Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: vpn packet loss
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vpn packet loss
Hello,
I currently own several fortigate 60' s and I am experiencing packet loss in a VPN tunnel. I lose about 1% of my packets. I moved from AES128 encryption to 3DES and that seems to make it more stable but I still lose packets. I also prioritized the traffic on the tunnel. I thought maybe that it could be a ids problem but I have two subnets (SA' s) on the same tunnel and I will lose packets on one but not the other (at least not at the same time.) Is there a setting that may be causing this?
Mike
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
more than likely to be a network problem somewhere, like with your isp. Are both ends of the tunnel fortinets ? check there settings are exact.
other thing you could do is set continuous pings to the firewall at the remote site, and a host at the remote site, and see whether they both drop off or just the vpn one. If they both drop off, its probably your isp connection.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the input but it is definately not the ISP. As I had noted before, I have two separate tunnels terminating on the one link with different subnets. When I constantly ping a node through the tunnels at each subnet I get request timed out on one but not the other. I made some changes to prioritize the tunnel traffic which has improved it somewhat but I still get packet loss every once in a while.
I am wondering if it could be something to do with the way that the fortigate processes ip traffic and that it runs out of resources if there is heavy traffic while end users are browsing the net. I did notice the same thing with Sonicwall firewalls so that is why I choose the Fortigate product line in the end.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But it could be the isp connection at the other end, rather than your end, which would make sense, as the other link is fine.
What happens when there is packet loss ? does the vpn drop ?
You could sniff the external interface for packets destined to the remote firewall during the packet loss, to see whether your end is not getting a response back.
(see cli diag sniff command for usage)
Also what happens if you disable the VPN policy that works, and does the other one then work properly ?.
One last question, is the vpn that works all the time located above the other encrypt rule in the policies ?
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The config is such as this. I have one Fortinet 60 with 2 tunnels terminating to the same gateway. I have configured it this way for security reasons.
On one Fortigate 60
The internal interface is subnet 10.10.10.0/24 with an encrypted tunnel to the central gateway.
The DMZ interface is subnet 192.168.10.0/24 with an encrypted tunnel to the same central gateway as above.
Both interfaces do not have protection profiles applied to them.
When I ping both tunnels at the same time, one will get a request timed out where the other one does not. Both tunnels will get a request timed out (about 1 in a 100 pings) but not at the same time.
The VPN does not drop.
I think that answers your questions.
Thanks for your help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh hang on, when you say two vpns terminating, are you meaning one vpn connection or two to different remote end firewalls (i presumed the latter).
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The config is such as this. I have one Fortinet 60 with 2 tunnels terminating to the same gateway. I have configured it this way for security reasons.
On one Fortigate 60
The internal interface is subnet 10.10.10.0/24 with an encrypted tunnel to the central gateway.
The DMZ interface is subnet 192.168.10.0/24 with an encrypted tunnel to the same central gateway as above.
Both interfaces do not have protection profiles applied to them.
When I ping both tunnels at the same time, one will get a request timed out where the other one does not. Both tunnels will get a request timed out (about 1 in a 100 pings) but not at the same time.
The VPN does not drop.
I think that answers your questions.
Thanks for your help.
Not applicable
Created on ‎05-24-2005 08:33 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am also having a pretty similiar problem.
VPN clients connected through Forticlient would hang after sometime so we have to switch to ssh for file transfers.
Why does this happen, really?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the delay, been away working.
Try the following, the more you try together the more chance you have to get it working;
use local id for each end of the tunnel, and only allow that id to connect
use aggressive mode for the vpn settings
use xauth
Start from the top, until you have all three of these set, and it might fix your problem. As i suspect the vpn traffic is getting confused with which vpn to speak to at the other end. (seen a similar problem with multiple dialup entries)
Otherwise, just use one tunnel for both if you can.
Also make sure you dont have NAT enabled on any vpn policies.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for you assistance in this matter.
I have reconfigured it so that both subnets go through the same tunnel. I am still experiencing problems with packets being lost.
If you ask me, I think there is a bug in the firmware.
Mike.
Labels
-
FortiGate
10,495 -
FortiClient
2,131 -
FortiManager
883 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
561 -
FortiClient EMS
551 -
6.0
416 -
IPsec
404 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
125 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
66 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
FortiDNS
44 -
VDOM
44 -
Application control
44 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
FortiAI
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
FortiAIOps
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2534 | |
| 1351 | |
| 795 | |
| 641 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.