fortinet/azure-templates

Traffic stops in IPsec VPN tunnel during failover

ahmedali3030 opened this issue · 3 comments

During testing of the HA failover between 2x FortiGates, when we shut down the active FG we found that the IPsec VPN tunnel on the secondary is up but passes no traffic; we must re-establish the IPsec tunnel manually for traffic to work again.

For the time being we are still facing an issue in the network landing zone: when we try to fail over to the secondary FortiGate, the traffic is not routed automatically and we have to restart the tunnel manually.

Accordingly, we are going to investigate the FortiGate as well as the external load balancer configurations to detect the root cause of the issue.

Please keep us updated if you have any news regarding the above-mentioned issue. Thanks.

Hi,

Thank you for opening an issue here. What you are reporting would be better solved via our support (https://support.fortinet.com). There could be multiple issues on both the load balancer and the FortiGate.

Have you configured the Load Balancing rule with Floating IP disabled? Maybe you can configure the FortiGate cluster in Azure as being the passive side in the tunnel.

Regards,

Joeri

1- Have you configured the Load Balancing rule with Floating IP disabled?
I will check the Floating IP status, but which rule do you need checked on the external LB / External LB?

2- Maybe you can configure the FortiGate cluster in Azure as being the passive side in the tunnel.
answer a) Can you clarify what the cluster configuration is that is not found in the active-passive ELB-ILB template? Maybe it is found in the active-active ELB-ILB template! Is it mandatory to configure the cluster for the FortiGate cluster in Azure?!
answer b) Why, after configuring probe-response on 2x FG for 4x NIC, is it not shown for the HA port and Mgmt port?

    # FortiOS CLI: global probe-response service, as posted (config header added for completeness)
    config system probe-response
        set http-probe-value OK
        set mode http-probe
    end

For the IPsec configuration I would like to refer you to the following link, which gives the IPsec load balancing rules needed for your setup:
https://github.com/40net-cloud/fortinet-azure-solutions/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#configuration---ipsec

Probe-response:
To allow the "probe response", it needs to be allowed as a service on each interface. The global configuration 'config system probe-response' you mentioned only enables the service. As we have an internal and an external load balancer that are only used on port1 (external) and port2 (internal), we only allow "probe response" on these interfaces.

I hope this clears up your questions.

Joeri
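The per-interface setting the reply describes, written out as an added FortiOS CLI example; it is not from the issue or from the fortinet/azure-templates repository. It assumes the interface names port1 (external) and port2 (internal) from the thread, and the probe port 8008 and the ping/https/ssh services on those interfaces are assumed values.

```text
# Global service: only enables the HTTP responder the Azure health probe talks to.
# Port 8008 is an assumed value; the LB health probe must target the same port.
config system probe-response
    set port 8008
    set mode http-probe
    set http-probe-value OK
end

# Per-interface: probe-response must be in allowaccess on every interface that
# a load balancer probes. Only port1 (external LB) and port2 (internal LB) need it;
# the HA and management ports are not probed, so they stay without it.
# Note: "set allowaccess" replaces the whole list, so repeat the services already in use.
config system interface
    edit "port1"
        set allowaccess ping https ssh probe-response
    next
    edit "port2"
        set allowaccess ping https ssh probe-response
    next
end

# Verify: the allowaccess line of each probed interface should list probe-response.
show system interface port1
show system interface port2
```

After applying this on both cluster members, the Azure health probe for each interface should turn healthy; if it stays unhealthy, check the probe port and the network security group before the VPN itself.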