I have a main "hub" FortiGate that has more than a dozen other "branch" FortiGates connected to it over individual S2S VPN connections. All of these VPN tunnels are very stable and barely ever drop (and when they do, it is due to the ISP).
I recently added yet another branch FortiGate and nailed up a new S2S VPN for it back to the hub FortiGate. I had no issues establishing the tunnel and traffic passes fine in both directions. The tunnel's Phase1 and Phase2 settings on both ends are identical to the previous tunnels (except of course for the IPs) as well as static routes and IPv4 Policies - all very simple.
The problem we are facing is that just about every 24 hours, the tunnel to the new FortiGate drops and all connectivity between the 2 devices is down for 5 to 10 minutes until a new tunnel is established. We do not have downtime with any other tunnel. The 24-hour timeframe would match our key lifetime setting, but I need help figuring out why this tunnel can't re-negotiate without issue.
Is anyone else having similar issues?
Do you have any tunnel logs during the tunnel down period ?
NSE7, FMG, FAC, FAZ .
1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
I'm relatively new to FortiGates...are you talking Log & Report -> Events -> VPN Events, or is there a deeper level of logging somewhere I should be looking at?
hi,
it might just be that your remote ISP forces an interruption, as to prevent running a server on that line. For this, the public IP would be dynamic and shuffled anew each night. German Telekom used to do this for years.
If that is the case here, chances are that tunnel traffic leaks to WAN when the VPN is interrupted. If this created a new session, a tunnel-up will not occur instantaneously. You prevent data leakage and provide for the fastest reconnection of the IPsec tunnel by installing blackhole routes for your/for all private network ranges.
Have a look, for instance, at this post: https://forum.fortinet.com/tm.aspx?m=120834 for details, and a script file which will install all bh routes for you.
And yes, a tunnel down is an event so the VPN event log should show something.
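As an added example (not code from this thread or from the script linked above), the following Python helper emits the FortiOS CLI for the blackhole routes described in the reply above. It assumes the RFC 1918 ranges as the prefixes to blackhole and a distance of 254 so that the blackhole only takes effect while the tunnel's own static route is withdrawn; the branch prefixes and any other values are placeholders, not taken from the poster's configuration.

```python
import ipaddress

# Assumption: blackhole the RFC 1918 ranges. The poster's own branch prefixes
# could be added here instead; these are illustrative, not from the thread.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def blackhole_routes(prefixes=RFC1918, distance=254):
    """Return FortiOS CLI text that installs one blackhole static route per prefix.

    A blackhole route with a high administrative distance (254) loses to the
    tunnel's normal static route while the tunnel is up, and wins only while
    that route is withdrawn, so traffic is dropped instead of leaking to WAN
    and no stale session is created that would delay the tunnel coming back.
    """
    lines = ["config router static"]
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        lines += [
            "    edit 0",  # 0 makes FortiOS allocate the next free route id
            f"        set dst {net.network_address} {net.netmask}",
            "        set blackhole enable",
            f"        set distance {distance}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def is_covered(subnet, prefixes=RFC1918):
    """True if a branch subnet falls inside one of the blackholed prefixes.

    Useful as a check: a remote branch that sits outside the blackholed ranges
    (for example a public range routed through the tunnel) would still leak.
    """
    target = ipaddress.ip_network(subnet, strict=False)
    return any(target.subnet_of(ipaddress.ip_network(p)) for p in prefixes)


if __name__ == "__main__":
    print(blackhole_routes())
    print("branch 192.168.50.0/24 covered:", is_covered("192.168.50.0/24"))
```

The distance must be higher than the distance of the static routes pointing into the tunnel interfaces (FortiOS defaults those to 10); if the blackhole route had an equal or lower distance, it would win permanently and break the tunnel traffic rather than protect it.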
Hi Ede,
That shouldn't be the case - we have a static IP from our ISP on both ends of the tunnel. I will double-check to be sure that nothing is happening on their end, but I doubt that it is. If I manually rebuild the tunnel (which I've tried), the next tunnel drop moves to just under 24 hours after the time that I re-establish the tunnel (instead of the previous recurring time).
Nick
Yes, during the tunnel down period do this in the CLI and post the output:
diagnose debug enable
diagnose debug application ike -1
If you have multiple tunnels you could put in a filter on the debug output using :
diagnose vpn ike log-filter <some filter>
When I am facing these kinds of problems I usually change my design to using a dialup tunnel setup, but that's a personal preference.
NSE7, FMG, FAC, FAZ .
1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.
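Both replies above point at the VPN event log and the IKE debug output as the place to confirm whether the drops line up with the key lifetime. As an added example, not from the thread or from Fortinet, here is a small Python script that parses FortiOS-style key=value VPN event lines, pairs each tunnel-down with the next tunnel-up for one tunnel, and checks whether the spacing between drops tracks a configured lifetime (86400 s by default). The log lines are constructed for the example; the field names (date, time, subtype, action, vpntunnel) are assumed to match the device's own event log and should be checked against a real line before use.

```python
import re
from datetime import datetime

# Constructed sample lines in FortiOS key=value event-log style (not real logs
# from the poster's devices). Only the fields this script uses are shown.
SAMPLE_LOG = """\
date=2024-03-01 time=02:10:05 type="event" subtype="vpn" action="tunnel-down" vpntunnel="branch-new" msg="IPsec connection status change"
date=2024-03-01 time=02:18:41 type="event" subtype="vpn" action="tunnel-up" vpntunnel="branch-new" msg="IPsec connection status change"
date=2024-03-02 time=02:09:58 type="event" subtype="vpn" action="tunnel-down" vpntunnel="branch-new" msg="IPsec connection status change"
date=2024-03-02 time=02:16:12 type="event" subtype="vpn" action="tunnel-up" vpntunnel="branch-new" msg="IPsec connection status change"
date=2024-03-02 time=11:30:00 type="event" subtype="vpn" action="tunnel-down" vpntunnel="branch-old" msg="IPsec connection status change"
date=2024-03-02 time=11:30:20 type="event" subtype="vpn" action="tunnel-up" vpntunnel="branch-old" msg="IPsec connection status change"
"""

# key=value with either a double-quoted value or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return (timestamp, dict of fields) for one key=value log line."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, fields


def outages(log_text, tunnel):
    """Return [(down_ts, up_ts, seconds_down), ...] for one tunnel, in time order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [(ts, f) for ts, f in events
              if f.get("subtype") == "vpn" and f.get("vpntunnel") == tunnel]
    events.sort(key=lambda e: e[0])
    result, down = [], None
    for ts, f in events:
        if f.get("action") == "tunnel-down" and down is None:
            down = ts
        elif f.get("action") == "tunnel-up" and down is not None:
            result.append((down, ts, (ts - down).total_seconds()))
            down = None
    return result


def matches_lifetime(outs, lifetime_s=86400, tolerance_s=300):
    """True if every gap between consecutive drops is within tolerance of lifetime_s.

    A drop that recurs one lifetime after the previous one (or after a manual
    rebuild) is the pattern described in the thread; a clean rekey should not
    produce a tunnel-down event at all, so a match here says the rekey itself
    is failing and the IKE debug around that moment is where to look.
    """
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(outs, outs[1:])]
    return bool(gaps) and all(abs(g - lifetime_s) <= tolerance_s for g in gaps)


if __name__ == "__main__":
    for name in ("branch-new", "branch-old"):
        outs = outages(SAMPLE_LOG, name)
        for down, up, secs in outs:
            print(f"{name}: down {down} up {up} ({secs:.0f}s)")
        print(f"{name}: drops track 24h lifetime: {matches_lifetime(outs)}")
```

On the constructed input the new branch shows two outages of 516 s and 374 s spaced 86393 s apart, which the lifetime check flags; the old branch shows a single 20 s blip and is not flagged. The tolerance covers the "just under 24 hours" drift the poster describes after a manual rebuild.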
Copyright 2024 Fortinet, Inc. All Rights Reserved.