sw2090
Honored Contributor

FGT lost some IPSec connection

Over the weekend this occurred: a bunch of tunnels went down and refuse to come back up. I do not see any error in the debug log, just the FGT initiating the tunnel and sending DPD requests.

I've cleared all sessions in both directions on both sides for the corresponding remote gw

I flushed and reset the tunnel and gateway on both sides

with no effect. 

All affected IPSec tunnels used to work fine until last weekend.

 

Does anyone have some advice?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Toshi_Esumi
Esteemed Contributor III

Are you seeing those packets reaching the other end, and vice versa? If a bunch of IPsec tunnels suddenly went down, the first thing I would suspect is the Internet in between, likely a specific carrier in a specific region.
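The checks both posts describe, as an added example that is not part of the original thread: confirming whether IKE packets actually reach the peer (the question above) and the session clear / gateway flush the original poster already tried, written out as FortiOS CLI commands. The phase1 name "shop01" and the peer address 203.0.113.10 are placeholders, and the IKE log-filter syntax differs between FortiOS versions, so adapt it to yours.

```text
# Added example, not from the thread. Phase1 name "shop01" and peer
# 203.0.113.10 are placeholders; substitute the affected gateway.

# 1. Current IKE SA and tunnel state for the affected gateway
diagnose vpn ike gateway list name shop01
diagnose vpn tunnel list name shop01

# 2. Do IKE packets leave, and does the peer answer? (UDP 500 / 4500)
#    Run this on BOTH ends. If this side only shows outbound packets and the
#    remote side sees nothing arriving, the path in between is dropping them.
diagnose sniffer packet any 'host 203.0.113.10 and (udp port 500 or udp port 4500)' 4 0 l

# 3. IKE debug limited to this peer
#    (filter keyword differs by version: "log-filter dst-addr4" on 6.x,
#     "log filter rem-addr4" on 7.x)
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
#    ... wait through a few retransmits / DPD cycles, then stop:
diagnose debug disable
diagnose debug reset

# 4. The reset the original poster describes: clear sessions to the peer,
#    then flush the IKE SA and the tunnel so phase1 renegotiates from scratch
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10
diagnose sys session clear
diagnose vpn ike gateway flush name shop01
diagnose vpn tunnel flush shop01
```

Step 2 is the one that separates the two hypotheses in this thread: a sniffer on both ends showing the initiator's IKE packets never arriving points at the carrier, while packets arriving with no reply (or a reply that the initiator never sees) points at the firewall itself and justifies the reboot the poster is considering.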

m0j0
New Contributor III

This may not be related to your issue, but this sort of thing happens to my home FortiGate every now and then. We have FortiGates spread throughout our offices and never have this issue. My home unit was an 80C but is now a 60D. I've upgraded software many times and still have this issue. It seems that if I get a glitch in my connection, all my tunnels will drop and not come back again. I've tried restarting the IPsec process and all sorts of other things, but have found the only solution is to reboot the firewall.

 

Here's the thing: the difference between my home unit and our offices is that at home I have a VDSL router in bridge mode and I'm doing PPPoE on the FortiGate. It seems to be an issue with IPsec from a PPPoE interface. I've looked into this for a while and never found a solution, so I have just resorted to the reboot-whenever-needed solution.

sw2090
Honored Contributor

@toshiesumi: I am monitoring all external IPs of all shops. Monitoring will even alert me if there is packet loss. But there is no such event in my monitoring. Also on *both* sides other tunnels on the same internet connection do still work correctly.

 

@ : Bridge mode with PPPoE on the FGT is only on one side of the affected tunnels. The other side is mixed. Most don't have bridge mode anymore and are not doing PPPoE on the FGT. Some are.

 

Yes, I tend to do a reboot of the FGT on this side to see if that helps, but I will have to do this tonight outside shop hours...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams