Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CRE
New Contributor

VPN Phase 2 reconnection issue

Hello Everyone,

I have a strange behavior with 3 of my VPN Tunnels. The Tunnels itself are working fine when the Phase 2 connection is up. Problem I am facing the Phase 2 can only be activated/keept alive from my site. After about 10 minutes without traffic the Phase 2 is disconnected and the Branch is not able to reestablish a Phase 2 connection with my Fortigate. My workaround for the moment is to Ping the Branch every 5 Minutes to keep the Tunnel alive.

I have configured an incoming NAT for the Subnet on my Site and used IP Pools for outgoing traffic to the VPN Tunnel to mask my internal IP addresses.

I have done some Traces and debugging on the VPN but when the Phase2 is disconnected I don't see any incoming traffic from the Branch even if they try to ping my internal Servers, so I don't think it is related to the NAT I do on my site. But I have several other VPNs without NAT and they work fine.

 

We also Enabled Autokey Keep Alive and Auto-negotiate on botch ends. The Firewall in the Branches are Checkpoint and Sonicwall.

Could be a similar Problem to this unsolved issue https://forum.fortinet.com/tm.aspx?m=118085 But none of us is located or connected to AWS

3 REPLIES 3
Iescudero
Contributor II

Hi there CRE!

In phase1 you had Keepalive also? and Dead Peer Detection?

And in phase2, you had (PFS) and replay detection?

 

If the issue still ocurrs, you can set  an Ip address to each tunnel, and configure a link monitor feature, so always have a traffic between sites.

 

emnoc
Esteemed Contributor III

before we go that far do you have auto-negotiate enabled on the phase2? Also are thee policy or route-based vpn?

 

 

e.g

 

 

config vpn ipsec phase2-interface

   edit <FGT2CHKP >

          set auto-negotiate enable

    end

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
CRE
New Contributor

Hi

thanks for your reply. Yes auto negotiate is enabled and it is a Policy based VPN.

In Phase 1 I have DPD and Keep Alive Enabled. In Phase 2 PFS and replay dedection is enabled. 

Phase 1 is in State Up all the time. and I can see in the diag debug that phase 1 is kept alive. 

 

The Workaround with Ping Monitor is already in place but in a few months one doesn't remember why this was build.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors