Fabio
Contributor

IPsec VPN dial-up flapping after 7.2.6

Hello everybody,

I have a BIG problem, and it started when I decided to upgrade my 200F (NP6XLite CPU) to the new release 7.2.8.

My scenario is a FGT with multiple dynamic IPsec VPNs and several SSL VPN portals.

On the initial version 7.2.3 we had no stability or connection problems. After the update we noticed disconnections after a few minutes and constant instability. We were forced to downgrade to the more stable 7.2.5. Even version 7.2.8, whose release notes say the problem had been solved, did not solve it.

We also have several test FWs with an NP6 processor (300E, 3000D), and on those we have noticed the same problem.
On these we also installed the latest version 7.4.4, with the same result.

Below I show you the typical configuration of a VPN connection:

config vpn ipsec phase1-interface
  edit "VPN_XXX"
    set type dynamic
    set interface "VLAN_7"
    set mode aggressive
    set peertype one
    set net-device enable
    set mode-cfg enable
    set ipv4-dns-server1 10.12.0.5
    set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
    set comments "Vpn YYYYY XXXX"
    set wizard-type dialup-forticlient
    set xauthtype auto
    set authusrgrp "XXXXX_tec_VPN"
    set peerid "XXXXXXXX"
    set ipv4-start-ip 192.168.197.1
    set ipv4-end-ip 192.168.197.99
    set ipv4-netmask 255.255.255.0
    set ipv4-split-include "Lan_SPLIT"
    set domain "XXX.dom"
    set save-password enable
    set client-keep-alive enable
    set psksecret ENC g78ffaAsPKwd1SnS6MclIaecNAvvtHRX8/
  next
end

config vpn ipsec phase2-interface
  edit "VPN_XXX"
    set phase1name "VPN_XXX"
    set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    set comments "VPN: XXXXX"
  next
end

We opened a TAC case with Fortinet support a month ago, but they still haven't figured out the problem. I hope some of you can help me out.

Regards

Fabio

AEK
SuperUser

Hello Fabio

Did you try to disable NPU offload?

config vpn ipsec phase1-interface
  edit VPN_XXX
    set npu-offload disable
  next
end

AEK
Fabio

Hi AEK,

yes, already tried on a lab FGT 300E.

config vpn ipsec phase1-interface
  edit "VPN_LAB"
    set type dynamic
    set interface "VLAN_7"
    set mode aggressive
    set peertype one
    set net-device enable
    set mode-cfg enable
    set ipv4-dns-server1 10.12.0.5
    set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
    set comments "VPN: VPN_LAB (Created by VPN wizard)"
    set npu-offload disable
    set wizard-type dialup-forticlient
    set xauthtype auto
    set authusrgrp "VPN_User"
    set peerid "vpnXXXX"
    set ipv4-start-ip 192.168.198.5
    set ipv4-end-ip 192.168.198.10
    set ipv4-netmask 255.255.255.0
    set ipv4-split-include "VPN_LAB_split"
    set domain "rete.dom"
    set save-password enable
    set client-keep-alive enable
    set psksecret ENC WMlU24fSwys9/
  next
end

config vpn ipsec phase2-interface
  edit "VPN_LAB"
    set phase1name "VPN_LAB"
    set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    set replay disable
    set keepalive enable
    set route-overlap allow
    set comments "VPN: VPN_LAB (Created by VPN wizard)"
  next
end

Fabio
amrit
Staff

Hi Fabio,
How often does the flap happen? Is there any pattern, or is it intermittent?

The tunnel configuration you shared is a remote-access FCT tunnel; you can check the following things:

1. Is FortiClient causing the connection termination? Check the VPN event logs on the firewall.

2. Run continuous IKE logs and try to replicate the issue:

di vpn ike log-filter dst-addr4 <public ip address of the remote PC>
di de app ike -1
di de console timestamp en
di de en

To disable the debug output: di de dis

3. Take a pcap on the WAN interface for ports 500 and 4500 (disable NPU offload for this under phase1).

4. Check if there is any packet loss or DPD failure between the FortiGate and the remote users.

5. Check whether a rekey in phase 1 or phase 2 is causing this issue.

6. Check interface-level errors:

fnsysctl ifconfig <vpn phase1 name>

If errors are incrementing, try changing the MTU:

config system interface
  edit <vpn phase1 name>
    set mtu-override enable
    set mtu 1350
  next
end

Amritpal Singh
Fabio

Hi Amrit,

After the update to 7.2.8 we noticed disconnections after a few minutes, always with FortiClient for Windows and Mac, but not with the iPhone embedded VPN client. I repeat: in 7.2.3, and now in 7.2.5, with the same configuration we have NO PROBLEMS.

ALL MY TESTS are on the 300E, which is a FGT in the LAB, because my 200F is working and on the stable release 7.2.5.

The disconnection definitely comes from the client, because many times on the FGT the connection stays up and keeps sending IKE (R-U-THERE) messages even though the client has already gone down, as you can see from these logs:

2024-07-07 10:18:56.433170 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE-ACK): XXX.YYY.208.56:4500->37.182.91.4:57353, len=108, vrf=0, id=e3f027d315cdc2e9/b1237ee594a12a57:9737b84b
2024-07-07 10:19:45.880034 ike 0:VPN_LAB_0: link is idle 53 XXX.YYY.208.56->37.182.91.4:57353 dpd=2 seqno=1 rr=0
2024-07-07 10:19:45.880056 ike 0:VPN_LAB_0:14: send IKEv1 DPD probe, seqno 1
2024-07-07 10:19:45.880124 ike 0:VPN_LAB_0:14: enc E3F027D315CDC2E9B1237EE594A12A5708100501F227E4E7000000600B000024AE0BB43CFC42C486EF61F00577A2BAED67E4675974FE527BB4B6045A6A8D4E4B000000200000000101108D28E3F027D315CDC2E9B1237EE594A12A5700000001
2024-07-07 10:19:45.880140 ike 0:VPN_LAB_0:14: out E3F027D315CDC2E9B1237EE594A12A5708100501F227E4E70000006C23EECE5926346D97C7795BB386AB72941FAFDC1351E0B53400A85E6F68A3D173DC81DCA3D5098D5D10E773C5C7890D4946FB24660ADA5D909442D85F265C3252A1FC12CE18AC59CBE8414A272DA47C58
2024-07-07 10:19:45.880160 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE): XXX.YYY.208.56:4500->37.182.91.4:57353, len=108, vrf=0, id=e3f027d315cdc2e9/b1237ee594a12a57:f227e4e7
2024-07-07 10:20:05.920030 ike 0:VPN_LAB_0: link is idle 53 XXX.YYY.208.56->37.182.91.4:57353 dpd=2 seqno=1 rr=0
2024-07-07 10:20:05.920051 ike 0:VPN_LAB_0:14: send IKEv1 DPD probe, seqno 1
2024-07-07 10:20:05.920117 ike 0:VPN_LAB_0:14: enc E3F027D315CDC2E9B1237EE594A12A57081005019E1C875C000000600B000024885E04CFACBFF5A116494FE9388240B342204CA429634745223F49FAF2168C2F000000200000000101108D28E3F027D315CDC2E9B1237EE594A12A5700000001
2024-07-07 10:20:05.920133 ike 0:VPN_LAB_0:14: out E3F027D315CDC2E9B1237EE594A12A57081005019E1C875C0000006CB9A7E8E4A259D67BA6763A023EF181EDB478F8CF570190FADA260D676162CDAE0C5ED38675AE81744FEC4A32A219AEFA9D5F1E920216A0DB4CEE5D2DF8C8F849CE4E881BD02F0FF10EADCFBB64D9A8FE
2024-07-07 10:20:05.920158 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE): XXX.YYY.208.56:4500->37.182.91.4:57353, len=108, vrf=0, id=e3f027d315cdc2e9/b1237ee594a12a57:9e1c875c
2024-07-07 10:20:25.960032 ike 0:VPN_LAB_0: link is idle 53 XXX.YYY.208.56->37.182.91.4:57353 dpd=2 seqno=1 rr=0
2024-07-07 10:20:25.960053 ike 0:VPN_LAB_0:14: send IKEv1 DPD probe, seqno 1
2024-07-07 10:20:25.960119 ike 0:VPN_LAB_0:14: enc E3F027D315CDC2E9B1237EE594A12A570810050171CEC089000000600B00002406B3516159CDA3C5CCCADDE4DCE1BA503DFFE7FC77EB0294218419D296C4A6A3000000200000000101108D28E3F027D315CDC2E9B1237EE594A12A5700000001
2024-07-07 10:20:25.960135 ike 0:VPN_LAB_0:14: out E3F027D315CDC2E9B1237EE594A12A570810050171CEC0890000006CB358C345DC46718DD1485BF997E5B05A78081FB802821BF620F98616E2587ABB6C7A47B443949E8DFD94448788AB7FA0035D28ED43F2F764251A03D89063B18034EDB8F49E7B3AF15029D6BF8E7DB358
2024-07-07 10:20:25.960156 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE): XXX.YYY.208.56:4500->37.182.91.4:57353, len=108, vrf=0, id=e3f027d315cdc2e9/b1237ee594a12a57:71cec089
2024-07-07 10:20:46.000040 ike 0:VPN_LAB_0: link fail 53 XXX.YYY.208.56->37.182.91.4:57353 dpd=2
2024-07-07 10:20:46.000062 ike 0:VPN_LAB_0: link down 53 XXX.YYY.208.56->37.182.91.4:57353
2024-07-07 10:20:46.000111 ike 0:VPN_LAB_0: deleting
2024-07-07 10:20:46.000154 ike 0:VPN_LAB_0: sent tunnel-down message to EMS: (fct-uid=FB216EF5E0ED563B9AA73056215ACAE9, intf=VPN_LAB_0, addr=192.168.198.5, vdom=root)
2024-07-07 10:20:46.000161 ike 0:VPN_LAB_0: flushing
2024-07-07 10:20:46.000195 ike 0:VPN_LAB_0: deleting IPsec SA with SPI 0f1d017b
2024-07-07 10:20:46.000208 ike 0:VPN_LAB_0:VPN_LAB: deleted IPsec SA with SPI 0f1d017b, SA count: 0

The fnsysctl ifconfig VPN_LAB command doesn't seem to give me any information, as if it doesn't measure the VPN connection:

FortiGate-300E (root) # fnsysctl ifconfig VPN_LAB
VPN_LAB Link encap:Unknown
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0 Bytes) TX bytes:0 (0 Bytes)

Anyway, I tried changing the MTU but to no avail.

config system interface
  edit "VPN_LAB"
    set vdom "root"
    set type tunnel
    set snmp-index 46
    set interface "VLAN_7"
    set mtu-override enable
    set mtu 1350
  next
end

Fabio
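To make the pattern in the IKE debug output above explicit, here is an added example (not code from the original post or from Fortinet) that parses `diagnose debug application ike -1` lines per tunnel and reports when the peer was last seen alive, how many of the FortiGate's DPD probes went unanswered, and how long it took to reach `link fail`. The sample lines are abbreviated from the post (enc/out hex dumps removed); the substring used to recognise an ACK received from the peer is an assumption, since no such line appears in the post.

```python
import re
from datetime import datetime
# Constructed sample: abbreviated from the IKE debug output in the post (enc/out hex dumps removed).
SAMPLE_LOG = """\
2024-07-07 10:18:56.433170 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE-ACK): XXX.YYY.208.56:4500->37.182.91.4:57353
2024-07-07 10:19:45.880034 ike 0:VPN_LAB_0: link is idle 53 XXX.YYY.208.56->37.182.91.4:57353 dpd=2 seqno=1 rr=0
2024-07-07 10:19:45.880160 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE): XXX.YYY.208.56:4500->37.182.91.4:57353
2024-07-07 10:20:05.920158 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE): XXX.YYY.208.56:4500->37.182.91.4:57353
2024-07-07 10:20:25.960156 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE): XXX.YYY.208.56:4500->37.182.91.4:57353
2024-07-07 10:20:46.000040 ike 0:VPN_LAB_0: link fail 53 XXX.YYY.208.56->37.182.91.4:57353 dpd=2
2024-07-07 10:20:46.000062 ike 0:VPN_LAB_0: link down 53 XXX.YYY.208.56->37.182.91.4:57353
"""

# "<timestamp> ike <n>:<tunnel>[:<msgid>]: <message>"; lines without this prefix are ignored.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike \d+:(?P<tun>[^:\s]+)(?::\d+)?: (?P<msg>.*)$")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def dpd_timeline(log_text):
    """Per-tunnel DPD summary: when the peer was last seen alive, how many probes went unanswered, when the link failed."""
    tunnels = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tun, msg = m.group("ts"), m.group("tun"), m.group("msg")
        t = tunnels.setdefault(tun, {"last_peer_seen": None, "first_probe": None, "probes_sent": 0,
                                     "acks_received": 0, "fail_at": None, "link_down": False})
        if "sent IKE msg (R-U-THERE-ACK)" in msg:
            t["last_peer_seen"] = ts            # we answered the peer's probe: the peer was alive at this point
        elif "sent IKE msg (R-U-THERE)" in msg:
            t["probes_sent"] += 1               # our own DPD probe towards the peer
            t["first_probe"] = t["first_probe"] or ts
        elif "R-U-THERE-ACK" in msg:
            t["acks_received"] += 1             # assumed pattern for an ACK coming back from the peer
        elif msg.startswith("link fail"):
            t["fail_at"] = ts
        elif msg.startswith("link down"):
            t["link_down"] = True
    for t in tunnels.values():
        if t["fail_at"] and t["first_probe"]:
            t["seconds_to_fail"] = round((_ts(t["fail_at"]) - _ts(t["first_probe"])).total_seconds(), 1)
        unanswered = t["probes_sent"] > 0 and t["acks_received"] == 0 and t["fail_at"] is not None
        t["verdict"] = "peer stopped answering DPD" if unanswered else "no unanswered-DPD failure seen"
    return tunnels

if __name__ == "__main__":
    for name, t in dpd_timeline(SAMPLE_LOG).items():
        print(name, t)
```

On the sample this reports the peer last seen alive at 10:18:56, three unanswered probes from 10:19:45, and `link fail` 60.1 seconds after the first probe, which matches the "client already gone down" reading of the log.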
Fabio
Contributor

I also tried SSL VPN and it doesn't work either....

Here it is easier... because the web portal is not loaded... and so the connection with the client fails immediately.

I think the 200F and 300E are not devices on which they have tested the new releases properly... maybe we should buy the new FGTs?

I would like to know if anyone has tried a release higher than 7.2.5 and with what type of FGT.

Thanks

Fabio
amrit
Staff

1. From the following log line:

2024-07-07 10:20:25.960156 ike 0:VPN_LAB_0:14: sent IKE msg (R-U-THERE): XXX.YYY.208.56:4500->37.182.91.4:57353, len=108, vrf=0,

The FortiGate is attempting to check the DPD keepalive status, but because the FortiClient terminated the connection, we are not getting any response. So, I think you can try a different version of the FortiClient. If FCT is terminating the connection, I don't think the issue is the FortiGate.
2. For SSL VPN, the web portal is not required when connecting from the FortiClient. You can use the full or split tunnel connection.

To check the connection logs use the following commands

di vpn ssl debug-filter src-addr4 <public ip of the FCT PC>

di de app sslvpn -1 

di de en

This issue has nothing to do with the hardware (200F or 300E), as both devices are capable of working with the latest releases.

Amritpal Singh