Strange IPSec behavior with Watchguard
Hello guys,
this is my first time working with a Fortigate appliance. I’ve a cluster of two F201, with two IPSec tunnels, one with Azure Cloud, and one with an external customer with a WatchGuard firewall. The Azure tunnel has no issue (strange :grinning_face_with_sweat:), while the other one has a very particular behavior. Both of them are IKEv2 with AES256/SHA256.
If I start a ping from the local to the remote side using that tunnel, there is a high packet loss, but after about 40s of pinging the tunnel becomes stable, until it goes back to idle, and then again another 40s and so on. It’s not phase 2 flapping, because from the diag the SA is up for hours. What am I missing?
Any help is really appreciated
thanks!
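An added example, not part of the thread: a small Python script that quantifies the symptom described in the post from `ping -D` output (Linux iputils prints a Unix timestamp in brackets before each reply; missing `icmp_seq` values are lost echoes). It reports how many seconds of pinging passed before the first uninterrupted run of replies, and how much loss occurred before and after that point. Running it on a capture before and after a configuration change (for example the WatchGuard side being switched to route-based) gives a number to compare rather than an impression. The ping lines below are constructed to mimic the ~40s warm-up described in the post; the host 10.20.0.5 and the timing are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One `ping -D` reply line, e.g.
# [1700000000.000000] 64 bytes from 10.20.0.5: icmp_seq=3 ttl=62 time=20.3 ms
PING_LINE = re.compile(
    r"^\[(?P<ts>\d+\.\d+)\] \d+ bytes from \S+: "
    r"icmp_seq=(?P<seq>\d+) ttl=\d+ time=(?P<rtt>[\d.]+) ms"
)


def constructed_sample() -> str:
    """Constructed (not captured) ping -D output: only a handful of echoes
    are answered during the first 40 s, then every echo from seq 41 to 60
    gets a reply. One echo per second, seq starting at 1."""
    answered = [3, 9, 17, 25, 33] + list(range(41, 61))
    base = 1700000000.0
    lines = [
        f"[{base + seq - 1:.6f}] 64 bytes from 10.20.0.5: "
        f"icmp_seq={seq} ttl=62 time={20.0 + (seq % 5) / 10:.1f} ms"
        for seq in answered
    ]
    return "\n".join(lines) + "\n"


def parse_ping(text: str) -> List[Tuple[float, int, float]]:
    """Return (timestamp, icmp_seq, rtt_ms) for every reply line; other
    lines (statistics footer, 'Request timeout', etc.) are ignored."""
    replies = []
    for line in text.splitlines():
        m = PING_LINE.match(line.strip())
        if m:
            replies.append((float(m["ts"]), int(m["seq"]), float(m["rtt"])))
    return replies


@dataclass
class PingSummary:
    sent: int                       # highest seq seen (ping numbers from 1)
    received: int
    warmup_seconds: Optional[float]  # pinging time before the stable run began
    lost_before_stable: int
    lost_after_stable: int


def summarize(replies, interval: float = 1.0, stable_run: int = 10) -> PingSummary:
    """Find the first run of `stable_run` consecutive answered seqs and
    split the loss into 'before stable' and 'after stable'."""
    seqs = sorted({seq for _, seq, _ in replies})
    if not seqs:
        return PingSummary(0, 0, None, 0, 0)
    sent, received = seqs[-1], len(seqs)

    stable_seq = None
    for i in range(len(seqs) - stable_run + 1):
        # seqs are unique and sorted, so this span is consecutive iff the
        # difference between its ends equals stable_run - 1
        if seqs[i + stable_run - 1] - seqs[i] == stable_run - 1:
            stable_seq = seqs[i]
            break
    if stable_seq is None:
        return PingSummary(sent, received, None, sent - received, 0)

    before_sent = stable_seq - 1
    before_recv = sum(1 for s in seqs if s < stable_seq)
    return PingSummary(
        sent=sent,
        received=received,
        warmup_seconds=before_sent * interval,
        lost_before_stable=before_sent - before_recv,
        lost_after_stable=(sent - before_sent) - (received - before_recv),
    )


def analyze(text: str, interval: float = 1.0, stable_run: int = 10) -> PingSummary:
    return summarize(parse_ping(text), interval, stable_run)


if __name__ == "__main__":
    print(analyze(constructed_sample()))
```

Feed it real output with `ping -D <remote> | tee ping.log` and `analyze(open("ping.log").read())`; if the warm-up is consistently about the same length after each idle period, that figure (and the before/after loss split) is what to correlate against IKE/IPsec debug timestamps and against any idle or SA-install timers on the peer.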
Your IPSec tunnel to the external WatchGuard firewall is experiencing initial packet loss followed by stabilization, while the Azure tunnel works fine. This could be due to issues like NAT or firewall misconfigurations, MTU or MSS clamping problems causing fragmentation, or route lookup delays on the WatchGuard side. Although Phase 2 is stable, re-keying or intermittent route delays might cause the initial packet loss. I recommend checking the NAT-T settings, verifying the MTU/MSS configuration, reviewing the routing and firewall settings, and analyzing the logs for any issues during the tunnel setup phase.
There is no NAT, both firewalls are using public IPs. Also MTU/MSS sounds strange because we are talking about small packets (64-byte ping).
Any suggestion on which debug that I can run on the Fortigate?
Thanks!
Hi Stich
Did you try disabling ASIC offload for IPsec?
config vpn ipsec phase1-interface
    edit phase-1-name
        set npu-offload disable
    next
end
config system global
    set ipsec-asic-offload disable
end
Yes, I've tried it, but same behaviour.
Just an update.. after changing the tunnel on the WatchGuard side from “domain” to “route” based (but on my side still “domain”), the strange behavior has disappeared…
the TAC is still asking for useless logs.. support is very weird :(
Hi @stich86 ,
Not sure what the "domain" tunnel form is.
On FortiGate, we have mainly two types: Policy Based, or Route Based (AKA Interface Based) IPSec VPN tunnel.
Jerry
Sorry, coming from other firewall vendors, domain = policy :)
