Hello guys,
this is my first time working with a FortiGate appliance. I have a cluster of two F201 with two IPsec tunnels, one with Azure Cloud and one with an external customer with a WatchGuard firewall. The Azure tunnel has no issue (strange :grinning_face_with_sweat:), while the other one has a very peculiar behavior. Both of them are in IKEv2 with AES256/SHA256.
If I start a ping from the local to the remote side using that tunnel, there is high packet loss, but after about 40s of pinging the tunnel becomes stable, until it goes back to idle, and then again another 40s, and so on. It's not phase 2 flapping, because from the diag the SA is up for hours. What am I missing?
Any help is really appreciated
thanks!
Your IPsec tunnel to the external WatchGuard firewall is experiencing initial packet loss followed by stabilization, while the Azure tunnel works fine. This could be due to issues like NAT or firewall misconfigurations, MTU or MSS clamping problems causing fragmentation, or route lookup delays on the WatchGuard side. Although Phase 2 is stable, re-keying or intermittent route delays might cause the initial packet loss. I recommend checking the NAT-T settings, verifying MTU/MSS configurations, reviewing the routing and firewall settings, and analyzing the logs for any issues during the tunnel setup phase.
There is no NAT; both firewalls are using public IPs. Also MTU/MSS sounds strange because we are talking about small packets (64-byte ping).
Any suggestion on which debug I can run on the FortiGate?
Thanks!
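As an added note that is not from any participant in this thread: a FortiGate CLI sequence for narrowing down where the first packets are lost. It assumes the phase1 name `phase-1-name` and the placeholder peer/remote addresses below; the `diagnose vpn ike log filter` syntax is the FortiOS 7.4+ form (older releases use `diagnose vpn ike log-filter`).

```fortios
# 1. Confirm the SA state and counters (look for rising "dec" / "enc" errors or a SA missing its selectors)
diagnose vpn ike gateway list name phase-1-name
diagnose vpn tunnel list name phase-1-name

# 2. IKE debug limited to this peer, to see whether a child SA is renegotiated each time traffic resumes
diagnose vpn ike log filter rem-addr4 203.0.113.1      # placeholder: WatchGuard public IP
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# ... start the ping from the LAN host, watch ~60s of output, then stop:
diagnose debug disable
diagnose debug reset

# 3. Packet-level view: is ESP leaving and returning while the pings time out?
diagnose sniffer packet any "host 203.0.113.1 and (esp or udp port 500 or udp port 4500)" 4 0 l

# 4. Per-packet forwarding trace for the ICMP flow itself (policy, route and tunnel chosen)
diagnose debug flow filter addr 192.0.2.10               # placeholder: remote host being pinged
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... send a few pings, then:
diagnose debug disable
diagnose debug reset
```

If step 2 shows a new CHILD_SA being negotiated every time the ping stream resumes, the two sides disagree on traffic selectors (typical with a policy-based peer against an interface-based peer); if the ESP leaves but no reply ESP returns during the lossy window, the problem is on the remote side.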
Hi Stich
Did you try disabling ASIC offload for IPsec?
config vpn ipsec phase1-interface
    edit phase-1-name
        set npu-offload disable
    next
end
config system global
    set ipsec-asic-offload disable
end
Yes, I've tried, but same behaviour.
Just an update.. after changing on the WireGuard side the tunnel from “domain” to “route” based (but on my side it is still “domain”), the strange behavior has disappeared…
the TAC is still asking for useless logs.. support is very weird :(
Hi @stich86 ,
Not sure what the "domain" tunnel form is.
On FortiGate, we mainly have two types: Policy Based or Route Based (AKA Interface Based) IPsec VPN tunnel.
Sorry, coming from other firewall vendors, domain = policy :)