VPN Tunnel problem
Hello,
We are experiencing the following issue in our company: we have a FortiGate 60F with a GRE over IPsec tunnel configured between a Cisco router and the FortiGate firewall.
When we checked PRTG, we noticed that the tunnel went down on February 27. Upon investigation, we found that both phases are configured identically, and the configurations are the same on both ends. However, the Interconnect does not establish a connection, and ping does not work.
Could you please help us understand what might be causing this issue? Ping is enabled on the interface, and everything was working correctly before. We have not made any changes on the FortiGate, and as I was informed, there were no changes on the Cisco router either.
Additionally, we switched the tunnel from Tunnel Mode to Transport Mode, but the issue persists.
I would appreciate any recommendations or troubleshooting steps. Thank you very much for your feedback!
FortiGate
#VPN #Ipsec
- Labels: Authentication, FortiGate, IPsec
Hello!
Please check this document, which can help you troubleshoot the IPsec tunnel connection.
Regards!
After you check the links and troubleshooting steps provided in the previous reply, one likely cause of the issue could be Dead Peer Detection (DPD) or keepalive issues. If the devices lose connectivity even briefly, DPD might mark the peer as dead, causing the tunnel to drop. Another possibility is that the Internet Service Provider (ISP) may have started blocking or rate-limiting IPsec traffic, especially UDP ports 500 and 4500, which are crucial for IKE negotiations.
It's also worth considering if there was a firmware update on either device that modified default behaviors or security settings. Additionally, an expired IKE/IPsec security association (SA) or certificate (if used) could prevent re-establishing the tunnel. Lastly, hardware issues like overheating or resource exhaustion (CPU or memory) on the FortiGate or Cisco device could be interfering with tunnel stability.
Starting with checking the DPD status, reviewing logs for errors, and ensuring the ISP isn’t blocking necessary traffic would be good initial steps.
Hi @Liza1 ,
1) I assume that this issue happened on Jan 27, not Feb 27.
2) We don't have your FGT config, so please confirm it is GRE over IPSec, not IPSec over GRE.
3) If it is IPSec over GRE, please check this KB for troubleshooting:
Technical Note: Configure and verify an IPsec over GRE tunnel
4) If it is GRE over IPSec, please check this KB for troubleshooting:
Technical Tip: Configuring and verifying a GRE over an IPsec tunnel
Jerry
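Two of the replies above turn on things that can be read straight off a packet capture taken on the FortiGate's WAN interface: whether IKE traffic on UDP 500/4500 is actually leaving and returning (the ISP-blocking point in the second reply), and whether the encapsulation is GRE over IPsec (outer ESP, protocol 50) or IPsec over GRE (outer GRE, protocol 47, with ESP inside), which Jerry's reply asks the poster to confirm. The script below is an added example and is not code from the thread or from Fortinet; it classifies raw IPv4 packets by those criteria and gives a coarse hint about where the fault sits. All packets in it are constructed inline with documentation addresses (203.0.113.x, 198.51.100.x, 10.x) and made-up SPIs; in practice you would feed it the bytes of frames from `tcpdump -w`/`diagnose sniffer packet` after stripping the Ethernet header, which the example does not do.

```python
import struct
from collections import Counter

IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 17, 47, 50


def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for an IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return buf[9], src, dst, buf[ihl:]


def classify(buf):
    """Name the encapsulation/control traffic a single IPv4 packet carries."""
    hdr = parse_ipv4(buf)
    if hdr is None:
        return "not-ipv4"
    proto, _src, _dst, payload = hdr
    if proto == IPPROTO_ESP:
        # GRE over IPsec: on the wire only ESP is visible; GRE is inside the ciphertext.
        if len(payload) < 8:
            return "esp-truncated"
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"
    if proto == IPPROTO_GRE:
        if len(payload) < 4:
            return "gre-truncated"
        flags, ptype = struct.unpack("!HH", payload[:4])
        # Optional GRE fields: checksum (C bit), key (K bit), sequence (S bit), 4 bytes each.
        hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        inner = parse_ipv4(payload[hlen:]) if ptype == 0x0800 else None
        if inner and inner[0] == IPPROTO_ESP:
            return "ipsec-over-gre"      # ESP carried inside a cleartext GRE header
        return "gre-plaintext" if inner else f"gre ptype=0x{ptype:04x}"
    if proto == IPPROTO_UDP:
        if len(payload) < 8:
            return "udp-truncated"
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if 500 in (sport, dport):
            return "ike-udp500"
        if 4500 in (sport, dport):
            # NAT-T: a 4-byte zero "non-ESP marker" means IKE, anything else is ESP-in-UDP.
            return "ike-natt-udp4500" if data[:4] == b"\x00\x00\x00\x00" else "esp-in-udp4500"
        return f"udp {sport}->{dport}"
    return f"ip-proto-{proto}"


def diagnose(packets):
    """Coarse hint from a capture: which layer of the tunnel never gets off the ground."""
    kinds = Counter(classify(p) for p in packets)
    ike = kinds["ike-udp500"] + kinds["ike-natt-udp4500"]
    esp = kinds["esp-in-udp4500"] + sum(n for k, n in kinds.items() if k.startswith("esp spi="))
    if ike == 0:
        return "no IKE on UDP 500/4500: check reachability of the peer and whether the path drops these ports"
    if esp == 0:
        return "IKE seen but no ESP: phase 1/2 not completing, check proposals, DPD and IKE debug logs"
    return "ESP is flowing: look at GRE, routing and firewall policy rather than the IPsec layer"


# --- constructed sample packets (hypothetical addresses and SPIs) -------------------------
def ipv4(proto, src, dst, payload):
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       addr(src), addr(dst)) + payload


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


FGT, RTR = "203.0.113.10", "198.51.100.20"
ESP_HDR = struct.pack("!II", 0xC0FFEE01, 7)
SAMPLE_GRE_OVER_IPSEC = ipv4(IPPROTO_ESP, FGT, RTR, ESP_HDR + bytes(16))
SAMPLE_IPSEC_OVER_GRE = ipv4(IPPROTO_GRE, FGT, RTR, struct.pack("!HH", 0, 0x0800)
                             + ipv4(IPPROTO_ESP, "10.0.0.1", "10.0.0.2", ESP_HDR + bytes(8)))
SAMPLE_IKE = ipv4(IPPROTO_UDP, FGT, RTR, udp(500, 500, bytes(28)))
SAMPLE_NATT_IKE = ipv4(IPPROTO_UDP, FGT, RTR, udp(4500, 4500, bytes(4) + bytes(28)))
SAMPLE_ESP_UDP = ipv4(IPPROTO_UDP, FGT, RTR, udp(4500, 4500, ESP_HDR + bytes(8)))

if __name__ == "__main__":
    for pkt in (SAMPLE_GRE_OVER_IPSEC, SAMPLE_IPSEC_OVER_GRE, SAMPLE_IKE, SAMPLE_NATT_IKE, SAMPLE_ESP_UDP):
        print(classify(pkt))
    print(diagnose([SAMPLE_IKE, SAMPLE_IKE]))
```

A capture showing only `ike-udp500` in the FortiGate-to-router direction, with nothing coming back, points at the path or the peer rather than at the phase 1/2 proposals; a capture with ESP in both directions means the IPsec layer is up and the GRE interface, its route or the policy is what to inspect next.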
