Hey,
Perhaps someone can assist me or guide me in the right direction. I've been trying to resolve an issue with one of my S2S VPNs for a week.
I have three Fortigates: one 600F and two 400Fs. The 600F has an S2S VPN with both 400Fs, and both ends have the same configuration. All of them are still running on Firmware 6.4.15.
My problem:
When I ping or SSH between the 600F and one of the 400Fs through the tunnel, I experience 10-15% packet loss. This results in very slow transfer rates and even causes CLI inputs to come through in waves. When I check the packets with a ping, I see that everything is sent, and replies are sent back, but some packets are just missing on the source firewall. With SSH, I observe retransmissions, TCP duplicate acknowledgments, and TCP previous segment not captured errors.
The exact same configuration with the other 400F works perfectly fine without any issues.
If I ping and SSH over the WAN interfaces instead of the S2S tunnel, it also works without issues. Therefore, I believe the problem lies with the VPN, but I am currently stuck at this step.
In these tests, I am trying to establish a stable connection between an interface IP of the 600F and the 400F directly, or vice versa.
Maybe I'll get lucky, and someone will have an idea or know of a known bug in the firmware.
Thanks in advance
Can you run the following command on both FortiGates at the same time and initiate continuous ping traffic:
dia sniffer packet any "host x.x.x.x and icmp" 4 0 l
x.x.x.x is the IP address of your source, you can use the same IP on both sides as long as there is no NAT enabled on the firewall policy.
Once you start seeing the packet drops on the endpoints, can you verify whether the dropped pings are reaching either FortiGate at all?
Please provide the output from both FortiGates here.
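A way to turn the two sniffer outputs into an answer, added here as an example and not part of the thread above: capture on both FortiGates as described, then match each ICMP echo sequence number across the four observation points (request out of the source tunnel interface, request into the remote tunnel interface, reply out of the remote, reply into the source). Whichever hop a sequence number is last seen at tells you whether the loss sits in the tunnel path between the firewalls or inside one of them. The line shape assumed below is that of `diagnose sniffer packet ... 4 0 l` (verbose 4 with local timestamps); whether the `seq N` field is printed depends on the FortiOS build, so lines without it are skipped rather than guessed. The interface names `to-branch` and `to-hq`, the addresses, and both captures are constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed shape of a verbose-4 sniffer line with local timestamps, e.g.
#   2024-05-01 09:15:02.000100 to-branch out 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 1
# The "seq N" suffix is treated as optional because not every build prints it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)"
    r"(?: seq (?P<seq>\d+))?"
)


@dataclass(frozen=True)
class IcmpEvent:
    ts: str
    iface: str
    direction: str  # "in" or "out" relative to the FortiGate that captured it
    src: str
    dst: str
    kind: str       # "request" or "reply"
    seq: int


def parse_sniffer(text: str, iface: str) -> list[IcmpEvent]:
    """Parse sniffer output, keeping only ICMP echo lines on the given interface.

    Capturing on "any" also shows the LAN-side copy of a forwarded ping, so the
    caller names the tunnel interface to look at just the encrypted path.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["seq"] is None or m["iface"] != iface:
            continue
        events.append(IcmpEvent(m["ts"], m["iface"], m["dir"], m["src"],
                                m["dst"], m["kind"], int(m["seq"])))
    return events


def _seqs(events: list[IcmpEvent], kind: str, direction: str) -> set[int]:
    return {e.seq for e in events if e.kind == kind and e.direction == direction}


def locate_loss(source_events: list[IcmpEvent],
                remote_events: list[IcmpEvent]) -> dict[int, str]:
    """Map every echo sequence number that never got its reply back to the
    last place it was seen. Source = the FortiGate the ping originates from."""
    req_out_src = _seqs(source_events, "request", "out")
    req_in_rem = _seqs(remote_events, "request", "in")
    rep_out_rem = _seqs(remote_events, "reply", "out")
    rep_in_src = _seqs(source_events, "reply", "in")

    verdict = {}
    for seq in sorted(req_out_src | req_in_rem):
        if seq in rep_in_src:
            continue  # completed round trip, nothing to explain
        if seq not in req_out_src:
            verdict[seq] = "request never left the source FortiGate"
        elif seq not in req_in_rem:
            verdict[seq] = "request lost between the FortiGates"
        elif seq not in rep_out_rem:
            verdict[seq] = "remote FortiGate saw the request but sent no reply"
        else:
            verdict[seq] = "reply lost between the FortiGates"
    return verdict


def loss_rate(source_events: list[IcmpEvent],
              remote_events: list[IcmpEvent]) -> float:
    """Fraction of echo requests (seen anywhere) that did not complete."""
    attempted = _seqs(source_events, "request", "out") | _seqs(remote_events, "request", "in")
    if not attempted:
        return 0.0
    return len(locate_loss(source_events, remote_events)) / len(attempted)


# Constructed capture from the 600F (10.1.0.1) pinging the 400F (10.2.0.1).
# The port1 line is an unrelated LAN ping and must be filtered out.
SOURCE_CAPTURE = """\
2024-05-01 09:15:01.000100 port1 in 192.168.10.20 -> 10.1.0.1: icmp: echo request seq 99
2024-05-01 09:15:02.000100 to-branch out 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 1
2024-05-01 09:15:02.006400 to-branch in 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 1
2024-05-01 09:15:03.000100 to-branch out 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 2
2024-05-01 09:15:03.006300 to-branch in 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 2
2024-05-01 09:15:04.000100 to-branch out 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 3
2024-05-01 09:15:05.000100 to-branch out 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 4
2024-05-01 09:15:05.006500 to-branch in 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 4
2024-05-01 09:15:06.000100 to-branch out 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 5
2024-05-01 09:15:07.000100 to-branch out 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 6
2024-05-01 09:15:07.006200 to-branch in 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 6
"""

# Constructed capture from the 400F side, same ping run (clocks need not agree).
REMOTE_CAPTURE = """\
2024-05-01 09:15:02.003200 to-hq in 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 1
2024-05-01 09:15:02.003300 to-hq out 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 1
2024-05-01 09:15:03.003100 to-hq in 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 2
2024-05-01 09:15:03.003200 to-hq out 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 2
2024-05-01 09:15:04.003300 to-hq in 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 3
2024-05-01 09:15:04.003400 to-hq out 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 3
2024-05-01 09:15:05.003200 to-hq in 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 4
2024-05-01 09:15:05.003300 to-hq out 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 4
2024-05-01 09:15:07.003100 to-hq in 10.1.0.1 -> 10.2.0.1: icmp: echo request seq 6
2024-05-01 09:15:07.003200 to-hq out 10.2.0.1 -> 10.1.0.1: icmp: echo reply seq 6
"""

if __name__ == "__main__":
    src = parse_sniffer(SOURCE_CAPTURE, "to-branch")
    rem = parse_sniffer(REMOTE_CAPTURE, "to-hq")
    for seq, where in locate_loss(src, rem).items():
        print(f"seq {seq}: {where}")
    print(f"loss rate: {loss_rate(src, rem):.1%}")
```

Matching on sequence numbers instead of timestamps means the two FortiGates' clocks do not have to agree. In the constructed run, seq 3 reaches the remote and is answered but the reply never arrives back, while seq 5 never reaches the remote at all; both point at the path between the firewalls (ISP or tunnel transport) rather than at either box, which is the distinction the sniffer request above is meant to draw. A request that shows up on the remote's tunnel interface but produces no reply would instead point at the remote FortiGate itself.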
Okay.
The last time I checked, I was still in the office around 6 PM. Now it's 11 PM. I tried to recreate the issue, and it's gone. I just sent 200 pings through, and all 200 worked. SSH is working smoothly. The ping times have decreased from 40ms to 6ms.
However, there was no significant load on the line all day. The CPU was at 1% load, RAM at 30%, and the WAN interface, which is 1 Gbps on both ends, had a load of 1.5 MB/s all day long.
The test from WAN to WAN also decreased from 40ms to 6ms. So, it's probably the internet connection on the remote site, I guess?
It could be the internet connection; as you have mentioned, the hardware performance looks within the normal range. If you have observed packet loss on multiple devices, then it could be related to the ISP on either side.
Copyright 2024 Fortinet, Inc. All Rights Reserved.