Hello,
I am hoping someone can assist with an ongoing issue we seem to be having.
We have a file server that we use a site-to-site VPN to access remotely; there are 7 remote locations that use the VPN tunnels. A few weeks ago, out of the blue, the Fortigate on the file server seemed to drop all the tunnels. We went in and brought them all back up, but since then, 2 of the sites keep dropping. When we look at the tunnels on each Fortigate they both show as up, but the end users cannot access the shared drives through the VPN. To resolve this, we go onto the file server Fortigate and bring down the tunnel, then bring it back up, run a gpupdate on the PC and it restores, but it seems to happen every couple of days. Looking at the logs, this is the client side:
| Date/Time | Action | Level | Message | Status | VPN Tunnel |
|---|---|---|---|---|---|
| 2024/03/01 11:03:20 | negotiate | Notice | progress IPsec phase 2 | success | RaneHQ |
| 2024/03/01 11:03:20 | negotiate | Notice | progress IPsec phase 2 | success | RaneHQ |
| 2024/03/01 11:03:20 | tunnel-up | Notice | IPsec connection status change | | RaneHQ |
| 2024/03/01 11:03:20 | phase2-up | Notice | IPsec phase 2 status change | | RaneHQ |
| 2024/03/01 11:03:20 | install_sa | Notice | install IPsec SA | | RaneHQ |
| 2024/03/01 11:03:25 | negotiate | Notice | negotiate IPsec phase 2 | success | RaneHQ |
| 2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 2 | success | RaneHQ |
| 2024/03/01 11:03:25 | tunnel-up | Notice | IPsec connection status change | | RaneHQ |
| 2024/03/01 11:03:25 | phase2-up | Notice | IPsec phase 2 status change | | RaneHQ |
| 2024/03/01 11:03:25 | install_sa | Notice | install IPsec SA | | RaneHQ |
| 2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 2 | success | RaneHQ |
| 2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| 2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| 2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| 2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| 2024/03/01 11:03:25 | error | Error | IPsec ESP | esp_error | N/A |
| 2024/03/01 11:03:25 | delete_phase1_sa | Notice | delete IPsec phase 1 SA | | RaneHQ |
| 2024/03/01 11:03:25 | phase2-down | Notice | IPsec phase 2 status change | | RaneHQ |
| 2024/03/01 11:03:25 | tunnel-down | Notice | IPsec connection status change | | RaneHQ |
| 2024/03/01 11:03:40 | tunnel-stats | Notice | IPsec tunnel statistics | | RaneHQ |
| 2024/03/01 11:12:11 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| 2024/03/01 11:12:11 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| 2024/03/01 11:12:11 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| 2024/03/01 11:12:11 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ |
| | tunnel-stats | Notice | IPsec tunnel statistics | | RaneHQ |
The logs at the file server have a few of these:

| Date/Time | Action | Level | Message | Status | VPN Tunnel |
|---|---|---|---|---|---|
| 2024/03/01 08:16:06 | tunnel-stats | Notice | IPsec tunnel statistics | | Lockwood |
| 2024/03/01 08:06:05 | tunnel-stats | Notice | IPsec tunnel statistics | | Lockwood |
| 2024/03/01 07:56:05 | negotiate | Notice | progress IPsec phase 2 | success | Lockwood |
| 2024/03/01 07:53:13 | install_sa | Notice | install IPsec SA | | Lockwood |
| 2024/03/01 07:53:13 | phase2-up | Notice | IPsec phase 2 status change | | Lockwood |
| 2024/03/01 07:53:13 | tunnel-up | Notice | IPsec connection status change | | Lockwood |
| 2024/03/01 07:53:13 | negotiate | Notice | progress IPsec phase 2 | success | Lockwood |
| 2024/03/01 07:53:13 | negotiate | Notice | negotiate IPsec phase 2 | success | Lockwood |
| 2024/03/01 07:53:12 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood |
| 2024/03/01 07:53:12 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood |
| 2024/03/01 07:53:12 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood |
| 2024/03/01 07:53:12 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood |
| 2024/03/01 07:53:11 | tunnel-down | Notice | IPsec connection status change | | Lockwood |
| 2024/03/01 07:53:11 | phase2-down | Notice | IPsec phase 2 status change | | Lockwood |
Any guidance as to where to look for failure would be appreciated.
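The client-side excerpt above shows the RaneHQ tunnel coming up and going down again within five seconds, with a phase 1 renegotiation and an esp_error logged in between. The script below is an added example, not from the post or from Fortinet: it walks a VPN Events export in that column layout and flags tunnels that went down shortly after coming up, so the flap cycle stands out from the periodic tunnel-stats noise. The records it runs on are constructed for the example (they mirror the excerpt), and the 60-second threshold is a chosen assumption.

```python
"""Flag short-lived IPsec tunnels in a FortiGate VPN Events export."""
from datetime import datetime
TS_FORMAT = "%Y/%m/%d %H:%M:%S"

# Constructed sample (Date/Time, Action, Level, Message, Status, VPN Tunnel),
# modelled on the RaneHQ excerpt in the post; not a real export.
SAMPLE_EVENTS = [
    ("2024/03/01 07:53:13", "tunnel-up", "Notice", "IPsec connection status change", "", "Lockwood"),
    ("2024/03/01 11:03:20", "tunnel-up", "Notice", "IPsec connection status change", "", "RaneHQ"),
    ("2024/03/01 11:03:25", "tunnel-up", "Notice", "IPsec connection status change", "", "RaneHQ"),
    ("2024/03/01 11:03:25", "negotiate", "Notice", "progress IPsec phase 1", "success", "RaneHQ"),
    ("2024/03/01 11:03:25", "error", "Error", "IPsec ESP", "esp_error", "N/A"),
    ("2024/03/01 11:03:25", "delete_phase1_sa", "Notice", "delete IPsec phase 1 SA", "", "RaneHQ"),
    ("2024/03/01 11:03:25", "tunnel-down", "Notice", "IPsec connection status change", "", "RaneHQ"),
    ("2024/03/01 11:12:11", "tunnel-up", "Notice", "IPsec connection status change", "", "RaneHQ"),
    ("2024/03/01 15:53:13", "tunnel-down", "Notice", "IPsec connection status change", "", "Lockwood"),
]

def find_flaps(events, max_lifetime_s=60):
    """Return one dict per tunnel that went down within max_lifetime_s (a chosen
    threshold) of coming up, with the esp_error and phase 1 messages logged in
    that window. Sorting is stable, so same-second records keep log order."""
    ordered = sorted(events, key=lambda e: datetime.strptime(e[0], TS_FORMAT))
    first_up = {}    # tunnel -> time of the first tunnel-up since its last tunnel-down
    phase1 = {}      # tunnel -> phase 1 progress messages seen while it was up
    esp_errors = []  # esp_error timestamps; FortiGate logs these with tunnel "N/A"
    flaps = []
    for ts_s, action, _level, message, status, tunnel in ordered:
        ts = datetime.strptime(ts_s, TS_FORMAT)
        if action == "tunnel-up":
            if tunnel not in first_up:  # a second tunnel-up (extra phase 2 SA) keeps the original clock
                first_up[tunnel], phase1[tunnel] = ts, 0
        elif action == "error" and status == "esp_error":
            esp_errors.append(ts)
        elif action == "negotiate" and "phase 1" in message and tunnel in first_up:
            phase1[tunnel] += 1
        elif action == "tunnel-down" and tunnel in first_up:
            up, p1_msgs = first_up.pop(tunnel), phase1.pop(tunnel, 0)
            lifetime = (ts - up).total_seconds()
            if lifetime <= max_lifetime_s:
                flaps.append({
                    "tunnel": tunnel, "up": up.strftime(TS_FORMAT), "down": ts_s,
                    "lifetime_s": lifetime, "phase1_msgs_while_up": p1_msgs,
                    # esp_error names no tunnel, so count any error inside the window
                    "esp_errors": sum(1 for e in esp_errors if up <= e <= ts),
                })
    return flaps

if __name__ == "__main__":
    print(*find_flaps(SAMPLE_EVENTS), sep="\n")
```

A flap whose window holds both a phase 1 renegotiation and an esp_error, as here, is the place to pull the full raw log records from both FortiGates for the same seconds and compare what each side believed about the SA.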
Hi @Niacom,
What is the firmware version of FortiGate? Do you see any errors in VPN Events logs when the issue is occurring? When it is not working, you can collect debug flow as per this article https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Regards,
Hi @Niacom,
Please make sure Auto-Negotiation and Keep Alive are enabled on phase 2 on both sides.
Regards
Rajan
Did you find a solution to this?
I have this scenario with a number of 60F units on 7.4.3.
All my VPNs have keep-alive and auto-negotiation ON.