[AusNOG] Fortigate IPSec VPN Issue PPPoE/VDSL2
Jason Leschnik
2017-07-09 01:29:56 UTC
Hi all,

Currently we have 2 x Fortigate 80D's at two different sites. Having
the issue that the IPSec VPN is dropping and never coming back up
after around 1-3 days. The site that is dropping is using a ZTE
(swapped with a Broadcomm NF4V) VDSL2 modem.

The issue is that after around 20 or so hours the VPN will all of a
sudden begin failing to establish phase 1 of the tunnel, and it will
be stuck on that for around 10 hours or until the device is rebooted.

I'm still not convinced it's an issue with the Fortigate itself, as I
can drive down the Phase 1 and Phase 2 timeouts until they are
practically as low as I can get them (Phase 1 – 240 seconds, Phase 2 –
120) and they will negotiate over and over without issue.

Currently the issue is being resolved somewhat ham-fistedly by
rebooting the units, as every attempt to restart the tunnel through the
CLI fails.

If anyone has seen this issue before please reply or contact me
off-list. I'm not sure if this is appropriate for AusNOG; if it's not,
please administer the lashings.

Regards,
Jason.
Jason Leschnik
2017-07-16 09:04:32 UTC
Thanks to all of those who contacted me off list with suggestions and interest.

Our device in Sydney ended up kicking the bucket very hard during the
troubleshooting and has been replaced under warranty. The device began
to sporadically drop/block traffic for connected clients while
allowing others and all kinds of strange behavior.

It's been a very strange issue to troubleshoot but hopefully that will
be the last of it.

Regards,
Jason.