Hi. I am using FortiOS 7.4.2 and I have an L2TP VPN created that is functioning correctly. I also configured an HA cluster with two identical FG80F. When I simulate a link failover on one of the VPN interfaces, the failover of the FortiGates takes place without any issue. I see in the interface that the L2TP VPN remains up and running with the connections intact. Yet the Windows VPN client, after the failover, will try to reconnect to the VPN without success. After a few seconds the VPN is shut down by the client.
During the failover transition, on the client I can see the VPN IP allocated to the client (ipconfig), yet the routing table is missing the default route for this IP class. In conclusion, the tunnel is up during the transition and for a few minutes (2-3) after the failover takes place, yet the clients cannot access any resources. After 2-3 minutes the client will disconnect. If I manually connect to the VPN after that, the VPN is again up and running.
I saw in some other posts that L2TP is supported in HA mode, however the FGCP does not provide session failover.
Can anybody give me more details on this?
I have session-pickup enabled in HA, and ha-sync-esp-seqno under the phase1 of the L2TP.
So the final question is: Can I have session failover in HA setup for my L2TP?
Hello
According to the FOS 5.6 handbook, FGCP does not provide session failover for L2TP.
See the handbook below, page 1969.
https://docs.fortinet.com/document/fortigate/5.6.0/fortios-handbook
However, I couldn't find any related info for the newer versions 6.x and 7.x.
I tried to read the explanation from the recommended page and I am confused. So, an actual L2TP VPN (dialup) that is using IKEv1 has 3 components: the L2TP tunnel, phase1 and phase2.
It seems that the FortiGate will synchronize phase1 and phase2 of the VPN (the ones related to IKEv1), yet cannot do it for the L2TP part if its end is on the failing device (no passthrough to the failing device).
What do you think?
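For reference, here is how the three components and the two HA-sync settings mentioned in this thread relate to each other in the FortiOS CLI. This is an added illustration, not the poster's configuration or a Fortinet-provided snippet; interface names, addresses, the user group and the PSK are constructed placeholders, and it only shows where each knob lives, not that it changes the L2TP failover behaviour discussed above.

```fortios
# --- HA: session-pickup synchronizes firewall sessions (TCP, plus
#     connectionless sessions if enabled) to the secondary unit.
#     It does not, by itself, sync the L2TP/PPP tunnel state.
config system ha
    set group-name "L2TP-HA"          # constructed placeholder
    set mode a-p
    set session-pickup enable
    set session-pickup-connectionless enable
end

# --- Component 1: the L2TP server (tunnel endpoint on the FortiGate).
#     This is the part the 5.6 handbook says FGCP does not fail over.
config vpn l2tp
    set status enable
    set eip 10.10.10.100              # constructed client pool end
    set sip 10.10.10.1                # constructed client pool start
    set usrgrp "L2TP-USERS"           # constructed placeholder group
end

# --- Component 2: IKEv1 phase1 (dynamic/dialup).
#     ha-sync-esp-seqno keeps ESP sequence numbers in sync so the
#     IPsec SA survives the switchover; this is the IKE/IPsec layer only.
config vpn ipsec phase1-interface
    edit "L2TP-P1"                    # constructed placeholder name
        set type dynamic
        set interface "wan1"          # constructed placeholder
        set ike-version 1
        set mode main
        set proposal aes256-sha256
        set ha-sync-esp-seqno enable
        set psksecret "REPLACE-WITH-REAL-PSK"   # placeholder
    next
end

# --- Component 3: phase2 in transport mode, flagged for L2TP.
config vpn ipsec phase2-interface
    edit "L2TP-P2"                    # constructed placeholder name
        set phase1name "L2TP-P1"
        set proposal aes256-sha256
        set encapsulation transport-mode
        set l2tp enable
    next
end
```

Phase1/phase2 carry the HA-related settings, while `config vpn l2tp` has none, which matches the split described in the reply above.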
Copyright 2024 Fortinet, Inc. All Rights Reserved.