I have a FortiGate 60E that I successfully used to create a VPN to an Azure virtual network (see here). It had the 6.0.4 firmware.
Recently, I updated the FortiGate firmware to 6.2.0 and the VPN came up correctly, but after a few days it stopped routing anything. The VPN was still up on both sides, but I couldn't see anything. Rebooting the FortiGate had no effect.
So I deleted all the VPN objects on Azure and recreated everything from scratch. It worked again... for a while.
So I decided to downgrade the FortiGate to 6.0.5 (released a few days ago), without changing anything in Azure. It worked again... for around 15 hours. And now it's down.
I will try downgrading again to 6.0.4, but I am starting to think that may not be it. When I redid everything in Azure, it came back up. The second time I did nothing in Azure, and it came back up. So I am starting to think that it's something on the FortiGate side that brings up the VPN but then messes up.
On another, older FortiGate I have the exact same setup (but firmware 5.6.8), and it has been working flawlessly for weeks.
-- EDIT --
On further inspection, I looked at the logs and found a Dead Peer Detection error:
The tunnel_stats events before that show sent and received bytes (bidirectional), but all tunnel_stats events after the dpd_failure show only sent bytes; received bytes are always zero.
-- END EDIT --
-- EDIT 2 --
Last night I downgraded to 6.0.4 and the VPN did not come back up.
I had a deeper look at the logs and found that same DPD error every day at exactly the same time, just after 11 am. It just happened that yesterday's DPD error closed the tunnel for good.
-- END EDIT 2 --
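The pattern described in the two edits (a dpd_failure event after which every tunnel_stats record reports sent bytes but zero received bytes, recurring at the same hour each day) can be picked out of an exported FortiGate event log mechanically. The script below is an added example and is not part of the original post or anything shipped by Fortinet or Microsoft. It assumes FortiGate's key=value event-log format and the field names `action`, `status`, `vpntunnel`, `sentbyte`, `rcvdbyte`, `date` and `time`; those names are assumptions, not quoted from the post, and the sample log lines are constructed for the example, not copied from the author's device.

```python
"""
Added example, not from the original post: scan FortiGate-style IPsec event
logs for a dpd_failure after which every tunnel-stats record shows rcvdbyte=0
(traffic leaving but nothing coming back), and count how often dpd_failure
recurs at the same hour of day.

Assumption: FortiGate event logs are space-separated key=value pairs and use
the field names action, status, vpntunnel, sentbyte, rcvdbyte, date, time.
The SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import Counter, defaultdict

# key=value, value either "quoted with spaces" or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample: day 1 has a DPD failure the tunnel recovers from,
# day 2 has a DPD failure after which only sent bytes are ever counted.
SAMPLE_LOG = """\
date=2019-06-10 time=10:58:00 type="event" subtype="vpn" action="tunnel-stats" vpntunnel="to_azure" sentbyte=182044 rcvdbyte=94710
date=2019-06-10 time=11:02:00 type="event" subtype="vpn" action="dpd" status="dpd_failure" vpntunnel="to_azure" msg="IPsec DPD failure"
date=2019-06-10 time=11:08:00 type="event" subtype="vpn" action="tunnel-stats" vpntunnel="to_azure" sentbyte=203112 rcvdbyte=101330
date=2019-06-11 time=11:01:00 type="event" subtype="vpn" action="dpd" status="dpd_failure" vpntunnel="to_azure" msg="IPsec DPD failure"
date=2019-06-11 time=11:10:00 type="event" subtype="vpn" action="tunnel-stats" vpntunnel="to_azure" sentbyte=40210 rcvdbyte=0
date=2019-06-11 time=11:20:00 type="event" subtype="vpn" action="tunnel-stats" vpntunnel="to_azure" sentbyte=81002 rcvdbyte=0
date=2019-06-11 time=11:30:00 type="event" subtype="vpn" action="tunnel-stats" vpntunnel="to_azure" sentbyte=120770 rcvdbyte=0
"""


def parse_line(line):
    """Turn one key=value log line into a dict, with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def analyze(log_text, min_dead_stats=2):
    """
    Return (dead_tunnels, dpd_by_hour).

    dead_tunnels: {tunnel: timestamp of the last dpd_failure} for tunnels
                  where every tunnel-stats record after that failure had
                  rcvdbyte == 0 (at least min_dead_stats of them, so a single
                  quiet interval is not flagged).
    dpd_by_hour:  Counter of hour-of-day ("HH") for every dpd_failure, which
                  exposes a failure that recurs at the same time each day.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    last_dpd = {}                      # tunnel -> timestamp of latest dpd_failure
    rx_after = defaultdict(list)       # tunnel -> rcvdbyte values since that failure
    dpd_by_hour = Counter()

    for ev in events:
        tunnel = ev.get("vpntunnel")
        ts = f'{ev.get("date")} {ev.get("time")}'
        if ev.get("status") == "dpd_failure":
            last_dpd[tunnel] = ts
            rx_after[tunnel] = []      # start a fresh window after each failure
            dpd_by_hour[ev.get("time", "")[:2]] += 1
        elif ev.get("action") == "tunnel-stats" and tunnel in last_dpd:
            rx_after[tunnel].append(int(ev.get("rcvdbyte", "0")))

    dead = {t: last_dpd[t] for t, rx in rx_after.items()
            if len(rx) >= min_dead_stats and all(r == 0 for r in rx)}
    return dead, dpd_by_hour


if __name__ == "__main__":
    dead, by_hour = analyze(SAMPLE_LOG)
    for tunnel, ts in dead.items():
        print(f"{tunnel}: no bytes received since dpd_failure at {ts}")
    for hour, n in sorted(by_hour.items()):
        print(f"dpd_failure events in hour {hour}: {n}")
```

Run against a real export (for example `analyze(open("event.log").read())`), a tunnel shows up in `dead` only when traffic never resumed after the most recent DPD failure, which separates the daily failure the tunnel survived from the one that took it down; the hour histogram is what makes the "same time every day" recurrence visible without reading the log by hand.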
Any ideas are welcome!