- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiAP
- FortiClient
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiExtender
- FortiEDR
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: RE: VPN Tunnel going down
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Tunnel going down
We have a VPN tunnel set up with another company. They have cisco we have a fortigate 80c. If nobody is actively using the tunnel, all the subnets will go down and I cannot activate them from my side. We have to email their tech and he pings our machine from each subnet and that brings the individual subnets back up. Since I cannot bring the tunnel up from my side, I feel like this is a problem with their config, am I wrong on this? Any suggestions on what the problem could be?
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello,
and welcome to the forums.
No, this is intended behavior: site-to-site VPN tunnels to a different vendor' s gateway will only function with manually opening the tunnels from their side. This is to ensure a close contact and more communication.
Just kidding.
Please have a look at your phase2 configuration. The Quick Mode selectors (a.k.a. proxy settings) must match the remote subnets behind the Cisco. You can use the wildcard ' 0.0.0.0/0' for site-2-site VPNs to another Fortigate but not with other vendors.
The QM selectors filter traffic to only trigger the tunnel setup when intended traffic arrives. Secondly, they are a part of the phase2 negotiations and thus relevant.
Could you give us some more infos on the type of VPN (aggressive, main mode) and if it is a ' dial-in' type or a plain ' site-to-site' setup? The latter requires static gateway public IP addresses on both sides.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
main mode VPN and it' s site to site.
correct me if I am wrong, but I would assume the subnets are correct in phase2 because the tunnel will go up, it just goes down when not being used.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The tunnel might go up with traffic from the Cisco side. This doesn' t say anything about the FGT configuration being correct.
Tunnel going down after an idle period can be prevented by the ' auto-key' option. There are 2 places, one for phase1 and one for phase2. And there is another one IIRC in ' conf sys global' .
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the auto key turned on, but it is kind of pointless as my side cannot bring the tunnel up. Do you know what that option is called in a cisco router?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ask emnoc, he' s Cisco savvy.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Did anyone got a solution for this issue?
I am having the same issue also.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ask them to check the order of their crypto MAP entries. Ask them to make sure their Dynamic MAP (Remote accesss VPN map) if they have one is at the end or at least get them to move yours at the top of the list. Like here the number 51 is a MAP which will be processed before MAP 60 :
crypto map EXAMPLE 51 match address vpn_ACLcrypto map EXAMPLE 51 set connection-type bi-directionalcrypto map EXAMPLE 51 set peer xxx.xxx.xxx.xxx crypto map EXAMPLE 51 set ikev1 phase1-mode maincrypto map EXAMPLE 51 set ikev1 transform-set aesshano crypto map EXAMPLE 51 set tfc-packetscrypto map EXAMPLE 60 match address vpn_ACL-IIcrypto map EXAMPLE 60 set connection-type bi-directionalcrypto map EXAMPLE 60 set peer yyy.yyy.yyy.yyy crypto map EXAMPLE 60 set ikev1 phase1-mode maincrypto map EXAMPLE 60 set ikev1 transform-set shastrongno crypto map EXAMPLE 60 set tfc-packets Also ask them to make sure the connection-type is bi-directional. They might have to use "show run all" command.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In a nutshell, the user with the more concise phase2 subnets will be able to open the tunnel. If the FGT has all zeros for phase2 and the Cisco has 192.168.x.x, then 192.168.x.x is contained within 0.0.0.0 and thus will be able to open the tunnel. This is why both sides should match exactly. Now I have seen examples (I am working on one between a FGT60B and my FWF80CM) where the phase2s match and one side cannot bring the tunnel up, but that isn't the normal behavior.
In addition, the setting that keeps the tunnel up is 'set auto-negotiate [enable | DISABLE]'. (Disable is the default) I'm not sure that would work if the FGT is unable to bring the tunnel up from a down state.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- ADVPN with Multi-WAN Without SDWAN 29 Views
- FortiGate with FEX101 IPSec Tunnel flaps 250 Views
- VPN IPSec with SAP 262 Views
- FortiManager serial number change 127 Views
- How do I create IPsec VPN... 139 Views
Labels
-
FortiGate
6,980 -
FortiClient
1,369 -
5.2
801 -
5.4
639 -
FortiManager
607 -
FortiAnalyzer
440 -
6.0
416 -
FortiAP
364 -
5.6
362 -
FortiSwitch
361 -
FortiClient EMS
284 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
169 -
6.4
128 -
FortiNAC
123 -
FortiGuard
111 -
IPsec
102 -
FortiGateCloud
92 -
SSL-VPN
91 -
FortiSIEM
91 -
FortiCloud Products
86 -
FortiToken
76 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
SD-WAN
43 -
FortiEDR
42 -
Fortivoice
42 -
FortiDNS
37 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
FortiAuthenticator
29 -
High Availability
28 -
VLAN
27 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
DNS
21 -
FortiConverter
21 -
FortiGate v5.2
19 -
BGP
18 -
FortiPortal
18 -
Certificate
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
VDOM
16 -
FortiMonitor
14 -
Authentication
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
RADIUS
11 -
NAT
11 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Fortigate Cloud
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Web profile
9 -
Application control
9 -
4.0MR2
9 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
IPS signature
5 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
Automation
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
Web rating
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1011 | |
| 837 | |
| 481 | |
| 440 | |
| 141 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.