IPsec site to site

nwd · ‎04-12-2023

IPsec site to site phase 1 & 2 up but daily no traffic passing until disable and enable the tunnel

nwd · ‎04-12-2023

The traffic flows fine between the two sites, until next morning, it stops and when i ping from one side to another i get timeout until i disable the tunnel and enable it back

srajeswaran · ‎04-12-2023

Do you have the auto-negotiate option enabled? Also, can you try increasing the idletime to more than a day and check?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Set-the-FortiGate-unit-to-bring-up-IPSec-V...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

nwd · ‎04-13-2023

i have tried it, but same issue

the fortinet support suggested that I make it disable, but same issue.

srajeswaran · ‎04-13-2023

Can you confirm the life times are same on both sides? can you check the SPI values on both gateways during the time of issue? May be they are not matching for some reasson ?

"diagnose vpn tunnel list name <Name of IPsec Tunnel>:" can get us the SPI values

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

nwd · ‎04-13-2023

HQ:

diagnose vpn tunnel list name R-HQ-R
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=R-HQ-R ver=1 serial=6 102.68.131.50:0->102.68.134.34:0 dst_mtu=1500
bound_if=48 lgwy=dyn/0 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=34 ilast=0 olast=0 ad=/0
stat: rxp=43566 txp=66552 rxb=10510559 txb=17090303
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=2365
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=R-HQ-R proto=0 sa=1 ref=60 serial=4 auto-negotiate
src: 0:192.168.100.0/255.255.255.0:0 0:192.168.110.0/255.255.255.0:0 0:192.168.10.0/255.255.255.0:0
dst: 0:192.168.103.0/255.255.255.0:0 0:172.16.35.0/255.255.255.0:0
SA: ref=3 options=18207 type=00 soft=0 mtu=1438 expire=38458/0B replaywin=2048
seqno=103f9 esn=0 replaywin_lastseq=0000aba2 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42928/43200
dec: spi=4d065a58 esp=aes key=16 170b2e5753bdc40d5244e28cd89b08bb
ah=sha1 key=20 66ca4702778175d833dd1cf408724786f199b40a
enc: spi=66fba463 esp=aes key=16 a2b044b3010938f407f19b5db18b22f9
ah=sha1 key=20 7dca9163c9d17907331fa17fe68166fc00477f04
dec:pkts/bytes=87132/21021118, enc:pkts/bytes=132975/38390747
npu_flag=00 npu_rgwy=102.68.134.34 npu_lgwy=0.0.0.0 npu_selid=18 dec_npuid=0 enc_npuid=0
run_tally=1

Branch:

diagnose vpn tunnel list name R-103-R
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=R-103-R ver=1 serial=4 102.68.134.34:0->102.68.131.50:0 dst_mtu=1500
bound_if=9 lgwy=dyn/0 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=124 ilast=0 olast=0 ad=/0
stat: rxp=44902 txp=44552 rxb=11111938 txb=10804273
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=809
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=R-103-R proto=0 sa=1 ref=62 serial=4 auto-negotiate
src: 0:192.168.103.0/255.255.255.0:0 0:172.16.35.0/255.255.255.0:0
dst: 0:192.168.100.0/255.255.255.0:0 0:192.168.110.0/255.255.255.0:0 0:192.168.10.0/255.255.255.0:0
SA: ref=3 options=18207 type=00 soft=0 mtu=1438 expire=38387/0B replaywin=2048
seqno=ae09 esn=0 replaywin_lastseq=00010786 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=66fba463 esp=aes key=16 a2b044b3010938f407f19b5db18b22f9
ah=sha1 key=20 7dca9163c9d17907331fa17fe68166fc00477f04
enc: spi=4d065a58 esp=aes key=16 170b2e5753bdc40d5244e28cd89b08bb
ah=sha1 key=20 66ca4702778175d833dd1cf408724786f199b40a
dec:pkts/bytes=89804/22223876, enc:pkts/bytes=89077/24412084
npu_flag=00 npu_rgwy=102.68.131.50 npu_lgwy=102.68.134.34 npu_selid=10 dec_npuid=0 enc_npuid=0
run_tally=1

nwd · ‎04-13-2023

I have two tunnels from HQ to Branch, the HQ has two ISP and the Branch has one ISP.

so when the issue accure, I disable the frist tunnel and the traffic start to flow over the second one.

the IPsec tunnels has defferent administrative distances.

one more thing, when I disable the tunnel from the Branch it does not affect the traffic, but when I disable it from the HQ it flips to second tunnel and the traffic start to flow.

srajeswaran · ‎04-13-2023

Can you share the "get router info routing-table details x.x.x.x" from the HQ.
x.x.x.x is the subnet on branch.

Also, share the same from Branch towards HQ.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

nwd · ‎04-13-2023

HQ:

get router info routing-table details 192.168.103.0/24

Routing table for VRF=0
Routing entry for 192.168.103.0/24
Known via "static", distance 15, metric 0
10.10.20.2, via TO-103D-SKY distance 0

Routing entry for 192.168.103.0/24
Known via "static", distance 10, metric 0, best
* 10.10.10.2, via R-HQ-R distance 0

Routing entry for 192.168.103.0/24
Known via "static", distance 254, metric 0
directly connected, Null distance 0

Branch:

get router info routing-table details 192.168.100.0/24

Routing table for VRF=0
Routing entry for 192.168.100.0/24
Known via "static", distance 15, metric 0
10.10.20.1, via TO-HQ-SKY distance 0

Routing entry for 192.168.100.0/24
Known via "static", distance 10, metric 0, best
* 10.10.10.1, via R-103-R distance 0

Routing entry for 192.168.100.0/24
Known via "static", distance 254, metric 0
directly connected, Null distance 0

srajeswaran · ‎04-13-2023

Route config looks fine, but we don't know whats the route state when the problem is happening. Can you configure route monitoring as described in following article.

We can configure it on both branch and HQ for both routes.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Selective-route-removal-using-link-monitor...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.