VPN Enable/Disable after Ping lost

Hi everyone, does anyone know a method to automatically disable and re-enable a VPN tunnel when a ping is lost? My VPN tunnel sometimes loses its connection when the remote site experiences high latency. Even though the VPN tunnel appears to be connected, I need to manually disable and re-enable it to restore the connection.

We had a similar issue with one of our IPsec tunnels; the logs would report that phase 2 goes down.

So we created an automation stitch (located under Security Fabric). It works well enough that users don't notice the tunnel has any issues.

Trigger: IPsec connection status changed
Action: Custom CLI Script: diag vpn ike gateway flush name [vpn name]

more info on automations: Creating automation stitches | FortiGate / FortiOS 7.2.9 | Fortinet Document Library

more info on the CLI script action: CLI script action | FortiGate / FortiOS 7.2.9 | Fortinet Document Library

Create a blackhole route to the remote network with a higher cost. It will disable the tunnel and renew it.

We started seeing this issue on 7.2.7. Oddly it only affected E series platforms.

You need to make sure both sides have DPD configured and matching. Additionally, you should configure blackhole routing so that, if the VPN goes down, traffic doesn't get sent out a different path and create sessions; otherwise you could possibly need to clear sessions.
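As an added example (not from the poster above), here is what the DPD and blackhole-route advice looks like in FortiOS CLI. The tunnel name "SITE-B", the remote subnet 10.20.0.0/24, the timer values and the administrative distances are assumptions; adjust them to your own tunnel, and apply the same DPD mode and timers on the peer so both sides match.

```text
# Dead peer detection on the phase 1 interface. "on-demand" only sends
# DPD probes when there is outbound traffic and the peer has gone quiet,
# so a tunnel that looks "up" but is dead gets torn down instead of
# silently black-holing traffic. Timer values below are assumptions.
config vpn ipsec phase1-interface
    edit "SITE-B"
        set dpd on-demand
        set dpd-retryinterval 5
        set dpd-retrycount 3
    next
end

# Route to the remote network over the tunnel interface, and a blackhole
# route for the same prefix with a higher (worse) distance. While the
# tunnel is up the first route wins; when DPD brings the tunnel down the
# blackhole takes over, so traffic is dropped rather than leaking out the
# default route and creating sessions that later have to be cleared.
# 10.20.0.0/24 and the distances 10 / 254 are assumptions.
config router static
    edit 0
        set dst 10.20.0.0/24
        set device "SITE-B"
        set distance 10
    next
    edit 0
        set dst 10.20.0.0/24
        set blackhole enable
        set distance 254
    next
end
```

The `#` lines are annotations for reading and are not FortiOS syntax, so strip them before pasting into the CLI. After applying, `get router info routing-table all` should show only the tunnel route for the prefix while the tunnel is up, and the blackhole entry once it drops.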

Ohhh, let me read. Looks like I'm not the only one with this issue.

Can you share the whole script and setup?

Sorry, there isn't an actual script. In the GUI, go to Security Fabric > Automations. Create a new Automation. Name the automation. Add a trigger and an action.

In our case:

We created a new trigger under FortiOS Event Log with the event to monitor as “Progress IPsec phase 2” and “IPsec phase 2 error.”

Created a new action under CLI Script with the script “diag vpn ike gateway flush name NameOfVPN”

You can get a list of all your VPNs with their names by running “diag vpn ike gateway” in the console.
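The GUI steps above, and the trigger/action pair from the earlier reply, expressed as FortiOS CLI configuration. This is an added example, not the poster's own configuration. The object names ("ipsec-ph2-error", "flush-vpn", "vpn-auto-flush"), the tunnel name "SITE-B" and the admin profile "super_admin" are assumptions. The two log IDs are also assumptions: confirm the IDs for "Progress IPsec phase 2" and "IPsec phase 2 error" against the Log Reference for your FortiOS build, or pick them from the event list in the GUI trigger dialog, before relying on them.

```text
# Trigger: fire on the two IPsec phase 2 event-log messages the reply
# mentions. Log IDs are assumptions; verify them for your FortiOS version.
config system automation-trigger
    edit "ipsec-ph2-error"
        set event-type event-log
        set logid 37123 37127
    next
end

# Action: run the same flush command the reply uses. The CLI script action
# runs under an admin profile, so it needs one with VPN rights (assumed
# "super_admin" here). Replace SITE-B with the name shown by
# "diagnose vpn ike gateway".
config system automation-action
    edit "flush-vpn"
        set action-type cli-script
        set script "diagnose vpn ike gateway flush name SITE-B"
        set accprofile "super_admin"
    next
end

# Stitch: wire the trigger to the action.
config system automation-stitch
    edit "vpn-auto-flush"
        set status enable
        set trigger "ipsec-ph2-error"
        config actions
            edit 1
                set action "flush-vpn"
                set required enable
            next
        end
    next
end
```

The `#` lines are annotations for reading, not FortiOS syntax, so drop them before pasting. To test without waiting for a real failure, trigger the stitch by hand with `diagnose automation test vpn-auto-flush` and then check `diagnose vpn ike gateway list name SITE-B` to confirm the IKE SA was rebuilt. Note that the flush only tears down and renegotiates the IKE SA; as the later reply says, it does not administratively disable and re-enable the tunnel.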

Is the command gateway flush going to disable and re-enable the VPN tunnel?

No, but I don’t know the command for that off the top of my head. I’m sure you can find it online though! The automation is what you need, the specific command will depend on the issue you are seeing. You can try the command and see if it works for ya!

Here is some info on what our command does: Technical Tip: How to flush a VPN tunnel - Fortinet Community