VPN Site-to-Site between FGT and Cisco FTD

bledian · ‎07-08-2024

Hi community,

We have configured site-to-site VPN between FTD and FGT, the VPN is up and works but suddenly after few days traffic stops from one side even tho VPN is still up, as show0n in the screenshot

The only way to fix is to delete all the configuration from FGT and FTD and reconfigure again.

I would appreciate any kind of help to fix this.

I tried to upgrade FTD and FGT but no the problem is the same.

hbac · ‎07-08-2024

Hi @bledian,

You can try disabling npu-offload and see if it helps. https://docs.fortinet.com/document/fortigate/7.4.4/hardware-acceleration/636026/disabling-np-offload...

Regards,

pdelapena · ‎07-09-2024

Hi @bledian ,

Instead of recreating the tunnels, have you tried just flushing them in FortiGate side?
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-flush-a-VPN-tunnel/ta-p/196631

Try to check if there are differences in the key lifetime for both phase1 and phase2.

While the issue is happening, it is best to do some debugs to understand more what is happening.
CLI session 1 :
diag vpn ike log-filter dst-addr4 x.x.x.x ------------where x.x.x.x is the remote gatewayIP
diag debug app ike -1
diag debug enable

Then open new CLI sessions with sniffer and debug flow commands and do test simulation by pinging from source to destination.
CLI session 2 :
diag sniff packet any 'host <source IP> and host <destination IP> and icmp' 4 0 l

CLI session 3 :
diag debug flow filter saddr <source IP>
diag debug flow filter daddr <dest IP>
diag debug flow filter proto 1
diag debug enable
diag debug flow trace start 100

Regards,

Best regards,
Pau

VPN Site-to-Site between FGT and Cisco FTD

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website