In the following printout, 'expire=21511/0B' is a countdown to the Child SA's key expiry, starting from the value specified in Phase 2's 'keylifeseconds' attribute (in my case, 27000).
However, the printout also has a 'timeout=26732/27000' where 26732 doesn't change at all. My question: what does this number represent?
FGT60D-1 # diagnose vpn tunnel list
:
proxyid=ToAzureVPNGateway3 proto=0 sa=1 ref=2 serial=26
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:172.16.64.0/255.255.192.0:0
SA: ref=41 options=10024 type=00 soft=0 mtu=1438 expire=21511/0B replaywin=0
seqno=10e03 esn=0 replaywin_lastseq=00000000 itn=0
life: type=01 bytes=0/0 timeout=26732/27000
dec: spi=f1c15bf3 esp=aes key=16 9136fd97fab9c206f27055d082c83414
ah=sha1 key=20 5b69a33bc129346a2018d6fbde9d5bb51693e231
enc: spi=127f9a4c esp=aes key=16 925357d548af93d4fa664653cf3a8e19
ah=sha1 key=20 ea362f3413d292a459939cf8b5f8985b1bc12331
dec:pkts/bytes=100993/51118804, enc:pkts/bytes=84002/31649950
npu_flag=03 npu_rgwy=A.A.A.A npu_lgwy=B.B.B.B npu_selid=19
Looks like they forgot to update something in the diag output. I recommend you open a TT with TAC. If you run "get vpn ipsec tun name ToAzureVPNGateway3", you would see something like "lifetime/rekey: 27000/21511".
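Added example, not from the post or from Fortinet: a small Python parser for the `diagnose vpn tunnel list` format shown above. It reads each Child SA's live `expire` countdown and takes the configured keylife from the second number of `timeout=x/y`, deliberately not relying on the first `timeout` number, which the reply above reports as not updating; it then flags SAs close to rekey. The second tunnel record in the sample is constructed, and the key lines are omitted.

```python
import re

# Constructed sample in the `diagnose vpn tunnel list` format of the post above.
# The first record mirrors the post (key lines omitted); the second is invented.
SAMPLE = """\
proxyid=ToAzureVPNGateway3 proto=0 sa=1 ref=2 serial=26
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:172.16.64.0/255.255.192.0:0
  SA: ref=41 options=10024 type=00 soft=0 mtu=1438 expire=21511/0B replaywin=0
  life: type=01 bytes=0/0 timeout=26732/27000
proxyid=BranchB proto=0 sa=1 ref=2 serial=27
  src: 0:10.1.0.0/255.255.0.0:0
  dst: 0:10.2.0.0/255.255.0.0:0
  SA: ref=9 options=10024 type=00 soft=0 mtu=1438 expire=120/0B replaywin=0
  life: type=01 bytes=0/0 timeout=3600/3600
"""

PROXY_RE = re.compile(r"^proxyid=(\S+)")
EXPIRE_RE = re.compile(r"\bexpire=(\d+)/(\d+)B")
TIMEOUT_RE = re.compile(r"\btimeout=(\d+)/(\d+)")


def parse_tunnel_list(text):
    """One dict per Child SA: proxy name, seconds/bytes until key expiry
    (the live 'expire' counters), the configured keylife (second number
    of 'timeout') and the first 'timeout' number, kept only for reference."""
    sas, proxy = [], None
    for line in text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m:
            proxy = m.group(1)
            continue
        m = EXPIRE_RE.search(line)
        if m:  # an 'SA:' line starts a new Child SA record
            sas.append({"name": proxy, "expire_s": int(m.group(1)),
                        "expire_bytes": int(m.group(2))})
            continue
        m = TIMEOUT_RE.search(line)
        if m and sas:  # the 'life:' line belongs to the most recent SA
            sas[-1]["timeout"] = int(m.group(1))
            sas[-1]["keylife_s"] = int(m.group(2))
    return sas

def sas_near_expiry(sas, warn_fraction=0.10):
    """Names of SAs whose 'expire' countdown is at or below warn_fraction
    of the configured keylife, i.e. a rekey is due shortly."""
    return [s["name"] for s in sas
            if s["expire_s"] <= s["keylife_s"] * warn_fraction]
```

Run it against captured output from several `diagnose vpn tunnel list` samples a few minutes apart: `expire_s` should fall between samples while `timeout` stays constant, which is the behaviour the question describes.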
Copyright 2024 Fortinet, Inc. All Rights Reserved.