Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
stich86
New Contributor II

Created on ‎01-16-2025 01:42 PM

Strange IPSec behavior with Watchguard

Hello guys,

 

this is my first time working with Fortigate appliance. I’ve a cluster of two F201, with two IPSec tunnel, one with Azure Cloud, and one with an external customer with a WatchGuard firewall. Azure tunnel has no issue (strange :grinning_face_with_sweat:), while the other one has a very particulate behavior. Both of them in IKEv2 with AES256/SHA256.

 

If I start a ping from local to remote side using that tunnel, there is an high packet loss, but after about 40s of pinging the tunnel become stable, until it goes back to idle, and again another 40s and so one. It’s not a phase 2 flapping, because from the diag the SA is up for hours. What I’m missing?


Any help is really appreciated 

 

thanks!

Labels:
353
0 Kudos
7 REPLIES 7
pathofbuilding
New Contributor II

Created on ‎01-16-2025 11:13 PM

your IPSec tunnel to the external WatchGuard firewall is experiencing initial packet loss followed by stabilization, while the Azure tunnel works fine. This could be due to issues like NAT or firewall misconfigurations, MTU or MSS clamping problems causing fragmentation, or route lookup delays on the WatchGuard side. Although Phase 2 is stable, re-keying or intermittent route delays might cause the initial packet loss. I recommend checking the NAT-T settings, verifying MTU/MSS configurations, reviewing the routing and firewall settings, and analyzing the logs for any issues during the tunnel setup phase.

312
0 Kudos
stich86
New Contributor II
In response to pathofbuilding

Created on ‎01-17-2025 12:09 AM

there is no NAT, both firewalls are using public IP. Also MTU\MSS sounds strange because we are talking about smaller packet (64 byte ping).

 

Any suggestion on which debug that I can run on the Fortigate?

 

Thanks!

305
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎01-17-2025 12:13 AM

Hi Stich

Did you try disable ASIC offload for IPsec?

 

config vpn ipsec phase1-interface
  edit phase-1-name
    set npu-offload disable
  end
end

config system global
  set ipsec-asic-offload disable
end

 

AEK
AEK
302
0 Kudos
stich86
New Contributor II
In response to AEK

Created on ‎01-17-2025 12:14 AM

Yes, I've tried but same behaviour

300
0 Kudos
stich86
New Contributor II

Created on ‎01-23-2025 02:38 PM

Just an update.. after change on WireGuard side the tunnel form “domain” to “route” based (but in my side still “domain”), the strange behavior has disappeared…

 

the TAC is still asking useless log.. support is very weird :(

244
dingjerry_FTNT
Staff
Staff
In response to stich86

Created on ‎01-23-2025 03:24 PM

Hi @stich86 ,

 

Not sure what is the "domain" tunnel form.

 

On FortiGate, we have mainly two types:  Policy Based, or Route Based (AKA Interface Based) IPSec VPN tunnel.

Regards,

Jerry
240
0 Kudos
stich86
New Contributor II
In response to dingjerry_FTNT

Created on ‎01-23-2025 03:27 PM

Sorry coming from other firewall vendors, domain = policy :)

236
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.