Hello everyone,
right now we are having some strange problems regarding a vpn ipsec connection between our gateway and an external host who grants us access to two different networks (2 different customers).
The configuration is pretty simple and straightforward. We are using IKEv2 for authentication and a PSK. Configuration on both sides is obviously the same, because otherwise we wouldnt have a connection. In Phase 2 selectors, instead of having one remote network, I used a named adress which consists of two different networks x.x.x.x/28 and y.y.y.y/28, which represents the networks of our customers/clients.
However for some reason, the network of one of them keeps getting the phase 2 status "down" and the connection is lost. Most of the time when contacting the external host and asking them if they changed anything or did an update, they answer back that they didnt do anything and for some strange reason it always works shortly after they answer..
Can someone give me a reason or some understanding for a vpn connection to be randomly disconnecting and re-establishing itself after a day or some hours? And how can i prove that its not our fault?
How frequently are you getting these errors? Are they coming during the rekey/life-time expire? If not, can you check if there is a notification/error coming from peer on the VPN events/logs? If the notification is coming from them before the rekey, the most possible reason is that something changed on their side. This is just my thought, lets see if anyone else got better idea.
I get them really frequently. Last time it worked was friday. The day before it went down. Sometimes it works for a week or two. Then it keeps going down for a day or two again.
I looked a bit into the VPN event log and im seeing the following multiple times:
Action;Status;Message
negtotiate, success, prograss IPsec phase2
negotiate success negotiate IPsec phase2
install_sa install IPsec SA
delete_ipsec_sa delete IPsec phase 2 SA
Why does the SA keep getting deleted after successfully being established? I think this could be the reason why the status is not going to "Up". Im using version 7.0.12 as firmware btw.
These messages don't share any details than confirming the tunnel is going down. Could you please confirm if Auto-negotiation is enabled under the phase 2 settings? If not, can you enable them as suggested in below article and monitor.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepali...
This will help us to eliminate if the tunnel is going down due to inactivity.
No Auto-Negotiation was disabled. I enabled that and one day later the tunnel was up. However, one weekend later and it was down again. After speaking with the other party, they found out, that I have NAT settings they did not configure. After also configuring them (to keep it exactly the same), it suddenly worked. After that we agreed on watching the connection for a couple of days and creating another meeting in case of new problems arising. Surprise Surprise, this morning the other network, lets say network A, was not reachable (normally its always Network B ending up down). Phase1 is always up and the other gateway is reachable. The VPN Event log shows no really good information except that you see that it ended up failing or losing connection, but without any hint on WHY the tunnel suddenly went down.
If you don't have another clue I will hope on getting one in the next meeting with out partner.
Hi @jk1,
Is it a site to site VPN between FortiGate and a third party device? If you are using named address on FortiGate for phase2 selectors, it should be the same on the other side as well. Please also make sure that key lifetime of phase1 and phase2 are the same on both sides.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.