Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
marijasmlvc
New Contributor

Issues with IPsec Tunnels After Fortigate Upgrade (200F Cluster)

Hi everyone! :)

A couple of days ago, I upgraded a client's FortiGate 200F firewall cluster from 7.0.14 due to recent vulnerabilities. The latest recommended version for this model is 7.4.7, but we opted for 7.2.11 instead because of a known bug in 7.4.7 that prevents HTTPS access to the secondary node.

The upgrade itself went smoothly—everything seemed fine, HA was in sync, and all functionalities appeared to be working properly.

However, we ran into issues with their IPsec tunnels:

The tunnels are up and passing traffic, but most services and subnets are unreachable.

Restarting the tunnels didn't help.

Downgrading to 7.2.10 didn't fix the issue either.

After downgrading further to 7.0.17, everything started working normally again.

Possible Causes?

I suspected this might be related to cipher compatibility between versions, but the tunnel appears to be using the correct ciphers, and I'd expect an issue like that to affect the entire tunnel, not just certain services/subnets. Also, 7.0.14 is not that ancient.

One thing I did notice is that the phase-2 selector is configured as a named address group object containing all the subnets. Could that be a problem with these newer versions, since I did run into similar issues before when using a Named Address Object instead of a Subnet for the selector?

I didn't have much time for deeper troubleshooting, so any insights or ideas would be greatly appreciated!

Thanks in advance! :)
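For anyone comparing the group-based selector layout described above against what the firewall actually negotiates, here is an added illustration (not part of the original post, and not an answer from Fortinet): the tunnel, phase-2 and address-group names, as well as the subnets, are assumed.

```fortios
# Added illustration, not from the original post. Assumed names:
#   phase1 "HQ-VPN", phase2 "HQ-VPN-P2", address groups "LOCAL-NETS" / "REMOTE-NETS",
#   and the constructed subnets 10.10.0.0/24 (local) and 192.168.50.0/24 (remote).

# 1) The layout the post describes: phase-2 selectors taken from named
#    address group objects that contain all the subnets.
config vpn ipsec phase2-interface
    edit "HQ-VPN-P2"
        set phase1name "HQ-VPN"
        set src-addr-type name
        set src-name "LOCAL-NETS"
        set dst-addr-type name
        set dst-name "REMOTE-NETS"
    next
end

# 2) The explicit alternative: one phase-2 per local/remote subnet pair,
#    so group-to-selector expansion is no longer a variable in the comparison.
config vpn ipsec phase2-interface
    edit "HQ-VPN-P2-NET1"
        set phase1name "HQ-VPN"
        set src-addr-type subnet
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# 3) Checks: list the negotiated SAs and their src/dst selectors, then compare
#    them with the subnets that are expected to be reachable. A subnet that is
#    absent from the negotiated selectors will not pass traffic even though the
#    tunnel itself reports "up".
get vpn ipsec tunnel summary
diagnose vpn tunnel list name HQ-VPN

# 4) If a subnet is missing, capture the IKE negotiation for that phase1 only,
#    reproduce the traffic, and read which selectors the peer proposed/accepted.
diagnose vpn ike log filter name HQ-VPN
diagnose debug application ike -1
diagnose debug enable
# ... reproduce, then stop the debug:
diagnose debug disable
diagnose debug reset
```

Running step 3 on 7.2.11 and again on 7.0.17 and diffing the selector lists is the quickest way to see whether the group-based selector is being expanded differently between the two releases.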