Redundant VPN config help
Hello all, have a VPN project and having a problem. Almost got it though...
I have a 200E and a test 60E at a remote site I want to set up a VPN between the 2 sites, but have redundancy for the 200E if an ISP goes down at the 200E location. 200E config: WAN1 - ISP1WAN2 - ISP2 Primary VPN on WAN1 - working 10/0Backup VPN on WAN2 - not working on failover 20/0 link-monitor configured on both WAN1 and WAN2 60E config: WAN1 - ISP1 (only 1 ISP here) Primary VPN on WAN1 - Connects fine to primary on 200E to WAN1 10/0Backup VPN on WAN1 - Would connect to the WAN2 IP of the 200E 20/0 link-monitor running on WAN1 (only to match configs of FGs) If I software disable WAN1 or pull the Eth out of WAN1 -- Internet switches over to WAN2, no downtime. 200E primary VPN was working perfectly. After WAN1 goes offline, drop in vpn traffic seen but Backup VPN does not come online. I can see phase 1 success messages for backup VPN, but no traffic passes or tunnel showing online. What am I missing?- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
please share the output of the commands below:
diag vpn ike log filter name <phase1-name>
diag debug app ike -1
diag debug enable
Regards
Mahesh
mahesh p mohan wrote:
Hi
please share the output of the commands below:
diag vpn ike log filter name <phase1-name>
diag debug app ike -1
diag debug enable
Regards
Mahesh
Here was the output:

FG200 # diag vpn ike log filter name H
FG200 # diag debug app ike -1
Debug messages will be on for 20 minutes.
FG200 # diag debug enable
FG200 # ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike change cfg 1 interface 0 router 0 certs 0      <Manual disable of WAN1 here>
ike 0: cache rebuild done
ike 0: HA syncing disabled
ike 0:H: local-addr 173.xx.xx.xx
ike 0:H: oif 17
ike 0:H_Backup: local-addr 67.xx.xx.xx
ike 0:H_Backup: oif 18
ike 0:RemoteMacOS: local-addr 173.xx.xx.xx
ike 0:RemoteMacOS: oif 17
ike 0: policy 2 disabled, ignoring
ike 0: policy 11 disabled, ignoring
ike 0:internal: add addr 10.xx.xx.0-10.xx.xx.255
ike 0: policy 13 disabled, ignoring
ike 0:H: schedule auto-negotiate
ike 0:H_Backup: schedule auto-negotiate
ike config update done
ike 0: cache rebuild done      <ALL VPN DOWN AT THIS POINT, Backup not connecting>
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0:H: carrier down
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H: auto-negotiate connection
ike 0:H: created connection: 0x1429dbf0 17 173.xx.xx.145->73.xx.xx.xx :500.
ike 0: cache rebuild done
ike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
Hi,
Did you reproduce the issue while taking the log?
Are policies 2, 11 and 13 related to the VPN?
Please share the output of the following:
config firewall policy
edit 2
show
next
edit 11
show
next
edit 13
show
end
Regards
Mahesh
Hm, I do it this way here:
The WANs are on WLLB/SD-WAN with connectivity checks.
There are two tunnels which are always up (except if one ISP fails, of course).
I have static routes for the subnets I want to reach over the VPN (and vice versa if needed).
These routes are redundant: there is one for each VPN. They have the same distance but different priorities.
Then there are policies for the subnets I need to reach or that need to reach me. These have to be redundant too, one for each VPN.
This leads to this:
The tunnel whose route has the lowest priority value will be used as primary. If that goes down, the route with the next higher priority value will be used to route the traffic.
This works fine here in 20 locations and 1 central :)
hth
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
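Sebastian's design above, written out as FortiOS CLI for the hub (200E) side. This is an added example, not configuration posted by anyone in this thread. The tunnel names H and H_Backup are taken from the original post; the interface names wan1/wan2/internal, the spoke public address 203.0.113.10, the subnets 10.1.0.0/24 (hub LAN) and 10.2.0.0/24 (spoke LAN), the route, address and policy IDs, and the PSK are all assumed placeholders. The WLLB/SD-WAN health checks Sebastian mentions are left out because their syntax differs between FortiOS releases; in this example DPD on each phase1 is what marks a dead tunnel down and withdraws its static route.

```fortios
# Added example, hub (200E) side. All names, addresses and IDs below are
# assumptions, not values from the thread. The spoke (60E) mirrors this with
# both phase1s on its single wan1, remote-gw set to the hub's wan1 and wan2
# public IPs, and src/dst subnets swapped.

config vpn ipsec phase1-interface
    edit "H"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set remote-gw 203.0.113.10
        set psksecret "ReplaceWithStrongPSK"
    next
    edit "H_Backup"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set remote-gw 203.0.113.10
        set psksecret "ReplaceWithStrongPSK"
    next
end
# Deliberately no "set monitor H" on H_Backup: that option keeps the backup
# tunnel down until the primary fails, whereas this design keeps both up.

config vpn ipsec phase2-interface
    edit "H"
        set phase1name "H"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
    edit "H_Backup"
        set phase1name "H_Backup"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# auto-negotiate brings both SAs up without waiting for traffic, so the
# backup is already established when the primary's route is withdrawn.

config router static
    edit 10
        set dst 10.2.0.0 255.255.255.0
        set device "H"
        set distance 10
        set priority 5
    next
    edit 11
        set dst 10.2.0.0 255.255.255.0
        set device "H_Backup"
        set distance 10
        set priority 10
    next
end
# Same distance, different priority: both routes stay installed and the lower
# priority value (route 10 via H) is used until that tunnel interface goes down.

config firewall address
    edit "LAN_hub"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "LAN_spoke"
        set subnet 10.2.0.0 255.255.255.0
    next
end

config firewall policy
    edit 20
        set name "lan-to-spoke"
        set srcintf "internal"
        set dstintf "H" "H_Backup"
        set srcaddr "LAN_hub"
        set dstaddr "LAN_spoke"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 21
        set name "spoke-to-lan"
        set srcintf "H" "H_Backup"
        set dstintf "internal"
        set srcaddr "LAN_spoke"
        set dstaddr "LAN_hub"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify the failover, run `diagnose vpn ike gateway list` and confirm both gateways are established while wan1 is still up, then check `get router info routing-table all` for both 10.2.0.0/24 entries. After disabling wan1, the H route should disappear and traffic should continue over H_Backup with no new phase1 negotiation needed; if instead you see the backup only starting to negotiate at that moment, as in the debug output earlier in the thread, the tunnel was not being kept up beforehand.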
