I am trying to deploy an ADVPN environment via BGP. In my lab everything works as you would expect it to, but as I start deploying it in the live environment, it just seems to die. I contact Fortinet support, spend a few hours with them and they seem to have no idea why it's failing.
This is what is happening. Once deployed, it works fine, but then after a couple of days, it just stops. I run sniffers and diags. The diags show the traffic trying to go out, but then I get "SA is not ready yet, drop", which means the Phase2 is down. Then for whatever reason it starts working, then again I get "SA is not ready yet, drop", then it starts working again, then it stops. Sometimes it just doesn't work anymore until I reload the config in the firewall, but then it'll work for a while and then stop again. This doesn't just happen on one FortiGate. I have 192 FortiGates and have deployed this on 52 of them, and this issue happens on all of them. Why are the shortcuts failing?? I have had Fortinet engineers look over my configs and they say all is correct.
Firmware version 6.0.11 on all FortiGates
Is Fortinet's ADVPN just trash?????
Thank you.
```
id=20085 trace_id=10313 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10313 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10313 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10314 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=192."
id=20085 trace_id=10314 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10314 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10314 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10315 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=193."
id=20085 trace_id=10315 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10315 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10315 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10316 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=194."
id=20085 trace_id=10316 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10316 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10316 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10317 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=195."
id=20085 trace_id=10317 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10317 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10317 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10318 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=196."
id=20085 trace_id=10318 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10318 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10318 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10319 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=197."
```
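When the intermittent "SA is not ready yet, drop" described above has to be quantified across dozens of FortiGates, it helps to parse the debug flow trace by trace_id and count how often a flow flips between being dropped and being sent. The following is an added example (not the poster's code or a Fortinet tool) that does that over a constructed sample in the same trace format; it also handles the case where extraction runs several entries together on one line, as in the post.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the "diagnose debug flow" trace
# above; one dropped trace (10316) and one where the packet was sent (10317).
SAMPLE_TRACE = """\
id=20085 trace_id=10316 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=194."
id=20085 trace_id=10316 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10316 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10316 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10317 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=195."
id=20085 trace_id=10317 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10317 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
"""

# key=value pairs; msg is a quoted string that may itself contain '=' and ','
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)')

def parse_entries(text):
    """Yield one dict per trace entry. Split on the 'id=... trace_id=' token
    rather than on newlines, so entries run together on one line still parse."""
    for chunk in re.split(r'(?=\bid=\d+ trace_id=)', text):
        chunk = chunk.strip()
        if not chunk:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(chunk)}
        if 'trace_id' in fields:
            yield fields

def summarize_drops(text):
    """Group entries by trace_id; report which flows were dropped at
    ipsec_common_output4 with 'SA is not ready yet', the IPsec interface they
    were heading into, and how often the drop state flipped between traces."""
    traces = defaultdict(list)
    for e in parse_entries(text):
        traces[e['trace_id']].append(e)
    report = {'dropped': [], 'sent': [], 'by_interface': defaultdict(int), 'flips': 0}
    states = []
    for tid, entries in sorted(traces.items(), key=lambda kv: int(kv[0])):
        iface = next((e['msg'].split('interface-')[-1] for e in entries
                      if e['func'] == 'ipsecdev_hard_start_xmit'), None)
        pkt = next((m.group(0) for e in entries if e['func'] == 'print_pkt_detail'
                    for m in [PKT_RE.search(e['msg'])] if m), None)
        dropped = any(e['func'] == 'ipsec_common_output4' and 'SA is not ready yet' in e['msg']
                      for e in entries)
        (report['dropped'] if dropped else report['sent']).append((tid, iface, pkt))
        if dropped and iface:
            report['by_interface'][iface] += 1
        states.append(dropped)
    report['flips'] = sum(a != b for a, b in zip(states, states[1:]))
    return report
```

A high `flips` count on a single flow is the signature of the "works, stops, works again" behaviour described above, and `by_interface` shows whether the drops are confined to the shortcut tunnel interface or affect the hub tunnel as well.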
Hi @Knox_122
Good day!
You might want to refer to this: Traffic getting dropped due to Multiple p... - Fortinet Community
Copyright 2024 Fortinet, Inc. All Rights Reserved.