NickBurns
New Contributor

S2S VPN Tunnel drops every 24 hours

I have a main "hub" FortiGate that has more than a dozen other "branch" FortiGates connected to it over individual S2S VPN connections.  All of these VPN tunnels are very stable and barely ever drop (and when they do, it is due to the ISP).

 

I recently added yet another branch FortiGate and nailed up a new S2S VPN for it back to the hub FortiGate.  I had no issues establishing the tunnel and traffic passes fine in both directions.  The tunnel's Phase1 and Phase2 settings on both ends are identical to the previous tunnels (except of course for the IPs) as well as static routes and IPv4 Policies - all very simple.

 

The problem we are facing is that just about every 24 hours, the tunnel to the new FortiGate drops and all connectivity between the 2 devices is down for 5 to 10 minutes until a new tunnel is established.  We do not have downtime with any other tunnel.  The 24-hour timeframe would match our key lifetime setting, but I need help figuring out why this tunnel can't re-negotiate without issue.

 

Is anyone else having similar issues?

smari
New Contributor

Do you have any tunnel logs during the tunnel down period ?

NSE7, FMG, FAC, FAZ .

1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.

 

NickBurns

I'm relatively new to FortiGates...are you talking Log & Report -> Events -> VPN Events, or is there a deeper level of logging somewhere I should be looking at?

ede_pfau
Esteemed Contributor III

hi,

 

it might just be that your remote ISP forces an interruption, so as to prevent running a server on that line. For this, the public IP would be dynamic and shuffled anew each night. German Telekom used to do this for years.

 

If that is the case here, chances are that tunnel traffic leaks to WAN when the VPN is interrupted. If this created a new session, a tunnel-up will not occur instantaneously. You prevent data leakage and provide for the fastest reconnection of the IPsec tunnel by installing blackhole routes for your/for all private network ranges.

Have a look, for instance, at this post: https://forum.fortinet.com/tm.aspx?m=120834 for details, and a script file which will install all bh routes for you.

 

And yes, a tunnel down is an event so the VPN event log should show something.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
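As an added example (not the script linked in the post above, and not Fortinet's own code), this is the FortiOS CLI form of the blackhole routes described: one static route per RFC 1918 range at administrative distance 254, so that while the IPsec tunnel (and its more specific route) is down, traffic for private destinations is dropped on the FortiGate instead of leaking out the WAN default route and creating a stale session. The comment strings are constructed; `edit 0` lets FortiOS pick the next free route ID.

```fortios
config router static
    edit 0
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
        set distance 254
        set comment "blackhole RFC1918 10/8 - drops traffic while VPN is down"
    next
    edit 0
        set dst 172.16.0.0 255.240.0.0
        set blackhole enable
        set distance 254
        set comment "blackhole RFC1918 172.16/12 - drops traffic while VPN is down"
    next
    edit 0
        set dst 192.168.0.0 255.255.0.0
        set blackhole enable
        set distance 254
        set comment "blackhole RFC1918 192.168/16 - drops traffic while VPN is down"
    next
end
```

Check with `get router info routing-table all` that the tunnel's static routes (distance 10 by default) remain preferred while the tunnel is up and that the blackhole entries only take over when the tunnel interface goes down.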
NickBurns

Hi Ede,

That shouldn't be the case - we have a static IP from our ISP on both ends of the tunnel.  I will double-check to be sure that nothing is happening on their end, but I doubt that it is.  If I manually rebuild the tunnel (which I've tried), the next tunnel drop moves to just under 24 hours after the time that I re-establish the tunnel (instead of the previous recurring time).

 

Nick

smari

Yes, during the tunnel down period do this in the CLI and post the output:

 

diagnose debug enable

diagnose debug application ike -1

 

If you have multiple tunnels you could put in a filter on the debug output using :

 

diagnose vpn ike log-filter <some filter>

 

When I am facing these kinds of problems I usually change my design to a dialup tunnel setup, but that's a personal preference.

NSE7, FMG, FAC, FAZ .

1500D's, 1200D's, 900D's, 300D's, 200D's, 100D's and bunch of small stuff.

 
