FernandoDM
2015/05/05 07:41:12 (permalink) 5.2
Site-to-Site Tunnel failing...

Hello, having issues keeping a VPN site-to-site tunnel up.
 
My devices are a FG100D and the remote device is a FG30, both have been updated to v5.2.3 firmware. I set up the site-to-site with the VPN wizard, the VPN tunnel was working for about 3 days and then it stopped.
 
Tried debugging on the near end (the remote-end FG30 device is about an hour's drive away; I would like to resolve it from this end if possible without having to drive there). In the debug it says P1_RETRANSMIT about 3 times, then goes to a negotiation timeout, deleting... connection expiring due to phase1 down.
 
Tried setting the VPN interface to IKEv1 and aggressive mode, but same result. Set it back to IKEv2. Not sure if that is the default, because setting up with the wizard does not specify. I figured it would default to IKEv2.
 
Looked at a few forum threads and this one had some interesting commands to restart the VPN tunnel:
 
https://forum.fortinet.com/tm.aspx?m=107918

# execute router restart
# diagnose debug application ike 2
# diagnose debug enable
# diagnose vpn ike restart
 
Any help is appreciated, Thanks!
post edited by FernandoDM - 2015/05/28 12:53:30
#1
emnoc
Re: Site-to-Site Tunnel failing... 2015/05/05 08:36:50 (permalink)
Logs, show outputs, and configuration details would be nice. Also, did you do this route-based or policy-based? But what I would do: if either party is behind NAT translation, then enable NAT-T or deploy IKEv2.
 
2nd, config the exact proposals. In fact I would copy the config from one firewall and use it at the other side (just change the interface and address).
 
For the last step, I would copy one side's phase2 settings and once again swap the src/dst-subnet details.
 
Lastly, ensure that a fwpolicy and a route exist (the latter is only for route-based).
 
Next, google socpuppet vpn troubleshooting for good t-shoot steps.
socpuppet.blogspot.com/.../site-2-site-routed-vpn-trouble-shooting.html
 
PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#2
juanchonica
Re: Site-to-Site Tunnel failing... 2015/05/18 11:02:25 (permalink)
Same problem!!!
 
Did you find any solution?
#3
FernandoDM
Re: Site-to-Site Tunnel failing... 2015/05/18 11:31:36 (permalink)
All of these steps were done on both sides.
 
- I changed the tunnel from a wizard-created tunnel to a custom tunnel.
- In Authentication, changed the IKE version to v2.
- In Phase 1, set up different Diffie-Hellman groups than the default (make sure they match on both sides) and removed all of the other encryption algorithms except the first one, AES128-SHA256.
- In Phase 2, went into Advanced and removed all encryption algorithms except AES128-SHA1. Also changed the Diffie-Hellman group to something other than the default (make sure they match on both sides). Put a check in everything below the Diffie-Hellman settings: Local Port / Remote Port / Autokey keep alive / auto-negotiate.
 
It was up for about 5 days and the DSL had a blip. This caused the tunnel to go down and it didn't come back up when the DSL was back up. Had to reboot the 30D and the tunnel came back up, and it has been up for 5 days now.
 
I don't know if that counts as a fix if you still have to reboot the device every time a DSL line goes down... :/
 
Let me know if you have better luck. Thanks!
#4
FernandoDM
Re: Site-to-Site Tunnel failing... 2015/05/19 07:56:51 (permalink)
UPDATE: Uptime was about 5 days, then the tunnel went down. Rebooted the 30D and the tunnel came back up.
 
Co-worker said he read a post about a similar issue to mine. The fix was to update the Phase 2 section of the tunnel with the correct local and remote IP subnet information. I updated that information and rebooted the 30D again. Tunnel is up and I am able to connect to the devices on the other side of the tunnel. Just have to wait and see another 4-5 days if it stays up.
 
I guess I should clarify that with the tunnel wizard, the P2 subnet information defaults to all zeroes. It works, but it is not specifically the right information for my IP configuration. I narrowed it down to just the specific IP subnets that we are using and not the generic all zeroes.
 
post edited by FernandoDM - 2015/05/19 08:00:04
#5
juanchonica
Re: Site-to-Site Tunnel failing... 2015/05/20 16:16:43 (permalink)
Will try all the above ideas. I will let you know if it works.
#6
juanchonica
Re: Site-to-Site Tunnel failing... 2015/05/26 17:17:50 (permalink)
It does work, but I don't know why; for some reason it is constantly going down and I have to restart the FGT :/
#7
emnoc
Re: Site-to-Site Tunnel failing... 2015/05/27 00:38:27 (permalink)
All zeroes is not the problem: as long as the remote and local VPN devices are both using 0.0.0.0/0:0 for their src/dst-subnet, that's okay. And if both devices are FortiGates, that's okay also.
 
What's probably the issue: you don't have auto-negotiate enabled under the phase2 settings;
 
config vpn ipsec phase2-interface
    edit "sega-p2"
        set phase1name "sega-main"
        set auto-negotiate enable
        set src-subnet 0.0.0.0/0
        set dst-subnet 0.0.0.0/0
    next
end
 
I believe you need to check the full cfg from the CLI and you will find the above is set to "disable". Confirm also that the keepalives are the same for the SA and enabled.
 
e.g. (enabled and set for seconds at 1 hour)
 
        set keepalive enable           <------ KAs are enabled
        set keylife-type seconds       <------ lifetime is set for seconds vs bytes
        set keylifeseconds 3600        <------ 1 hour
 
Try the above for both devices and re-monitor, and I bet you will have no problems in the future.
 
PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#8
Kess
Re: Site-to-Site Tunnel failing... 2015/05/28 06:34:25 (permalink)
I have exactly the same problem between a 60D and a VM00.
In order to re-establish the tunnel I need to reboot the 60D. Reboot of the VM00 has no effect.
 
I have now tried modifying the cfg with your suggestions on both firewalls. I'll let you know in the next 4-5 days if the problem has been resolved.
 
For the moment, thank you :-)
#9
FernandoDM
Re: Site-to-Site Tunnel failing... 2015/05/28 10:04:16 (permalink)
Still having the issue on my end. Changed Phase 2 back to all zeroes since it did not have any effect and emnoc mentioned it should not have any relevance.
 
@emnoc - I made the changes back to all zeroes. Added the keylifeseconds and the keylife-type seconds commands. Here is the current config from both sides.
 
config vpn ipsec phase2-interface
    edit "100D-VPN1"
        set phase1name "100D-VPN1"
        set proposal aes256-sha1
        set dhgrp 20 16
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

config vpn ipsec phase2-interface
    edit "30D-VPN1"
        set phase1name "30D-VPN1"
        set proposal aes256-sha1
        set dhgrp 20 16
        set keepalive enable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end
 
Also, I called Fortinet support. The tech said that the upgrade path I took from firmware 5.0 to 5.2.3 was incorrect. He said I had to format the device and install the firmware from scratch. This explanation sounds hokey to me, but in any case I have a FW30D-POE that I can mess around with, and I will try it on that one since it is a spare.
 
Here is the documentation that the support rep gave me: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=10338&sliceId=1&docTypeID=DT_KCARTICLE_1_1
 
post edited by FernandoDM - 2015/05/28 12:48:58
#10
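Both of the advice posts above (copy one side's phase2 settings to the other, mirror src/dst-subnet, and make sure auto-negotiate, keepalive and the keylife settings agree) amount to a checklist. This is an added example, not code from the thread or from Fortinet: it parses two constructed phase2-interface blocks and reports what differs. The sample configs are constructed and only modelled on the ones posted; treating an absent key as "disable" is an assumption about the FortiOS default.

```python
import ipaddress
import re

# Constructed sample phase2-interface blocks for the two ends (modelled on the thread, not copied from it).
SIDE_A = """
    edit "100D-VPN1"
        set proposal aes256-sha1
        set dhgrp 20 16
        set keepalive enable
        set auto-negotiate enable
        set keylife-type seconds
        set keylifeseconds 3600
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
"""
SIDE_B = """
    edit "30D-VPN1"
        set proposal aes256-sha1
        set dhgrp 20 16
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.2.0.0/16
        set dst-subnet 10.1.0.0/16
    next
"""

def parse_phase2(text):
    """Return {setting: value} for the first 'edit' block; keys never set are simply absent."""
    block = re.search(r'edit "[^"]*"(.*?)\n\s*next', text, re.S).group(1)
    return dict(re.findall(r'^\s*set (\S+) (.+?)\s*$', block, re.M))

def to_network(value):
    # Accept both 'ip mask' and 'ip/len' spellings so 0.0.0.0 0.0.0.0 equals 0.0.0.0/0.
    return ipaddress.ip_network("/".join(value.split()), strict=False)

def check_pair(a, b):
    """Compare the two ends; returns a list of mismatch descriptions (empty means consistent)."""
    issues = []
    for key in ("proposal", "dhgrp", "keylife-type", "keylifeseconds"):
        if set(a.get(key, "").split()) != set(b.get(key, "").split()):
            issues.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    for key in ("auto-negotiate", "keepalive"):
        for side, cfg in (("A", a), ("B", b)):
            # Assumption: an absent key means the FortiOS default, which is disable.
            if cfg.get(key, "disable") != "enable":
                issues.append(f"{key} not enabled on side {side}")
    if to_network(a["src-subnet"]) != to_network(b["dst-subnet"]) or \
       to_network(a["dst-subnet"]) != to_network(b["src-subnet"]):
        issues.append("src/dst-subnet are not mirrored between the two ends")
    return issues
```

Run `check_pair(parse_phase2(SIDE_A), parse_phase2(SIDE_B))` against `show vpn ipsec phase2-interface` output pasted from each box; an empty list means the two ends agree on everything the thread's checklist covers.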
Kess
Re: Site-to-Site Tunnel failing... 2015/06/07 00:11:07 (permalink)
No way...
Tried some other configurations, also tried switching to the classic tunnel style, tried rebuilding the tunnel from scratch on both ends, but after 2-5 days the only way to resolve the issue is to restart the 60D. Restarting the VM00 has absolutely no effect.
 
At this point the only thing I can think of is that Fortinet should look into that.
#11
Kess
Re: Site-to-Site Tunnel failing... 2015/06/15 04:44:30 (permalink)
Hey guys, did someone find a solution for that issue?
#12
ede_pfau
Re: Site-to-Site Tunnel failing... 2015/06/15 05:36:24 (permalink)
One possible explanation is that when the tunnel goes down, traffic is routed out the WAN interface while the tunnel is being set up. This session setup is cached, so subsequent traffic follows the default route to the WAN port and not to the tunnel interface.
If there is no traffic to the remote side for a while, the session times out and, with the tunnel being up, the next packet traverses the correct route to the tunnel.
This can be easily prevented, as re-iterated in this thread (https://forum.fortinet.com/tm.aspx?m=124305), which refers to an earlier thread. I have supplied a batch command file which defines blackhole routes for all RFC 1912 networks.
If you suspect that this could be the cause, just give it a try. The blackhole routes do no harm by themselves.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#13
Kess
Re: Site-to-Site Tunnel failing... 2015/06/15 05:41:38 (permalink)
Hi @ede_pfau,
thank you for your reply.
 
I've read your thread in the past, but unfortunately this isn't the solution in my case.
The IPsec tunnel remains in state "Down" even when forcing it to come up again. The only way to re-establish the tunnel is to reboot the 60D device.
 
Thx anyway :-)
Bye Kess.
#14
stukat
Re: Site-to-Site Tunnel failing... 2015/06/15 08:42:11 (permalink)
I am having a similar issue. My tunnel 60D to 100D drops several times a day but comes back up. The problem is that my IP phones are over the tunnel. Also, I had to roll back to DH5. DH14 worked but phones wouldn't DHCP. DH20 and 21 never worked; the tunnel wouldn't come up. DH5 is below minimum acceptable standards (and it's still dropping constantly anyway). Wondering if it's an issue with the 60D, as I've never had a problem with any of my 100Ds. 5.2.2 GA on all devices.
#15
Holy
Re: Site-to-Site Tunnel failing... 2015/12/16 06:58:26 (permalink)
Hello guys,
 
Having similar problems with 2x 60D. Every 1-3 days the tunnels go down, with the same logs, and only a reboot can bring the tunnels up again.
 
Our wan1 is PPPoE, and we found yesterday that for that provider we need an MTU size of 1456. We changed the value and are now hoping that it will save the day.
 
Fortinet Support doesn't know either what's going on. Tunnels are up, IKE messages are flowing, but there is no response.
 
I will report if the MTU size fixes the issue.
 
#16
TJNIHAL
Re: Site-to-Site Tunnel failing... 2016/03/09 21:38:53 (permalink)
Hello guys,
 
I am facing the same problem with my 60D: the tunnel goes down frequently and only a restart brings it up.
 
I would very much appreciate it if you guys let me know how you resolved this issue.
 
My current firmware version is v5.2.6, build 711.
 
Thanks in advance,
 
Nihal
#17
ksm
Re: Site-to-Site Tunnel failing... 2016/03/14 10:24:03 (permalink)
Hi guys,
 
We have similar issues in our company. We, with a 60D behind an ORANGE VDSL2 line, regularly lose our VPN connection to our DC, on average once per week. The only way to get it back: reboot the modem.
 
And at a customer with one 60D at its headquarters. Since he has a Livebox V3 with fiber, all 3 of its VPN tunnels go down, on average once per week.
 
I have done a lot of tests and debugging; the symptom (if it is one) in the debug log is always the same phase: P1_RETRANSMIT
 
Actually I have prepared a 60C to replace our 60D to see if we get better behavior, because I do not have a 90D to test with for now. I will keep you informed.
 
But if you have a clue, I will take it too!
 
Support KSM
#18
ksm
Re: Site-to-Site Tunnel failing... 2016/03/14 10:52:27 (permalink)
I would like to add that rebooting the FortiGate does not fix the issue, only rebooting the modem.
 
I will try the MTU thing.
 
Best regards.
 
Support KSM
#19
ksm
Re: Site-to-Site Tunnel failing... 2016/04/29 00:34:35 (permalink)
Hi,
 
Just to close this post: we decided this morning to stop using the ORANGE line for mounting the VPN connection.
 
We changed our FortiGate for a 90D 2/3 weeks ago, and this morning, loss of the VPN connection, impossible to remount, even after rebooting the FortiGate and the modem. Last week the VPN stopped, like about every 7 days, but a couple of minutes later it was up on its own.
 
After changing the interface to our other line in Phase 1 on both sides of the VPN tunnel, in an instant the tunnel was up.
 
So ***** ORANGE line.
 
JS
 
#20