- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Redundant VPN config help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Redundant VPN config help
Hello all, have a VPN project and having a problem. Almost got it though...
I have a 200E and a test 60E at a remote site I want to set up a VPN between the 2 sites, but have redundancy for the 200E if an ISP goes down at the 200E location. 200E config: WAN1 - ISP1WAN2 - ISP2 Primary VPN on WAN1 - working 10/0Backup VPN on WAN2 - not working on failover 20/0 link-monitor configured on both WAN1 and WAN2 60E config: WAN1 - ISP1 (only 1 ISP here) Primary VPN on WAN1 - Connects fine to primary on 200E to WAN1 10/0Backup VPN on WAN1 - Would connect to the WAN2 IP of the 200E 20/0 link-monitor running on WAN1 (only to match configs of FGs) If I software disable WAN1 or pull the Eth out of WAN1 -- Internet switches over to WAN2, no downtime. 200E primary VPN was working perfectly. After WAN1 goes offline, drop in vpn traffic seen but Backup VPN does not come online. I can see phase 1 success messages for backup VPN, but no traffic passes or tunnel showing online. What am I missing?
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
please share the below command output
diag vpn ike log filter name <phase1-name> diag debug app ike -1 diag debug enable
Regards
Mahesh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh p mohan wrote:Hi
please share the below command output
diag vpn ike log filter name <phase1-name> diag debug app ike -1 diag debug enable
Regards
Mahesh
Here was the output:
Connected FG200 # diag vpn ike log filter name H
FG200 # diag debug app ike -1Debug messages will be on for 20 minutes.
FG200 # diag debug enable
FG200 # ike 0: cache rebuild doneike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connectionike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0: cache rebuild doneike 0: cache rebuild doneike 0:H_Backup: auto-negotiate connectionike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
ike 0: cache rebuild doneike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.ike 0: cache rebuild doneike 0: cache rebuild doneike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.ike 0: cache rebuild doneike 0: cache rebuild doneike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.ike change cfg 1 interface 0 router 0 certs 0 <Manual disable of WAN1 here>ike 0: cache rebuild done
ike 0: HA syncing disabled
ike 0:H: local-addr 173.xx.xx.xxike 0:H: oif 17ike 0:H_Backup: local-addr 67.xx.xx.xxike 0:H_Backup: oif 18
ike 0:RemoteMacOS: local-addr 173.xx.xx.xx
ike 0:RemoteMacOS: oif 17ike 0: policy 2 disabled, ignoring
ike 0: policy 11 disabled, ignoringike 0:internal: add addr 10.xx.xx.0-10.xx.xx.255ike 0: policy 13 disabled, ignoring
ike 0:H: schedule auto-negotiateike 0:H_Backup: schedule auto-negotiate
ike config update doneike 0: cache rebuild done <ALL VPN DOWN AT THIS POINT, Backup not connecting>
ike 0: cache rebuild doneike 0: cache rebuild doneike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.ike 0: cache rebuild done
ike 0: cache rebuild doneike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.ike 0:H: carrier downike 0: cache rebuild doneike 0: cache rebuild doneike 0:H: auto-negotiate connection
ike 0:H: created connection: 0x1429dbf0 17 173.xx.xx.145->73.xx.xx.xx :500.
ike 0: cache rebuild doneike 0: cache rebuild done
ike 0:H_Backup: auto-negotiate connection
ike 0:H_Backup: created connection: 0x1409e5e0 18 67.xx.xx.xx->73.xx.xx.xx :500.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Did you reproduce the issue when taken the log ?
policy 2 ,11 and 13 related to vpn ?
share the below log
config firewall policy
edit 2
show
next
edit 11
show
next
edit 13
show
end
Regards
Mahesh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hm I do it this way here:
WANs are on WLLB/SDWAN with connectivity checks
There is two tunnels which are always up (execpt if one ISP fails of course).
I have static routes for the subnets I want to reach ovr the vpn (and vice versa if needed).
These routes are redundant - there is one for each vpn. They have the same distance but different priorities.
Then there is policies for the subnets I need to reach or need to reach me. These have to be redundant too. One or each vpn.
This leads to this:
the tunnel that has the lowest routing prio will be used primary. If that goes down the route with the next higher prio will be used to route the traffic.
This works fine here in 20 locations and 1 central :)
hth
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Automatically Ban Malicious Inbound IPs using... 46 Views
- Adding HA Cluster of two 60F... 81 Views
- Hub-Spoke With Redundant Tunnels 66 Views
- Routing Issue on FortiGate 7.2.8 172 Views
- Public Key login not working on... 88 Views
Labels
-
FortiGate
6,451 -
FortiClient
1,287 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.