Knox_122
New Contributor

Is Fortinet ADVPN just trash????

I am trying to deploy an ADVPN environment via BGP. In my lab everything works as you would expect it to, but as I start deploying it in the live environment, it just seems to die. I contact Fortinet support, spend a few hours with them and they seem to have no idea why it's failing. 

 

This is what is happening. Once deployed, it works fine, but then after a couple days, it just stops. I run sniffers, and diags. The diags show the traffic trying to go out, but then I get "SA is not ready yet, drop", which means the Phase2 is down. Then for whatever reason it starts working, then again I get "SA is not ready yet, drop", then starts working again, then it stops. Sometimes it just doesn't work anymore until I reload the config in the firewall, but then it'll work for a while and then stop again. This just doesn't happen on one Fortigate. I have 192 fortigates and have deployed this on 52 of them and this issue happens on all of them. Why are the Shortcuts Failing?? I have had Fortinet engineers look over my configs and they say all is correct. 

 

Firmware version 6.0.11 on all Fortigates

 

Is Fortinet's ADVPN just trash?????

 

 

Thank you. 

 

id=20085 trace_id=10313 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10313 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10313 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10314 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=192."
id=20085 trace_id=10314 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10314 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10314 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10315 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=193."
id=20085 trace_id=10315 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10315 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10315 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10316 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=194."
id=20085 trace_id=10316 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10316 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10316 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10317 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=195."
id=20085 trace_id=10317 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10317 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10317 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10318 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=196."
id=20085 trace_id=10318 func=resolve_ip_tuple_fast line=5597 msg="Find an existing session, id-d92598b5, original direction"
id=20085 trace_id=10318 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1"
id=20085 trace_id=10318 func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop"
id=20085 trace_id=10319 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq=197."
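
An added example, not part of the original post and not Fortinet tooling: a small parser that groups a saved debug-flow trace like the one above by `trace_id` and reports, per IPsec interface, how many packets entered it and how many hit "SA is not ready yet, drop". The function names and the sample input are assumptions made for illustration; the sample is constructed from the message formats shown in the post.

```python
import re
from collections import defaultdict

# One debug-flow entry; entries may be one per line or run together on a line.
ENTRY = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
PKT = re.compile(r'received a packet\(proto=(\d+), (\S+?)->(\S+?)\)')
DROP_MSG = "SA is not ready yet, drop"

def parse_traces(text):
    """Group entries by trace_id into one record per traced packet."""
    traces = defaultdict(lambda: {"flow": None, "iface": None, "sa_drop": False})
    for trace_id, func, msg in ENTRY.findall(text):
        rec = traces[int(trace_id)]
        pkt = PKT.search(msg)
        if func == "print_pkt_detail" and pkt:
            rec["flow"] = (int(pkt.group(1)), pkt.group(2), pkt.group(3))
        elif msg.startswith("enter IPsec interface-"):
            rec["iface"] = msg.split("interface-", 1)[1]
        elif msg == DROP_MSG:
            rec["sa_drop"] = True
    return dict(traces)

def sa_drop_summary(text):
    """Per IPsec interface: packets that entered it and how many hit the SA drop."""
    summary = defaultdict(lambda: {"entered": 0, "dropped": 0, "flows": set()})
    for rec in parse_traces(text).values():
        if rec["iface"] is None:
            continue  # trace never reached a tunnel interface (or was cut off)
        stats = summary[rec["iface"]]
        stats["entered"] += 1
        if rec["sa_drop"]:
            stats["dropped"] += 1
            if rec["flow"]:  # the packet-detail line can be missing at capture start
                stats["flows"].add(rec["flow"])
    return dict(summary)

# Constructed sample in the post's format: trace 1 lacks its packet-detail line,
# trace 2 is dropped, trace 3 enters the tunnel with no drop entry.
PKT_LINE = ('id=20085 trace_id={t} func=print_pkt_detail line=5517 msg="vd-root:0 received a '
            'packet(proto=1, 10.20.1.1:25601->10.0.4.1:2048) from local. type=8, code=0, id=25601, seq={t}."\n')
XMIT = 'id=20085 trace_id={t} func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-advpn_1" '
DROP = 'id=20085 trace_id={t} func=ipsec_common_output4 line=806 msg="SA is not ready yet, drop" '
SAMPLE = (XMIT.format(t=1) + DROP.format(t=1)
          + PKT_LINE.format(t=2) + XMIT.format(t=2) + DROP.format(t=2)
          + PKT_LINE.format(t=3) + XMIT.format(t=3))

if __name__ == "__main__":
    for iface, s in sa_drop_summary(SAMPLE).items():
        print(f"{iface}: {s['dropped']}/{s['entered']} packets dropped ({DROP_MSG!r}); flows: {sorted(s['flows'])}")
```

Run over traces saved from several devices, the per-interface drop ratio and affected flows make it easier to compare when and where the shortcut tunnel stops passing traffic.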

1 REPLY 1
amuda
Staff

Hi @Knox_122 

 

Good day!

 

You might want to refer to this: Traffic getting dropped due to Multiple p... - Fortinet Community

 

Amerul
APAC TAC