Niacom
New Contributor

VPN Connection dropping randomly

Hello,

I am hoping someone can assist with an ongoing issue we seem to be having.

We have a file server that we use a site to site VPN to access remotely; there are 7 remote locations that use the VPN tunnels. A few weeks ago, out of the blue, the FortiGate on the file server seemed to drop all the tunnels. We went in and brought them all back up, but since then, 2 of the sites keep dropping. When we look at the tunnels on each FortiGate they both show as up, but the end users cannot access the shared drives through the VPN. To resolve this, we go onto the file server FortiGate and bring down the tunnel, then bring it back up, run a gpupdate on the PC and it restores, but it seems to happen every couple days. Looking at the logs, this is the client side:

negotiate | Notice | progress IPsec phase 2 | success | RaneHQ
2024/03/01 11:03:20 | negotiate | Notice | progress IPsec phase 2 | success | RaneHQ
2024/03/01 11:03:20 | tunnel-up | Notice | IPsec connection status change | RaneHQ
2024/03/01 11:03:20 | phase2-up | Notice | IPsec phase 2 status change | RaneHQ
2024/03/01 11:03:20 | install_sa | Notice | install IPsec SA | RaneHQ
2024/03/01 11:03:20 | negotiate | Notice | negotiate IPsec phase 2 | success | RaneHQ
2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 2 | success | RaneHQ
2024/03/01 11:03:25 | tunnel-up | Notice | IPsec connection status change | RaneHQ
2024/03/01 11:03:25 | phase2-up | Notice | IPsec phase 2 status change | RaneHQ
2024/03/01 11:03:25 | install_sa | Notice | install IPsec SA | RaneHQ
2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 2 | success | RaneHQ
2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:03:25 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:03:25 | error | Error | IPsec ESP | esp_error | N/A
2024/03/01 11:03:25 | delete_phase1_sa | Notice | delete IPsec phase 1 SA | RaneHQ
2024/03/01 11:03:25 | phase2-down | Notice | IPsec phase 2 status change | RaneHQ
2024/03/01 11:03:25 | tunnel-down | Notice | IPsec connection status change | RaneHQ
2024/03/01 11:03:25 | tunnel-stats | Notice | IPsec tunnel statistics | RaneHQ
2024/03/01 11:03:40 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:12:11 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:12:11 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:12:11 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
2024/03/01 11:12:11 | tunnel-stats | Notice | IPsec tunnel statistics | RaneHQ

The logs at the file server have a few of these:

2024/03/01 08:16:06 | tunnel-stats | Notice | IPsec tunnel statistics | Lockwood
2024/03/01 08:06:05 | tunnel-stats | Notice | IPsec tunnel statistics | Lockwood
2024/03/01 07:56:05 | negotiate | Notice | progress IPsec phase 2 | success | Lockwood
2024/03/01 07:53:13 | install_sa | Notice | install IPsec SA | Lockwood
2024/03/01 07:53:13 | phase2-up | Notice | IPsec phase 2 status change | Lockwood
2024/03/01 07:53:13 | tunnel-up | Notice | IPsec connection status change | Lockwood
2024/03/01 07:53:13 | negotiate | Notice | progress IPsec phase 2 | success | Lockwood
2024/03/01 07:53:13 | negotiate | Notice | negotiate IPsec phase 2 | success | Lockwood
2024/03/01 07:53:13 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood
2024/03/01 07:53:12 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood
2024/03/01 07:53:12 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood
2024/03/01 07:53:12 | negotiate | Notice | progress IPsec phase 1 | success | Lockwood
2024/03/01 07:53:12 | tunnel-down | Notice | IPsec connection status change | Lockwood
2024/03/01 07:53:11 | phase2-down | Notice | IPsec phase 2 status change | Lockwood

 

Any guidance as to where to look for failure would be appreciated.
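
Added example, not part of the original post: a small Python check for the pattern visible in the logs above, where a tunnel-down and a tunnel-up for the same tunnel land within seconds of each other, together with any Error-level event in that window. The one-event-per-line layout with " | " separators, the names `parse` and `find_bounces`, and the 30-second window are assumptions of this example; the sample lines are constructed from events quoted in the post, and because the timestamps have one-second resolution the order of events within a second is not relied on.

```python
from datetime import datetime, timedelta

# Constructed sample: events taken from the client-side log in the post,
# written one per line as "time | action | level | message | [status |] tunnel".
SAMPLE = """\
2024/03/01 11:03:20 | tunnel-up | Notice | IPsec connection status change | RaneHQ
2024/03/01 11:03:25 | tunnel-up | Notice | IPsec connection status change | RaneHQ
2024/03/01 11:03:25 | error | Error | IPsec ESP | esp_error | N/A
2024/03/01 11:03:25 | delete_phase1_sa | Notice | delete IPsec phase 1 SA | RaneHQ
2024/03/01 11:03:25 | tunnel-down | Notice | IPsec connection status change | RaneHQ
2024/03/01 11:03:40 | negotiate | Notice | progress IPsec phase 1 | success | RaneHQ
"""

def parse(text):
    """Turn pipe-separated event lines into dicts; skip lines that do not fit."""
    events = []
    for line in text.splitlines():
        f = [part.strip() for part in line.split("|")]
        if len(f) not in (5, 6):
            continue
        try:
            when = datetime.strptime(f[0], "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue  # e.g. an entry whose timestamp was cut off
        events.append({"time": when, "action": f[1], "level": f[2],
                       "status": f[4] if len(f) == 6 else None, "tunnel": f[-1]})
    return events

def find_bounces(events, window=timedelta(seconds=30)):
    """Report each tunnel-down that has a tunnel-up for the same tunnel within
    `window`, plus the statuses of Error-level events seen in that window."""
    bounces = []
    for down in (e for e in events if e["action"] == "tunnel-down"):
        near = [e for e in events if abs(e["time"] - down["time"]) <= window]
        ups = [e for e in near
               if e["action"] == "tunnel-up" and e["tunnel"] == down["tunnel"]]
        if ups:
            errors = sorted({e["status"] for e in near
                             if e["level"] == "Error" and e["status"]})
            bounces.append((down["tunnel"], down["time"], len(ups), errors))
    return bounces

if __name__ == "__main__":
    for tunnel, when, ups, errors in find_bounces(parse(SAMPLE)):
        print(f"{tunnel}: down at {when}, {ups} tunnel-up nearby, errors={errors}")
```
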

hbac
Staff

Hi @Niacom,

 

What is the firmware version of FortiGate? Do you see any errors in VPN Events logs when the issue is occurring? When it is not working, you can collect debug flow as per this article https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards, 

Rajan_kohli
Staff

Hi @Niacom,

 

Please make sure Auto-Negotiation and Keep Alive are enabled on phase 2 on both sides.

 

Regards

Rajan

Rajan Kohli
sbabcock
New Contributor

Did you find a solution to this?

I have this scenario with a number of 60F units on 7.4.3.

All my VPNs have keep-alive and auto-negotiation ON.
