- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Azure site to site VPN drops when configuring ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Azure site to site VPN drops when configuring HA
Hi all,
Sorry to bother however I am currently experiencing issues with a HA pair of FortiGate 50E running v6.2.12 build1319 (GA) firmware.
For some reason both units work flawlessly when they are in standalone mode with one unit active at each time with no issues with the site to site VPNs to Azure however when the units are installed in Active-Active or Active-Passive HA mode the site to site VPN is dropped and unable to be established again.
I have performed some diagnostics and I seem to be getting IKEV2 Phase 1 issues however I can't work out why this would be the case only when in HA as the settings input are the same of those on the Fortinet 6.2 cook book for setting up the Azure VPN.
I've made sure all the firewall rules and routes are present for traffic to flow and when in standalone can confirm I am able to access the Azure resources without issue.
Has anyone seen this issue before?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
After some trials and tribulations I have finally resolved this issue.
During out of hours I spent some time swapping the firewalls over regularly to see if one of the units was defective, as it turned out one of the units even when in standalone mode could not seem to connect to the VPN after initation.
I attempted to factory reset the configuration, restore the working configuration from unit 1 to unit 2 but alas to no avail which led me to believe unit 2 had a fault and that the issue was not with the firmware or HA but rather unit 2 itself. I had even tried to re-load the firmware via the web GUI however the unit had to be manually rebooted in order to bring it back online leading me to believe their is a flashing issue somewhere.
As a last ditch effort today I borrowed a serial cable and formatted the firmware on the defective unit and re-loaded the latest firmware from FortiGate via TFTP and as luck would have it this seemed to resolve the issue.
As it stands the unit has now been installed for 4 hrs without issue or dropping of the VPN.
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, thank you for persisting with me on this :)
I've run those commands and got the following back:
id=20085 trace_id=2 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, FGTIP:500->AzureIP:500) from local. "
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-0000003e, original direction"
id=20085 trace_id=3 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, FGTIP:500->AzureIP:500) from local. "
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-0000003e, original direction"
id=20085 trace_id=4 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, FGTIP:500->AzureIP:500) from local. "
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-0000003e, original direction"
id=20085 trace_id=5 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, FGTIP:500->AzureIP:500) from local. "
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-0000003e, original direction"
id=20085 trace_id=6 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, FGTIP:500->AzureIP:500) from local. "
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-0000003e, original direction"
id=20085 trace_id=7 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, FGTIP:500->AzureIP:500) from local. "
id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-0000003e, original direction"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
After some trials and tribulations I have finally resolved this issue.
During out of hours I spent some time swapping the firewalls over regularly to see if one of the units was defective, as it turned out one of the units even when in standalone mode could not seem to connect to the VPN after initation.
I attempted to factory reset the configuration, restore the working configuration from unit 1 to unit 2 but alas to no avail which led me to believe unit 2 had a fault and that the issue was not with the firmware or HA but rather unit 2 itself. I had even tried to re-load the firmware via the web GUI however the unit had to be manually rebooted in order to bring it back online leading me to believe their is a flashing issue somewhere.
As a last ditch effort today I borrowed a serial cable and formatted the firmware on the defective unit and re-loaded the latest firmware from FortiGate via TFTP and as luck would have it this seemed to resolve the issue.
As it stands the unit has now been installed for 4 hrs without issue or dropping of the VPN.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Fortigate client based ssl-vpn with saml... 173 Views
- SAML Azure configuration for FortiClient authentication 329 Views
- Wifi cative portal auth with azure... 231 Views
- Phase 2 issues - traffic stops... 391 Views
- Fortigate SAML SSO login with Azure... 630 Views
Labels
-
FortiGate
6,541 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
Customer Service
70 -
FortiToken
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiAuthenticator
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
SSL SSH inspection
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
Schedule
1 -
4.0MR1
1 -
SDN connector
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
FortiManager-VM
1 -
Zone
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.