Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bledian
New Contributor

Created on ‎07-08-2024 08:57 AM

VPN Site-to-Site between FGT and Cisco FTD

Hi community,

 

We have configured site-to-site VPN between FTD and FGT, the VPN is up and works but suddenly after few days traffic stops from one side even tho VPN is still up,  as show0n in the screenshot

The only way to fix is to delete all the configuration from FGT and FTD and reconfigure again.

I would appreciate any kind of help to fix this.

I tried to upgrade FTD and FGT but no the problem  is the same.

 
 

site-to-site issue.png

Labels:
326
0 Kudos
2 REPLIES 2
hbac
Staff
Staff

Created on ‎07-08-2024 09:08 AM

Hi @bledian,

 

You can try disabling npu-offload and see if it helps. https://docs.fortinet.com/document/fortigate/7.4.4/hardware-acceleration/636026/disabling-np-offload...

 

Regards, 

319
0 Kudos
pdelapena
Staff
Staff

Created on ‎07-09-2024 07:22 PM

Hi @bledian ,

Instead of recreating the tunnels, have you tried just flushing them in FortiGate side?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-flush-a-VPN-tunnel/ta-p/196631

Try to check if there are differences in the key lifetime for both phase1 and phase2.

While the issue is happening, it is best to do some debugs to understand more what is happening.
CLI session 1 :
diag vpn ike log-filter dst-addr4 x.x.x.x ------------where x.x.x.x is the remote gatewayIP
diag debug app ike -1
diag debug enable

Then open new CLI sessions with sniffer and debug flow commands and do test simulation by pinging from source to destination.
CLI session 2 :
diag sniff packet any 'host <source IP> and host <destination IP> and icmp' 4 0 l

CLI session 3 :
diag debug flow filter saddr <source IP>
diag debug flow filter daddr <dest IP>
diag debug flow filter proto 1
diag debug enable
diag debug flow trace start 100

Regards,

Best regards,
Pau
240
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.