Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sw2090
Honored Contributor

[IPSec VPN] very strange behaviour

Hiho,

 

I just got this strange issue here:

 

two FGT 100E with 6.0.8 running. Between both is an ipsec tunnel.

Side A says (in IPSec Monitorr) the tunnel is up

Side B say (-"-) the tunnel is down

Side B still gets new SA Requests for that tunnel from Side A

 

In Debug Log on Side A you see that Side A is doing the complete handshale and even sends the tunnel up snmp trap to side B.

On Side B you only see new SA Requests from Side A and then negtiation timeouts.

 

P1 auto negotiation is disabled on Side B but enabled on Side A

 

I have no clue why this happens...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
1 Solution
localhost

You have two Fortigates running same hardware and same software release.

I guess you compared the IPSEC tunnel settings in the CLI on the Fortigates, and verified the Tunnel settings are the same on both sides?

Firewalls Policies are also correct, otherwise the tunnel would not initiate at all.

 

So what else could be the reason it doesn't work?

Either some network device is dropping packets in your network path. Be it the ISP or some other device.

Or you are running into a software bug on the Fortigate.

 

That's why I suggested setting NAT-T to forced (not just enabled) and disabling np-offload on the phase1.

View solution in original post

9 REPLIES 9
localhost
Contributor III

Hey

 

I've seen a lot of ISP's doing very weird stuff to IPSEC tunnels.

 

So in this case I would try to:

- enable force NAT Traversal (UDP 4500 instead of ESP)

 

Also I ran in multiple NP offload bugs on various FortiOS releases:

- to fix: set np-offload disable on the phase1 tunnel

emnoc
Esteemed Contributor III

Did you run any diag commands?

 

    diag vpn ike gateway

    diag vpn tunnel list

 

And lastly if DPD is not being used, enable it in your phase1-interface config thru the cli. I highly doubt the ISP is culprit here.

 

Ken felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
sw2090
Honored Contributor

NAT-T and DPD are already enabled. 

I even see Side A sending NAT keepalives to side B and also DPD Packets but on those I see no response from Side B.

 

I did diag vpn ike gateway clear name <tunnel> on the tunnel and

didag von ike restart 

both on both sides with no change.

 

As I said there is various other IPsecs to other sides that use tha same wan on SIDA as well as there is on Side B and those all work fine. So I wouldn't blame the ISP.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
localhost

You have two Fortigates running same hardware and same software release.

I guess you compared the IPSEC tunnel settings in the CLI on the Fortigates, and verified the Tunnel settings are the same on both sides?

Firewalls Policies are also correct, otherwise the tunnel would not initiate at all.

 

So what else could be the reason it doesn't work?

Either some network device is dropping packets in your network path. Be it the ISP or some other device.

Or you are running into a software bug on the Fortigate.

 

That's why I suggested setting NAT-T to forced (not just enabled) and disabling np-offload on the phase1.

sw2090
Honored Contributor

As I said I don't think it is the isp since there are other tunnels on that same isp on both sides and those work. If the ISP would drop packets that would affect all tunnels on that wan.

 

I will have a look at the other options you mentioned.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

ok I set nat-t for force and npf-overload to disable on both sides.

Result is still the same.

I btw also opened a Ticket with TAC.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
sw2090
Honored Contributor

TAC ticket has escalated one up ;)

We'll see...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
localhost

sw2090 wrote:

TAC ticket has escalated one up ;)

We'll see...

Were you able to fix the issue?

Doan_An_Phuong

His case, has applied, and has worked smoothly

My Blog Workhard https://www.andon.vn

My Blog Workhard https://www.andon.vn
Labels
Top Kudoed Authors