
Tunnel won't go UP after Cluster Testing


Are you ready for my first post in this forum?


So I want to connect a small office to our headquarters with a VPN IPsec tunnel. In the small office we have two separate ISP connections, where we have a FortiGate 30E active-passive cluster.


FortiGate #1 WAN -> ISP-Router #1 LAN4

FortiGate #1 LAN4 -> ISP-Router #2 LAN3

FortiGate #2 WAN -> ISP-Router #1 LAN4

FortiGate #2 LAN4 -> ISP-Router #2 LAN3


So I have set up two VPN connections (VPN#1 and VPN#2, one connection for each ISP router). The second connection (VPN#2) is defined as a backup line with "set monitor VPN#1".


So I have done some redundancy tests.


1. Shut down the first ISP router. After five lost pings, I had a new connection through the second tunnel.


2. With the first ISP router down, I shut down the active FortiGate. Now the second tunnel can't come up! I can ping the interface of the second router and I can ping any address on the internet as well. But no VPN connection will start.


Powering on the first ISP router brings the first tunnel up.


Can anybody help me with this?


Best Regards




A couple of things to ask to understand your set up:

How are you connecting the two units to each other for heartbeat? lan3-lan3?

How are the internal devices like PCs connected to those two 30Es? Via a switch to each lan1?

When FG#1 was shut down, did you see that the default route on FG#2 was pointing to WAN? Is it a static default route?


The heartbeat is connected directly lan2-lan2 and via a switch lan1-lan1. Priority is lan1 0 and lan2 64.


The internal devices connect via a switch through lan1.


Two default routes are now set, to WAN and WAN2 (lan4). Distance and priority are the same on both routes. And these are static routes.


After shutting down FortiGate #1, the only default route is on lan4 to the second ISP router.


If the routing table on FG#2 looks normal when FG#1 is shut down, you probably need to do a combination of sniffing (diag sniffer packet) and then flow debug (a search engine can find you a bunch of examples and KB articles) to see where those packets from local devices toward the opposite side of the tunnel are trying to go and why they are not hitting the tunnel interface to bring it up.

I don't know whether the FG30E has an ASIC to offload to, but I'm almost sure the policy config takes "set auto-asic-offload disable". Just disable it on both incoming and outgoing policies to make sure sniffing can see all packets.

By the way, I was assuming both units were in sync when FG#1 was up (get sys ha status), right?
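The diagnostic sequence described in the answer above, written out as an added FortiOS CLI example (not from this thread or from Fortinet documentation). The policy IDs 5 and 6, the local PC 192.168.1.50, and the HQ subnet 10.10.0.0/24 with host 10.10.0.10 are assumptions; substitute your own.

```fortios
# Added example, not from the thread. Assumed values: outbound policy 5,
# inbound policy 6, local PC 192.168.1.50, HQ subnet 10.10.0.0/24, HQ host 10.10.0.10.

# 1. Confirm the cluster was in sync before the failover test
get system ha status

# 2. On the surviving unit, check which default route remains (expect lan4 -> ISP #2)
get router info routing-table all

# 3. Disable hardware offload on the policies in both directions so the sniffer
#    and flow trace see every packet (set it back to enable when finished)
config firewall policy
    edit 5
        set auto-asic-offload disable
    next
    edit 6
        set auto-asic-offload disable
    next
end

# 4. Sniff traffic from the local PC toward the HQ subnet; verbosity 4 prints the
#    interface each packet arrives on and leaves by, limited to 20 packets
diagnose sniffer packet any 'host 192.168.1.50 and net 10.10.0.0/24' 4 20

# 5. Flow trace the same traffic to see the route and policy decision and whether
#    the packet is handed to the backup tunnel interface (VPN#2)
diagnose debug flow filter saddr 192.168.1.50
diagnose debug flow filter daddr 10.10.0.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 50
diagnose debug enable
# ... generate a few pings from the PC to 10.10.0.10, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# 6. Check whether an IKE negotiation was even attempted for the backup phase1
diagnose vpn ike gateway list
```

If the flow trace shows the packets leaving via WAN2/lan4 instead of the tunnel interface, the problem is in routing or policy; if they reach the tunnel but step 6 shows no gateway, the problem is in the IKE exchange toward the remote peer.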


Problem solved! It wasn't any problem with the FortiGate.


The ISP router had some problem with its switch. After replacing them with other routers, everything is working fine.


Thank you Toshi for your help.
