I work in Geneva, and we have some issues with the IPsec VPN between FortiGates. The VPN is working fine, and sometimes they stop working even though they are still up. We found that this happens a lot with Swisscom lines.
The VPN is up, the routes are OK, but nothing goes through the VPN. No traffic arrives at the destination. We reboot the ISP router and it works again, or we shut the VPN and turn it back on (by changing the remote IP on the IPsec, and putting back the good one) and then it works again.
Are you aware of this kind of problem? Does it come from the ISP? Is there any way to avoid that?
Are the key lifetimes the same on phase 1 and all phase 2 definitions? I had similar behaviour loads of times where a difference in key lifetime meant the tunnel would establish but wouldn't stay up, as the key exchange started getting skewed over time.
What version of FortiOS are you using on each side?
Is it site-to-site or “hub&Spoke”?
What ISP are you using (is it Swisscom and if so, what product)?
Have you checked whether the packets leave the source FortiGate in the direction of the provider router?
Edit:
Sorry, you mentioned Swisscom lines, so I guess you are using Swisscom as ISP. However, is it Enterprise Connect or is it IP-Plus? Or is it some other product of theirs? My experience is that Enterprise Connect can be somewhat tricky (especially with GRE tunnels), but we have about 100 locations with it and it usually is working. The issues at the moment are with the Enterprise Connect Swisscom backbone (which we all can't do much about).
I've experienced this behavior on an IPsec VPN on FortiGates, and as a workaround we scheduled a nightly IKE reset, which does cause the VPN function to resume.
There was a route overlap at fault, and over time the asymmetric routing seems to overwhelm the VPN: it remains up while not passing traffic, essentially.
Fixing the underlying routing issue doesn't seem like an option with our current leadership, so the workaround is the fix for now.
Do you have a blackhole route for short outages?
Without it, the FortiGate will route to the gateway of last resort when the VPN goes down and keep sessions there after the VPN comes back up.
Restarting the IPsec tunnel or rebooting the FortiGate fixes this until the next outage.
Permanently fix it by verifying there is a blackhole route for the IPsec remote subnets.
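The mechanism this reply describes (sessions created during a tunnel outage sticking to the default gateway, and a higher-distance blackhole route preventing that) is easy to reason about with a small route-table model. The following is an added example, not code from the thread or from Fortinet; it models longest-prefix-match plus administrative distance and a session table that caches its next hop at creation, which is the behaviour the reply describes. The prefixes, the distance values (10 for the tunnel route, 254 for the blackhole, a common convention) and the session-caching rule are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str            # "ipsec-tunnel", "isp-gateway" or "blackhole"
    distance: int       # lower wins among routes for the same prefix
    active: bool = True # a tunnel route is withdrawn while the tunnel is down


def lookup(routes, dst):
    """Longest prefix match, then lowest administrative distance (assumed model)."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.active and dst in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))
    return best.via


REMOTE_SUBNET = ipaddress.ip_network("10.2.0.0/16")   # constructed remote site
TEST_DST = "10.2.5.20"                                 # constructed host behind the tunnel


def build_table(with_blackhole):
    routes = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "isp-gateway", 10),  # gateway of last resort
        Route(REMOTE_SUBNET, "ipsec-tunnel", 10),
    ]
    if with_blackhole:
        # Same prefix, much higher distance: only becomes the best route
        # once the tunnel route is withdrawn.
        routes.append(Route(REMOTE_SUBNET, "blackhole", 254))
    return routes


def set_tunnel(routes, up):
    for r in routes:
        if r.via == "ipsec-tunnel":
            r.active = up


def next_hop_during_outage(with_blackhole):
    """Where new traffic for the remote subnet goes while the tunnel is down."""
    routes = build_table(with_blackhole)
    set_tunnel(routes, up=False)
    return lookup(routes, TEST_DST)


def session_path_after_recovery(with_blackhole):
    """Model of the sticky-session problem the reply describes.

    A session is opened during the outage and caches its next hop. Traffic sent
    to a blackhole is dropped, so no session is installed and the flow is
    re-resolved once the tunnel is back. A session that was sent to the ISP
    gateway survives the recovery and keeps using that stale path.
    """
    routes = build_table(with_blackhole)
    sessions = {}                       # 5-tuple key -> cached next hop
    flow = ("10.1.0.10", TEST_DST, 6, 51000, 445)

    set_tunnel(routes, up=False)
    hop = lookup(routes, TEST_DST)
    if hop != "blackhole":
        sessions[flow] = hop            # session installed with the wrong path

    set_tunnel(routes, up=True)         # tunnel recovers
    return sessions.get(flow) or lookup(routes, TEST_DST)
```

With the blackhole route, `next_hop_during_outage(True)` returns `"blackhole"` and the flow is resolved through the tunnel again after recovery; without it, the outage traffic leaks to `"isp-gateway"` and the cached session keeps that path, which matches the symptom of a tunnel that is up but carries no traffic.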
You need to capture traffic on the two FortiGate units when the problem appears, I think, and you will better understand what is going on. It will be encrypted, but at least you will be able to understand whether it is exiting and entering the firewalls or is dropped in the ISP for some reason.
To me this sounds like packet loss. Whatever is exiting the source firewall should enter the destination firewall and vice versa. You can place filters to count packets on both firewalls in both directions. If you do not have a monitoring portal you can contact your ISP to check for BW utilization and packet loss during the time of your issue. You can spot-check a few ESP packets in Wireshark to see if a random packet is exiting the source fw and entering the destination fw by the sequence number, which is unique.
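The ESP sequence-number comparison suggested above can be automated instead of spot-checked by hand. The following is an added example, not code from the thread: it parses the unencrypted ESP header (SPI and sequence number, RFC 4303) from raw ESP payloads captured on both firewalls and reports which sequence numbers left the source but never arrived at the destination. The captures are constructed inline; in practice the payloads would come from a pcap exported from each firewall, and the SPI value and packet contents used here are made up.

```python
import struct

# ESP header: 32-bit SPI followed by a 32-bit sequence number, network byte order.
# Everything after that is encrypted, which is all we need for loss accounting.
ESP_HEADER = struct.Struct("!II")


def parse_esp(payload: bytes):
    """Return (spi, sequence) from a raw ESP payload (IP/UDP headers already stripped)."""
    if len(payload) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(payload)


def build_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP packet for the example; the body stands in for ciphertext."""
    return ESP_HEADER.pack(spi, seq) + body


def sequences_by_spi(capture):
    """Map SPI -> set of sequence numbers observed in a capture."""
    seen = {}
    for payload in capture:
        spi, seq = parse_esp(payload)
        seen.setdefault(spi, set()).add(seq)
    return seen


def missing_sequences(sent_capture, received_capture):
    """For each SPI seen leaving the source, list sequence numbers not seen at the destination."""
    sent = sequences_by_spi(sent_capture)
    received = sequences_by_spi(received_capture)
    return {spi: sorted(seqs - received.get(spi, set())) for spi, seqs in sent.items()}


def loss_ratio(sent_capture, received_capture, spi):
    """Fraction of packets for one SPI that left the source but never arrived."""
    sent = sequences_by_spi(sent_capture).get(spi, set())
    if not sent:
        return 0.0
    lost = len(missing_sequences(sent_capture, received_capture)[spi])
    return lost / len(sent)


# Constructed captures: ten packets leave site A, the ones with sequence 4 and 7
# never show up in the capture taken on site B's firewall.
SPI_A_TO_B = 0xC0FFEE01
SENT_AT_A = [build_esp(SPI_A_TO_B, n) for n in range(1, 11)]
RECEIVED_AT_B = [p for p in SENT_AT_A if parse_esp(p)[1] not in (4, 7)]

if __name__ == "__main__":
    for spi, lost in missing_sequences(SENT_AT_A, RECEIVED_AT_B).items():
        print(f"SPI {spi:#010x}: lost sequence numbers {lost}, "
              f"loss {loss_ratio(SENT_AT_A, RECEIVED_AT_B, spi):.0%}")
```

Run it on captures taken simultaneously on both FortiGates (the outbound SPI of a tunnel is visible in Wireshark as `esp.spi`, the counter as `esp.sequence`). A non-empty gap list with the tunnel still up points at loss on the ISP path rather than at the firewalls; an empty gap list while traffic still does not flow points back at routing or session state on the receiving unit. Note that a sequence number appearing at the destination before the tunnel's rekey resets the counter is the same SPI, so capture windows should stay within one SA lifetime.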