I wanted to inform you that I have set up a new primary tunnel with one of our clients. However, we are experiencing an issue with the stability of their VPN, which is hosted on the Alibaba Cloud platform. The tunnel goes down every 5 minutes, even though our dashboard and IPsec monitor show that the tunnel is still up (we have also confirmed this with Fortinet TAC and captured the logs; it never goes down). On the Alibaba side, they see that the tunnel is stuck at phase 1, and I have to manually restart it, and then the primary tunnel comes up with them. For now I have disabled it, assuming it’s an IP issue or something.
I have also tried creating a secondary tunnel using a different IP from our side and their secondary IP address, but the problem persists. The logs show that phase 1 is deleted every 5 minutes, and then it renegotiates and comes back up. Right now only the secondary tunnel is up, but it’s having issues with frequent disconnections.
Could you please help me identify the cause of this issue? Our system is running on version 7.4.0, and we have another client whose tunnel is working fine without any problems.
B. You have the buggiest and most insecure version of the v7.4 branch. At least bring it up to v7.4.3
C. Do they have keep-alives configured on their side? It would seem to me that the issue is on their end. Is the secondary tunnel you set up with them using the same infrastructure on your side (even if a different IP), or totally different infrastructure? If it’s different, then it is on them. What are their key lifetime values set to?
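For reference, here is where the settings asked about above (keep-alives, DPD and key lifetimes) live on the FortiGate side, plus the diagnose commands to watch phase 1 being torn down. This is an added example, not configuration from any of the posters; the tunnel names "alibaba-p1"/"alibaba-p2", the interface "wan1", the peer address 203.0.113.10 and the subnets are placeholders, and the lifetimes shown are just defaults to compare against whatever the Alibaba side is configured with, not values to copy. The `diagnose vpn ike log filter rem-addr4` form is the 7.x syntax; older releases used `log-filter dst-addr4`.

```fortios
# Phase 1 (IKE SA): the IKE key lifetime and dead peer detection live here.
config vpn ipsec phase1-interface
    edit "alibaba-p1"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 86400               # phase 1 lifetime in seconds; line this up with the peer
        set dpd on-idle                 # DPD probes only when the tunnel is idle
        set dpd-retryinterval 10
        set dpd-retrycount 3
        set psksecret xxxxxxxx
    next
end

# Phase 2 (IPsec SA): the child SA lifetime, auto-negotiate and keepalive live here.
config vpn ipsec phase2-interface
    edit "alibaba-p2"
        set phase1name "alibaba-p1"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set keylifeseconds 3600         # IPsec SA lifetime; compare with the peer's value
        set auto-negotiate enable       # bring the SA up without waiting for traffic
        set keepalive enable            # keep the child SA up while idle
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.255.0
    next
end

# Watch the IKE exchange with this peer while the drop reproduces.
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable
# ... wait for the next teardown, then stop the capture:
diagnose debug disable
diagnose debug reset

# Current SA state and the lifetimes actually negotiated with the peer.
diagnose vpn ike gateway list name alibaba-p1
diagnose vpn tunnel list name alibaba-p2
```

When the IKE debug shows who sends the delete notify, and the `gateway list` output shows the negotiated lifetimes, you can tell whether the teardown is initiated locally (DPD timeout or rekey) or by the peer, which is the distinction the questions above are driving at.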
Upgrade to at least 7.4.3 (or downgrade to 7.2.7) before doing anything. I see very little point in troubleshooting a buggy release when you have better options.
There is a known issue with IPSec tunnels dropping in 7.4.2 and 7.4.3. I don’t know if it exists in 7.4.0 (issue does not exist in 7.4.1).
I would recommend going to 7.2.7 for the moment unless there is specific functionality you need from 7.4.x. (in my case there IS specific functionality that I need, and am still waiting until they fix the IPSec tunnel bug in 7.4.x).
In regards to the bug part, they work in mysterious ways. If everything looks to be correctly configured, I wouldn’t bother troubleshooting any more before I’ve upgraded to 7.4.3 or, preferably, downgraded to 7.2.7. Worst case scenario, you can test it, and if it doesn’t solve the issue you can restore your 7.4.0 config.
I’m assuming that if the version had a bug, then it should have the bug for other tunnels too. Correct me if I’m wrong.
That’s not a good assumption. The specifics of the bug might not be manifest with every tunnel. There may be something specific about that infrastructure you’re trying to connect with that triggers it.
Putting the secondary tunnel on the same infrastructure as the one with the problem won’t prove much of anything. You need to isolate the test tunnel from the primary one – different infrastructure with different ISP would be best, so you can legitimately and definitively rule out more things at one time.
It might be useful to see a sanitized version of the appropriate parts of your config.
But first, you really need to update your firmware in some direction, as u/RedditSold0ut suggested.