Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Site to site IPSec VPN Tunnel failure on rest...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Site to site IPSec VPN Tunnel failure on restart
I have a pair of Fortigate 60 3.0 MR7 Patch 2. I have set up a site to site IPSec VPN between them. The tunnel works. If I restart one of the routers then one or both of the routers are unable to bring up the tunnel until the phase 1 keylife expires on the router that didn' t restart. I can edit the phase 1 on the router that didn' t restart then bring up the tunnel from either router.
Debug logs show that one router believes the tunnel is up and the other router believes the tunnel is down. When the tunnels won' t come up the router with the up tunnel refuses to discard the stuck SA. The router with the up tunnel may or may not discard the connection from the router with the down tunnel as unsolicited. The router with the down tunnel never gets a connection attempt because the router with the up tunnel communicates only over the stuck SA. Editing the phase 1 discards the phase 1 SA after which I can bring up the tunnel from either router.
I have other Fortigate routers with a variety of firmware from 2.80 to 3.00 and all have the same IPSec VPN problem.
A short keylife, DPD, auto-negotiate, and autokey keep alive are not acceptable solutions to this problem. I need Fortigate tunnels to be as reliable as Netscreen and Linksys tunnels which don' t have this problem.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DPD, auto-negotiate, and autokey keep alive are not acceptable solutions to this problem. I need Fortigate tunnels to be as reliable as Netscreen and Linksys tunnels which don' t have this problem.So why are these not acceptable solutions? Also, what does your debug vpn shows? When the connection is down?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
#1 First it would be important to understand _why_ the VPN goes down.
#2 I don' t understand why DPD is not a solution. DPD IMHO always is the choice for proper VPN handling. Despite #1, half-dead VPNs are a common problem if not using DPD.
#3 I' d upgrade to MR7_recent patch. (patch2 looks rather old)
-R.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
#1 First it would be important to understand _why_ the VPN goes down.The tunnel goes down because there' s a monkey at the controls pressing reset. Why it won' t come up on command until the monkey fixes it by hand is the problem. The real problem is that I have tunnels with real peers that won' t come up several times per week. After manually fixing only able to see one debug log at a time I bought another Fortigate for home so I could see both debug logs and verify that this isn' t a multi vendor problem. There are several distinct problems but the major one I' ve reduced down to this simple demonstration between two Fortigate so others can easily replicate the problem. Why my peers drop the tunnels without notification my logs don' t explain. They won' t admit to or fix anything so they just keeps going down. The Pix 501 that the Fortigate replaced handled whatever problem it is just fine.
#2 I don' t understand why DPD is not a solution. DPD IMHO always is the choice for proper VPN handling. Despite #1, half-dead VPNs are a common problem if not using DPD.Have you watched the debug logs? DPD spams the other router and the debug logs every 10-60 seconds. That would be fine for VPN where the DPD traffic would be dwarfed by the real traffic but my traffic is tiny files a couple of times per day. DPD would account for more than 99.9% of the traffic. Some of my peers do not support DPD and the tunnels won' t work at all if I enable DPD. All other brands I' ve tested recover from a stuck SA without so much as a second try and I' m steadily obtaining more to test. My peers, none of which use Fortigate, think DPD is not needed since none have enabled it. The Cisco Pix 501 that I replaced only produced stuck SA when I made changes and no tunnel had DPD. Why does Fortigate require DPD just to have tunnels that work? DPD is for quickly diverting continuous use high priority traffic down an alternate tunnel when the main tunnel goes down. DPD is not for coaxing functional tunnels from a defective IPSec implementation.
#3 I' d upgrade to MR7_recent patch. (patch2 looks rather old)I have many Fortigate routers with FortiOS versions spanning several years including some very new ones. The behavior is identical. If Fortinet thought there was a problem it would have been fixed by now so they must think it' s not a problem.
So why are these not acceptable solutions?All tunnels failed regularly when I copied the settings over from the Pix. I reviewed documentation and obtained correct keylife from peer admin and this improved many tunnels. I studied the debug logs recorded over several days and discovered that the keylife that they see is not always correct. A tunnel with a Netscreen was supposed to have a 3600 second phase 2 but I noticed in the logs that it was expiring every 3300 seconds. Odd corrections like these made more tunnels reliable. Then I discovered the auto connect options and almost all tunnels were completely reliable. No matter how well I correct the mismatches and how many options I turn on a few tunnels still fail. More options only made them fail less often. With all the options turned on the tunnels fail no less than once per week. Some days I get many calls. The Pix had rock solid tunnels with outrageous keylife mismatches and no special settings. The Fortigate does not even when the keylife is carefully tuned and the settings are maxed out.
Also, what does your debug vpn shows? When the connection is down?The router reboots without notifying the other router that the tunnels are going down. The non rebooted router has an active phase 1 and phase 2. When the rebooted router recovers the non rebooted router continues to send traffic through the orphaned phase 2 SA for the remainder of its life. I can bring down the phase 2 but it won' t come back up. The non rebooted sends phase 2 initiations through the orphaned phase 1 for the remainder of its life. diagnose vpn tunnel flush brings down all phase 2 but does not bring down phase 1. Since Fortinet doesn' t give us observation and control of phase 1 I must edit the phase 1 to destroy all of phase 1 and phase 2 SA. Then the tunnels will come up on request.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,682 -
FortiClient
1,756 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
470 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
243 -
FortiAuthenticator v5.5
234 -
IPsec
207 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1707 | |
| 1093 | |
| 752 | |
| 446 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.