OptimalPyme
New Contributor

VPN Site 2 Site secondary tunnel fails

Hi to everyone,

I have this problem on a FortiGate 60F with firmware 6.4.6.

I have a server hosted in Microsoft Azure with which I communicate through an IPsec tunnel configured on the FortiGate following the instructions in this cookbook.

As a contingency, I have a second tunnel configured through the WAN interface of the secondary internet line we have in the office, to communicate with my server in case of failure or downtime of the main line. This second tunnel follows the same configuration as the first one.

The problem I am having is that, when I set up the first tunnel, it handles traffic and works on my server perfectly. When I raise the second tunnel, after a few seconds I see that the tunnels are still UP in the Forti but suddenly the connection of the first tunnel stops responding (no ping answers and I lose the navigation on the shared folders of the server).

I am totally lost and I come to you a bit desperate, could someone help me with this issue?

Thank you in advance.

OptimalPyme
New Contributor

Sorry,

This is the cookbook I mentioned in my previous post.

Debbie_FTNT

Hey OptimalPyme,

It does sound a bit like what Graham described, that the second tunnel is interfering with the first. There are configuration options for a dedicated backup VPN tunnel (via CLI only though): you can set a 'monitor' setting in the secondary VPN's phase1, meaning it monitors the primary VPN, and if that goes down, it takes over.
Here's a cookbook outlining the backup VPN option:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/432685/manual-redundant-vpn-configurati...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
gfleming
Staff

Do you have connectivity when only the second tunnel is up? Sounds like maybe the second tunnel is not configured properly and when it comes up it assumes priority and traffic doesn't pass.

Cheers,
Graham
OptimalPyme

Hi,

I don't have connectivity when only the second tunnel is up. I had taken your theory into consideration but the configuration is exactly the same as the first tunnel, so I don't understand where the error could be.

gfleming

Where are you terminating the VPN tunnel in Azure? Is it directly on the server/host or on some Azure gateway?

Cheers,
Graham
ConnyGustavsson
New Contributor III

I believe you cannot use that "simple" design with termination directly on the Azure VPN. The FortiGate removes routes for down tunnels and can then send traffic through the tunnel that is still up. The "monitor" command in the VPN is used to keep the second tunnel down until it's needed. But Azure has no such simple method; it needs BGP to find the working way back to the customer site. A solution is to deploy a FortiGate VM in Azure; then it will work as you expect.
Some reading:
https://learn.microsoft.com/sv-se/azure/vpn-gateway/vpn-gateway-highlyavailable

cogus
OptimalPyme
New Contributor

Thank you for the replies.

I have a scenario like the first point in the Microsoft article ConnyGustavsson refers to, an S2S VPN against a gateway in Azure.

I have to say that in other companies I have the same scenario and both tunnels work perfectly at all times, this is the only case.

gfleming

You have to figure out why the second tunnel is not working. It could be a number of things from routing, to phase2 config, to firewall policies, etc etc.

When you disable tunnel 1 and have tunnel 2 only, what troubleshooting steps have you done to figure out where the problem lies?

Cheers,
Graham
OptimalPyme

This is my problem: I don't know exactly what steps to take to correct the problem, considering that I have followed the same configuration as in the tunnel that works...
