Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Site to Site IPSec goes one way after random number of days

Last week we deployed a few Fortigate F models (60F and 100F) to replace D models at a few of our branch sites. At each of these sites an HA pair was put in place.


Fortigate to Fortigate route based IPSec tunnels were established and at least 3 times now, we've gotten calls that the systems were down.


  • I was able to log into both ends and the tunnel showed up on both sides.
  • With packet tracers running on each side, I was able to see the following in the trace[ul]
  • Ping from the Datacenter side entered the internal interface
  • Ping egressed the tunnel interface
  • Ping ingressed the tunnel interface on the remote firewall
  • Ping egressed the internal interface on the remote firewall
  • Ping Reply ingressed the internal interface on the remote firewall
  • Ping DID NOT egress the tunnel interface on the remote firewall[/ul][/ul]


    I dropped all Phase 2 on the tunnel and when it came back up the issue would be resolved, until the next time.


    I verified the IPSec configurations match 100% on both sides, so I'm at a loss. Any suggestions?





  • 2 REPLIES 2
    Esteemed Contributor III

    You need to run "flow debug" at the remote FGT to see why the ping replies are dropped there. I think you have plenty time to research how to run flow debug even if you haven't done before (some document, blogs, etc. available) before it happens next time.


  • Ping DID NOT egress the tunnel interface on the remote firewall[/ul]

    just wondering how you saw this? with regular FortiGate diagnose sniffer you only see traffic entering the VPN tunnel in this case i believe, the next place you would see something is on the local firewall.


    diagnose debug flow is worth a try, although i wonder if it will notice this if the traffic does enter the tunnel fine.

  • Labels
    Top Kudoed Authors