnel and are answered by the remote FG. As soon as multiple pings are not answered, the sending FG knows that the tunnel is down. And the remote FG knows (from not receiving requests) that the tunnel is down as well. DPD then discards the SAs involved and tears the tunnel down. From this 'virgin' situation the tunnel can be re-negotiated immediately, either automatically or when receiving the first data packet(s).

Now you have noticed that disabling DPD keeps the tunnel up. I conclude from this that the DPD 'pings' ('R-U-there' packets) either don't come through or some are lost during the transmission. Plus some failure to invoke the automatic tear-down and re-negotiation of the tunnel. And this failure has a reason which still is unknown. It could be that apparently DPD is configured on both sides BUT one side didn't 'take' it, that is, DPD is not active on one side. Then the whole DPD mechanism will fail.

Without DPD I cannot imagine that tunnel re-negotiation will be quicker or smoother than with DPD. What do you observe when the tunnel is down now?
Ede Kernel panic: Aiee, killing interrupt handler!
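To make the DPD behaviour discussed above concrete, here is a small toy model of the R-U-THERE / R-U-THERE-ACK exchange (RFC 3706) with a retry counter. It is an added illustration, not FortiOS code or anything from this thread; the peer names, the retry count of 3 and the outage lengths are constructed. It contrasts a short loss of probes, a longer outage with DPD active on both ends (both sides discard their SAs and can renegotiate cleanly), and the asymmetric case ede describes, where DPD is active on only one side and the other keeps a stale SA.

```python
from dataclasses import dataclass


@dataclass
class Peer:
    """One IKE peer in a toy DPD model (constructed, not a FortiOS implementation).
    A peer with DPD sends R-U-THERE probes and expects R-U-THERE-ACK; after
    `retry_count` unanswered probes it discards its SAs so the tunnel can be
    renegotiated from a clean state."""
    name: str
    dpd_enabled: bool
    retry_count: int = 3
    sa_up: bool = True
    unanswered: int = 0

    def send_probe(self, link_up: bool, other: "Peer") -> bool:
        """Send one R-U-THERE. Returns True if an R-U-THERE-ACK came back."""
        if not (self.dpd_enabled and self.sa_up):
            return False          # nothing to probe with, or DPD not active here
        # An ACK only arrives if the probe got through and the far side still
        # holds the SA needed to authenticate the reply.
        if link_up and other.sa_up:
            self.unanswered = 0
            return True
        self.unanswered += 1
        if self.unanswered >= self.retry_count:
            self.sa_up = False    # peer declared dead: SAs discarded, tunnel torn down
        return False


def simulate(a: Peer, b: Peer, link_down_cycles: int, total_cycles: int = 8):
    """Run DPD cycles; the link drops probes for the first `link_down_cycles`.
    Returns (a.sa_up, b.sa_up) after the run."""
    for cycle in range(total_cycles):
        link_up = cycle >= link_down_cycles
        a.send_probe(link_up, b)
        b.send_probe(link_up, a)
    return a.sa_up, b.sa_up


def brief_loss():
    """Constructed: DPD on both ends, fewer probes lost than the retry count."""
    return simulate(Peer("FG-A", True), Peer("FG-B", True), link_down_cycles=2)


def symmetric_outage():
    """Constructed: DPD on both ends, outage long enough to exhaust retries."""
    return simulate(Peer("FG-A", True), Peer("FG-B", True), link_down_cycles=3)


def asymmetric_dpd():
    """Constructed: DPD only 'took' on FG-A; FG-B never probes and keeps a stale SA."""
    return simulate(Peer("FG-A", True), Peer("FG-B", False), link_down_cycles=3)
```

In the asymmetric run FG-A ends up with no SA while FG-B still believes the tunnel is up, which is the stuck state a mismatched DPD setting produces; the fix is to verify DPD is actually active on both gateways rather than to switch it off.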