Hi to everyone,
I have this problem on a FortiGate 60F with firmware 6.4.6.
I have a server hosted in Microsoft Azure with which I communicate through an IPSec tunnel configured in the Fortigate following the instructions in this cookbook.
As a contingency, I have a second tunnel configured through the WAN interface of the secondary internet line we have in the office, to communicate with my server in case of failure or downtime of the main line. This second tunnel follows the same configuration as the first one.
The problem I am having is that, when I set up the first tunnel, it handles traffic and works on my server perfectly. When I raise the second tunnel, after a few seconds I see that the tunnels are still UP in the Forti but suddenly the connection of the first tunnel stops responding (no ping answers and I lose the navigation on the shared folders of the server).
I am totally lost and I come to you a bit desperate, could someone help me with this issue?
Thank you in advance.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey OptimalPyme,
it does sound a bit as Graham described, that the second tunnel is interfering with the first. There are configuration options for a dedicated backup VPN tunnel (via CLI only though) - you can set a 'monitor' setting in the secondary VPN's phase1, meaning it monitors the primary VPN, and if that goes down, then it takes over.
Here's a cookbook outlining the backup VPN option:
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/432685/manual-redundant-vpn-configurati...
Do you have connectivity when only the second tunnel is up? Sounds like maybe the second tunnel is not configured properly and when it comes up it assumes priority and traffic doesn't pass.
Hi,
I don't have connectivity when only the second tunnel is up. I had taken your theory into consideration but the configuration is exactly the same as the first tunnel, so I don't understand where the error could be.
Where are you terminating the VPN tunnel in Azure? Is it directly on the server/host or on some Azure gateway?
I beleive you cannot use that "simple" design with termination directly to Azure VPN. The Fortigate removes routes for down tunnels and can then send traffic the tunnel that is still up. The command "monitor" in VPN is used to keep second tunnel down until its needed. But Azure have no such simple method; it needs BGP to find the working way back to the customer site. A solution is to deploy a Fortigate VM in Azure, then it will work as you expect.
Some reading:
https://learn.microsoft.com/sv-se/azure/vpn-gateway/vpn-gateway-highlyavailable
Thank you for the replies.
I have a scenario like the first point in the Microsoft article ConnyGustavsson refers to, a S2S VPN against a Gateway in Azure.
I have to say that in other companies I have the same scenario and both tunnels work perfectly at all times, this is the only case.
You have to figure out why the second tunnel is not working. It could be a number of things from routing, to phase2 config, to firewall policies, etc etc.
When you disable tunnel 1 and have tunnel 2 only, what troubleshooting steps have you done to figure out where to problem lies?
This is my problem, I don't know exactly what steps to take to correct the problem, considering that I have followed the same configuration as in the tunnel that works...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.