Hello,
Trying to understand what happened and how to prevent it in the future:
- Running FortiGate-VM in an Azure VM.
- This FG has a custom site-to-site IPSec tunnel to on-prem. This effectively connects the virtual data centre to the on-premises data centre. Tunnel is initiated from Azure.
- Suddenly, the tunnel no longer works. Phase 2 will not go up.
- The first sign of trouble is this:
- A couple of minutes after this, alerts start going off that connectivity has been lost.
- After some trouble shooting, pinging, checking routes, connectivity, rebooting, firmware upgrade, etc. it is determined that Phase 2 simply won't go up. There are timeouts and retries, but no other obvious cause. Config has not changed anywhere, everything else seems to work just fine, it's just this phase 2 that won't work.
- I decide to recreate the tunnel on the originating side, on the FG-VM. Same exact parameters as the previous one, I literally copy / paste everything.
- Voila, tunnel immediately works again.
So:
- It was not a config change issue.
- It was not an actual connectivity issue.
It appears as if that live migration of the VM broke something. My best bet is that there's some persisted entropy, encryption key, salt, or something like that, tied to the hardware or the environment. When the live migration occurred, something stopped working because the environment changed. On physical platforms, coding something that for example uses the MAC key as a "salt" isn't a big deal, as it would never change. But on a VM, it's a problem.
1) Am I right? Or not? Could there be some other explanation as to why a tunnel needs to be re-created? If so what might be the reasons?
2) If I am right, it's now a bug, as this should not happen! VM's can move in all sorts of ways, regardless of the hosting platform (Azure, VSphere, etc.). Can't have a tunnel completely stop working and need to be recreated when a basic virtualization operation occurs.
Any insight would be much appreciated ...
Thanks,
J.F.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello J.F,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello J-F,
I have found this big guide:
You have some topics concerning migration.
Could you please tell me if it helps?
If not, I will continue to find a solution.
Regards,
I had looked at that ... the word "migration" does not feature anywhere in the document, that I could find (i.e. CTRL-F "migration" yields nothing), doing a search for the word on the web version of that doc yielded nothing either. I did the same in a few other documents without any luck.
Can you clarify what topics you saw that cover Live VM Migration?
Thanks,
J.F.
Hello J-F,
In page 13:
It says migrating.
That's migrating between licence types, completely unrelated to Live VM Migration.
I'll try and open a ticket.
Thanks,
J.F.
Thank you J-F and I hope you will have an answer for your questions.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1561 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.