After attempting to go from a 100E fortigate on 6.2.7 to a 200F on 6.4.4 our VPN connections stopped functioning properly. I worked with support during the switch and we had the VPNs up and showing as connected, but throughout the night they weren't properly transmitting data. I was wondering if anyone else had similar issues going from 6.2.7 to 6.4.4 and what ended up being the workaround.
Once I reverted back to the 100E on 6.2.7 I didn't experience any connection issues so that leads me to believe the problem is with the new firmware (or firewall) and not an issue with the configuration for the vendors as it happened to all the VPNs.
I did look at the "Technical Tip: IPsec tunnel traffic issues after upgrade to v6.2.4" post to see if there could possibly be relevant information for my situation, but on one of the problem VPNs we already had the workaround in place.
What exactly "weren't properly transmitting data"? We upgraded our 60E with an IPSec from 6.2.10 to 6.4.8 (one step upgrade). Phase1/2-interface config is still the same in CLI and BGP over it is stable. No particular problems we experienced.
Have you tried testing like pinging from a device on one end to the other end for each phase2-selector set, in case you have multiple sets? Depending on that, it could be missing routes or specific phase2 didn't come up somehow. You need to find out what the missing traffic is and what's directly causing it.
Also I would suggest the latest 6.4 to go to, which is 6.4.8 now, unless if you have any specific reasons you can't. You likely need to take multiple steps to get to it though.
You moved to a different unit, not upgrading it. So don't have to take multiple steps.
Also when you went back to 6.2.7, you swapped the FGT backed to 100E. That doesn't tell the problem you experienced was caused by the 6.4.4. You might have (or likely) experienced the same if you loaded 6.2.7 to 200F and configured the same.
6.4.4 has more configuration options for VPNs than what 6.2.7 has so that's why I was thinking something could possibly have gone wrong there. As for pinging, when we try going live again with the 200f, I will give it a go during the testing phase. The VPNs are for two different vendors and we were able to send/receive some of the data we were expecting, but the connections either became unstable or stopped not long after the VPNs connected.
After failed attempts using both our configuration and the configuration the forticonverter service provided us, bypassing our transparent VDOM is what got the VPNs to stabilize. I'm not sure what the exact problem was as our resources looked fine, but I'm assuming something in the VDOM caused some sort of bottlenecking that impacted our IPsec traffic. We're still monitoring the connections, but they have been stabilized for over 12 hours now.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.