Robert_Brumm
New Contributor

udp_flood from our IPSec Tunnel

While troubleshooting a VPN problem, I noticed a lot of udp_flood entries from the other side of the tunnel. The Source IP listed is ours. I changed the policy from block to detect for now, but I can't find a reason for all this traffic. We have 3 other IPsec tunnels that are pretty much identical, but this is the only Fortigate having this occurrence.

Source and destination port 4500. Service is IKE.

johnathan
Staff

Just a false positive. When you have NAT Traversal enabled on your tunnel, it will use UDP port 4500.
It is recommended to exclude either the remote side's Public IP, or port 4500 from the DOS Policy.

See this document: https://community.fortinet.com/t5/Customer-Service/Technical-Tip-DoS-policy-can-cause-slowness-in-tr...

Robert_Brumm

Yes, NAT Traversal is on by default, so I never paid it much attention and I don't know if we should use it or not. I'm still confused: if all 4 of our tunnels have NAT Traversal enabled, why is this only happening on one of our Gates?

johnathan

NAT-T is usually fine to leave on. Your traffic probably just so happens to match the characteristics your DOS policy is looking for; e.g. the amount of pkts. in a specific timeframe.
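As an added illustration (not code from this thread, and not FortiOS's own DoS engine), here is a small Python model of what the two replies describe: a per-source UDP packet-rate threshold that a burst of NAT-T traffic on 4500/udp trips exactly the way a real flood would, plus the two exclusions suggested above (the remote peer's public IP, or port 4500). The flow records, addresses, threshold and window size are constructed sample values, and the `UdpFloodPolicy` fields and exemption logic are assumptions made for this model.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not taken from the thread or a real FortiGate log).
# Each tuple is (timestamp_seconds, src_ip, dst_ip, protocol, dst_port).
#  - 203.0.113.10 -> 198.51.100.5 on 4500/udp models ESP-in-UDP (NAT-T) traffic from
#    the remote VPN peer: legitimate, but a burst that looks like a flood to a counter.
#  - 192.0.2.77 on 53/udp models a genuine UDP flood the policy should still catch.
#  - 192.0.2.9 on 123/udp is low-rate background traffic that stays under threshold.
SAMPLE_FLOWS = (
    [(i / 1000.0, "203.0.113.10", "198.51.100.5", "udp", 4500) for i in range(300)]
    + [(i / 1000.0, "192.0.2.77", "198.51.100.5", "udp", 53) for i in range(300)]
    + [(i / 1000.0, "192.0.2.9", "198.51.100.5", "udp", 123) for i in range(20)]
)


@dataclass(frozen=True)
class UdpFloodPolicy:
    """Simplified stand-in for a udp_flood anomaly rule: count UDP packets per
    source in fixed windows and flag the source once any window exceeds the
    threshold. Field names and the exemption mechanism are assumptions."""
    threshold: int              # packets per window before the anomaly fires
    window: float = 1.0         # window length in seconds
    exempt_sources: tuple = ()  # CIDRs whose traffic is never counted (e.g. the VPN peer)
    exempt_ports: tuple = ()    # destination UDP ports never counted (e.g. 4500 for NAT-T)


def is_exempt(policy: UdpFloodPolicy, src_ip: str, dst_port: int) -> bool:
    """True if this packet should bypass the flood counter entirely."""
    if dst_port in policy.exempt_ports:
        return True
    addr = ip_address(src_ip)
    return any(addr in ip_network(cidr) for cidr in policy.exempt_sources)


def flagged_sources(policy: UdpFloodPolicy, flows) -> list:
    """Sorted list of source IPs that exceeded the threshold in at least one window."""
    per_source_window = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, proto, dport in flows:
        if proto != "udp" or is_exempt(policy, src, dport):
            continue
        bucket = int(ts // policy.window)
        per_source_window[src][bucket] += 1
    return sorted(
        src for src, buckets in per_source_window.items()
        if max(buckets.values()) > policy.threshold
    )


# Three variants: the policy that produced the false positive, and the two
# exclusions suggested in the reply above (by peer address, or by port 4500).
STRICT = UdpFloodPolicy(threshold=100)
EXEMPT_PEER = UdpFloodPolicy(threshold=100, exempt_sources=("203.0.113.10/32",))
EXEMPT_NAT_T = UdpFloodPolicy(threshold=100, exempt_ports=(4500,))

if __name__ == "__main__":
    variants = [("strict", STRICT), ("exempt peer", EXEMPT_PEER), ("exempt 4500/udp", EXEMPT_NAT_T)]
    for name, policy in variants:
        print(f"{name:16s} -> udp_flood from {flagged_sources(policy, SAMPLE_FLOWS)}")
```

With the strict policy both the VPN peer and the real flood source are flagged; either exclusion clears the peer while the 53/udp flood is still caught. Exempting by peer address is the narrower change, since exempting port 4500 outright also hides any genuine flood aimed at that port; switching the anomaly from block to detect, as done in the original post, is the way to keep the log signal while deciding which exclusion to apply.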
