[AusNOG] Fortigate IPSec VPN Issue PPPoE/VDSL2

Jason Leschnik jason at leschnik.me
Sun Jul 9 11:29:56 EST 2017


Hi all,

Currently we have 2 x Fortigate 80Ds at two different sites. We're having
the issue that the IPSec VPN is dropping and never coming back up
after around 1-3 days. The site that is dropping is using a ZTE
(swapped with a Broadcomm NF4V) VDSL2 modem.

The issue is that after around 20 or so hours the VPN will all of a
sudden begin failing to establish phase 1 of the tunnel, and
it will be stuck on that for around 10 hours or until the device is
rebooted.

I'm still not convinced it's an issue with the Fortigate itself, as I can drive
down the Phase 1 and Phase 2 timeouts until they are practically as
low as I can get them (Phase 1 – 240 seconds, Phase 2 – 120) and they
will negotiate over and over without issue.

Currently the issue is being resolved somewhat ham-fistedly by
rebooting the units, as every attempt to restart the tunnel through the
CLI fails.

If anyone has seen this issue before, please reply or contact me
off-list. I'm not sure if this is appropriate for AusNOG; if it's not,
please administer the lashings.

Regards,
Jason.

