DevinderSharma
New Contributor III

SSL VPN with HA, failover causes VPN to mostly fail on reconnecting [SOLVED]

Hello members,

I am using 6.4.5 on an active-passive pair of FortiGate firewalls. VPN is rock solid when the primary is the unit with the higher HA device priority. When I force a failover to the backup, then of course the VPN disconnects. When I connect back, I can ping across for two or three counts and then the pings stop; after the drops it resumes, then drops again, and the VPN connection itself drops. I log in again and a similar thing happens, or the VPN connection fails right away. I keep trying and after a few tries it works.

And this situation never happens when the primary is the unit with the higher HA priority.

The site-to-site VPN, all VIPs and regular internet access are not affected. It is just the SSL VPN that cannot reliably connect back after a failover.

I have tested with two Windows 10 laptops. The VPN client is the latest.

Thanks

DevinderSharma
New Contributor III

Okay, I have resolved this issue.

The problem was not with the FortiGate setup, but I suspected that it had to do with how the FGCP clustering protocol shifts the IPs around on the interfaces, and thus the resulting MAC address association with the L2 switches upstream and downstream. We have a redundant Internet service wherein the ISP provides two handoffs, each from a different ISP router onsite, and these two Cisco routers run HSRP (like VRRP) and they require an L2 passthrough. So we had a mini switch sitting in between the ISP CPE routers and the two firewalls. I bypassed that mini switch with my own redundant setup through a new 3-port hardware switch inside each FortiGate (I deleted port10, 11 and 12 from the LAN hardware switch and created another hardware switch, added these 3 ports and made sure STP is enabled on these two switches (one in each firewall), and no IP was specified on these switches so that they remain isolated from the network and simply behave as a 3-port hub). I then patched port 12 to port 12, port 11 and port 11 go to the two ISP Cisco routers, and port 10 and port 10 each go to the respective FortiGate internet port. I then spent ten minutes testing, unplugging and plugging the patch cables on these 3 switches to simulate all kinds of failures, and this time my VPN issues are fully resolved.
