- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Freezes on the IPsec Sito to Site
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Freezes on the IPsec Sito to Site
Hello,
we have a 200D in HQ and a lot of 60D branches all with IPsec Sito to Site connected in Hub and Spoke.
now we issue a 3 - 4 times in a day that the Tunnel do freeze (for example i see it if i am on the RDP Connection and the connection get lost and retries to do the Session and after 3- 4 Times the session is UP again.) The tunnel is always UP and i see no Errors in the Logs.
Do someone had similar strange behavior? its pretty annoing..
NSE 8
NSE 1 - 7
Solved! Go to Solution.
NSE 8
NSE 1 - 7
Labels:
- Labels:
-
5.2
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This might be caused by traffic following the wrong route.If that is the case, here's an explanation and a fix.
If the VPN is interrupted shortly the FGT will send out the traffic intended for the private LAN on the other side of the VPN to the WAN port, following the default route. Once this session is established it is cached in the routing cache. When the VPN comes up again, there is already a session for this traffic and so packets are sent to Nirvana.
There is a quick fix for this: if you create blackhole routes for all private networks in use (192.168, 10.x.x.x etc.) with high distance values, they will be used instead of the default route if the VPN is down. The difference is that no sessions will be established to blackhole routes, thus no route cache entries. As soon as the VPN comes up again traffic is routed through the tunnel.
To faciliate this, I've written a batch command script which can be loaded onto the FGT. BH routes are not in use normally so this can be done even as a precaution. I don't think the script is FortiOS version dependent - you'll see.
You can download it in this forum post. Scroll down to my post near the end.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
who confirms that this is a VPN IPSec issue? To confirm this try to find out what IKE does meaning the tunnel:
diagnose debug reset
diagnose debug application ike -1
diagnose vpn ike log-filter
diagnose debug enable
NOTE if you have many IPSec on the device you should filter with command below this means with this command you configure a filter which is used within the debug:
# diagnose vpn ike log-filter list vd: any name: any interface: any IPv4 source: any IPv4 dest: any IPv6 source: any IPv6 dest: any source port: any dest port: any autoconf type: any autoconf status: any
# diagnose vpn ike log-filter ? clear Erase the current filter. dst-addr4 IPv4 destination address range to filter by. dst-addr6 IPv6 destination address range to filter by. dst-port Destination port range to filter by. interface Interface that IKE connection is negotiated over. list Display the current filter. name Phase1 name to filter by. negate Negate the specified filter parameter. src-addr4 IPv4 source address range to filter by. src-addr6 IPv6 source address range to filter by. src-port Source port range to filter by. vd Index of virtual domain. -1 matches all.
To clear at the end the filter use "diagnose vpn ike log-filter clear"
Such things can happen for various reason and must be not related to VPN like:
- keylifetime in phase1 not set correctly on both sites which means one site has the view the key is not anymore valid and the other has the view it is valid. At the end the tunnel must be refreshed.
- devices are based on dhcp ISP IP and not fix which means you are working with dyndns which means if the DHCP lease from IPS is renewed there is such a symptome you describe.
Try to eliminate all factors to find out to which technology the issue is related like, RDP server, ISP connection, VPN etc. etc. only if 100% it is confirmed that it is VPN only related it makes sense to investigate.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This might be caused by traffic following the wrong route.If that is the case, here's an explanation and a fix.
If the VPN is interrupted shortly the FGT will send out the traffic intended for the private LAN on the other side of the VPN to the WAN port, following the default route. Once this session is established it is cached in the routing cache. When the VPN comes up again, there is already a session for this traffic and so packets are sent to Nirvana.
There is a quick fix for this: if you create blackhole routes for all private networks in use (192.168, 10.x.x.x etc.) with high distance values, they will be used instead of the default route if the VPN is down. The difference is that no sessions will be established to blackhole routes, thus no route cache entries. As soon as the VPN comes up again traffic is routed through the tunnel.
To faciliate this, I've written a batch command script which can be loaded onto the FGT. BH routes are not in use normally so this can be done even as a precaution. I don't think the script is FortiOS version dependent - you'll see.
You can download it in this forum post. Scroll down to my post near the end.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you i will test and reply.
NSE 8
NSE 1 - 7
NSE 8
NSE 1 - 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ede_pfau...I cannot thank you enough.... Our Problem: RDP connections over dialup IPsec tunnels (Forticlient-Fortigate) disconnecting
Your post here and your explanations solved a major problem for our company. Trying to work remotely and to establish a lot of Dialup IPsec VPN connections (Forticlient-Fortigate) we have discovered that each time someone connected or disconnected a VPN dialup tunnel, all the other RDP sessions were disconnected and then reconnected in a few seconds. Enough however to mess up all the screens and windows. Not to mention the annoyance of getting that every minute or so. I would have never guessed that a missing route may be the cause of all this. We suspected the internet connections, the congestions and whatever else we could think of, except routes. IMO that should not have been the default behaviour of Fortigate firewalls and these routes should have been implicit. Many thanks again ! All the best !
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Which firmware do you use? (if 5.2.X, try to see if the connectivity issue appear when you apply firewall rules..)
Is the issue appear on all remote site in the same time ? You can try to disable the npu offload for IPSEC (on phase1, set npu_offload disable)
Related Posts
- Remote VPN Issue 119 Views
- Assistance Needed: Routing Issue with FortiGate... 356 Views
- FortiSASE SPA Deployment 114 Views
- Cisco Multicast Ping ICMP reply not... 215 Views
- Trouble Receiving DHCP Packet Over S2S... 280 Views
Labels
-
FortiGate
6,507 -
FortiClient
1,300 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
262 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
71 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiAuthenticator
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.