[AusNOG] Fortigate IPSec VPN Issue PPPoE/VDSL2

Jason Leschnik jason at leschnik.me
Sun Jul 16 19:04:32 EST 2017


Thanks to all of those who contacted me off list with suggestions and interest.

Our device in Sydney ended up kicking the bucket very hard during the
troubleshooting and has been replaced under warranty. The device began
to sporadically drop/block traffic for some connected clients while
allowing others, along with all kinds of strange behaviour.

It's been a very strange issue to troubleshoot, but hopefully that will
be the last of it.

Regards,
Jason.



On 9 July 2017 at 11:29, Jason Leschnik <jason at leschnik.me> wrote:
> Hi all,
>
> Currently we have 2 x Fortigate 80Ds at two different sites. We are
> having an issue where the IPSec VPN drops and never comes back up
> after around 1-3 days. The site that is dropping is using a ZTE
> (swapped with a Broadcom NF4V) VDSL2 modem.
>
> The issue is that after around 20 or so hours the VPN will all of a
> sudden begin failing to establish phase 1 of the tunnel, and it
> will be stuck on that for around 10 hours or until the device is
> rebooted.
>
> I'm still not convinced it's an issue with the Fortigate itself, as I
> can drive the Phase 1 and Phase 2 timeouts down until they are
> practically as low as I can get them (Phase 1 – 240 seconds, Phase 2 –
> 120) and they will renegotiate over and over without issue.
>
> Currently the issue is being resolved somewhat ham-fistedly by
> rebooting the units, as every attempt to restart the tunnel through
> the CLI fails.
>
> If anyone has seen this issue before, please reply or contact me
> off list. I'm not sure if this is appropriate for AusNOG; if it's not,
> please administer the lashings.
>
> Regards,
> Jason.

