Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Abdal_opr
New Contributor

Maintaining IPSEC Tunnel up when No Traffic is Generated

Hello,

 

i have an FG Firewall connected to FortiManager. This FortiGate establishes an IPSEC tunnel with the local Edge firewall. However, when no traffic from clients is generated, the tunnel remains down. I am looking for a method to keep these tunnels up.


Could anyone provide a method to ensure that the IPSEC tunnels between the FG Firewall and the local firewall stay up even when there is no traffic being generated?

 

Thanks!

Abdal

4 REPLIES 4
Babitha_M
Staff
Staff

Hi Abdal,

 

You may use the option Keep Alive in the phase2 configuration. The option is to keep the tunnel active when no data is being processed. Please refer the below link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepali...


Regards,
Babitha M

Abdal_opr

Thanks for reply, this option is enabled.

 

I want to establish and maintain an IPsec connection between the client on the left side and a proxy server on a VPN client, even when the VLAN interface, where the proxy server resides, is not physically connected to a switch or client that generates traffic. This absence of traffic can lead to the IPsec tunnel going down due to inactivity.

 

I'm looking for a method to keep the IPsec connection active between the client and the proxy server on the VLAN interface, even when there is no real traffic being generated by any connected device:

 

IPSEC_Topology.png

msanjaypadma

Hi @Abdal_opr ,

 

You can try with DPD settings , see If it is helps.

The FortiGate unit provides a mechanism called Dead Peer Detection (DPD), sometimes referred to as gateway detection or ping server, to prevent this situation and to re-establish IKE negotiations automatically before a connection times out:

Reference article:
https://community.fortinet.com/t5/FortiClient/Technical-Tip-Configuring-DPD-dead-peer-detection-on-I...)
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-the-DPD-effect-on-a-dialup-...

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.

 


Thanks,

Mayur Padma
raven403
New Contributor

Even with Proxy IDs, there still needs to be routes for the remote networks you're trying to reach over the vpn, pointing to the tunnel interface of the vpn. The reason is that though the palo supports proxy-ids like a policy-based tunnel, it's basically a route-based tunnel with proxy-id support.

https://19216801.onl/ https://routerlogin.uno/
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors