fortinet/azure-templates

A/A with ELB and ILB VPN Site 2 Site

sanktis opened this issue · 8 comments

Hi, I have an A/A setup
[https://github.com/fortinet/azure-templates/tree/main/FortiGate/Active-Active-ELB-ILB]
We would like to terminate a Site-to-Site tunnel on the Fortis.
The tunnel is coming up and the session sync is enabled.
But not all sessions are successfully going through the ELB > Forti > ILB > Server > ILB > Forti path.

I see in the monitoring that on one Forti only traffic outgoing to the tunnel is visible, but not incoming.

If I disable one of the Fortis, or the internal interface of one of them, the VPN is working as expected.

Hi,

Thank you for reaching out. How have you set up your VPN tunnel on the Active/Active cluster? Have you added additional public IPs on the FortiGate port1 interfaces, have you used Inbound NAT rules, or something else? These are crucial items to be able to debug your setup.

Regards,

Joeri

gacpac commented

Hi,

I had a ticket for months with Fortinet; the GitHub documentation is outdated. Please make this setting in the Azure load balancer for UDP 500 and 4500 and let me know if it fixes it. It did for me. They also recommended setting the tunnel to passive-mode, which I didn't have to do.


```
config vpn ipsec phase1-interface
    edit <phase1-interface-name>
        set passive-mode enable
    next
end
```

https://community.fortinet.com/t5/Customer-Service/Technical-Tip-How-to-make-sure-the-FortiGate-will-act-as-a/ta-p/244166

jvhoof commented

Hi gacpac,

Thank you for reaching out. Which setup are you using? I assume an Active/Passive with ELB and ILB? Indeed, for such a setup it is recommended to configure the External Load Balancer with 2 rules for UDP 500 (IKE) and UDP 4500 (NAT-T).

This is documented on the link below and linked in the configuration section of the Active/Passive ELB/ILB page:
https://github.com/40net-cloud/fortinet-azure-solutions/blob/main/FortiGate/Active-Passive-ELB-ILB/doc/config-inbound-connections.md#configuration---ipsec

Additionally, we recently added an FAQ page with additional information:
https://github.com/40net-cloud/fortinet-azure-solutions/blob/main/FortiGate/Documentation/faq-ipsec-connectivity.md

The passive mode helps to make sure the branches are the ones setting up the VPN connection.

Hope this gives you some more insight.

gacpac commented

@jvhoof Look at my picture again, your setup is outdated. I spent months with support until they finally figured it out in their lab.

jvhoof commented

Hi @gacpac,

I can see that you have changed the client persistence from 5-tuple to 2-tuple, and I would need more information about your setup and what behavior this solved so I can review and update the documentation. This issue was opened for an Active/Active setup, while the doc we discuss is about an Active/Passive setup.

I can understand that you have spent much time with our support on this, and we certainly would like to provide up-to-date information. We have many customers that I know of running this setup with the 5-tuple persistence. The best option is to enable the passive mode to make sure the tunnel is set up from the remote site to the FortiGate cluster in Azure. This is because of the public IP address Azure selects for outbound connections.

It would be great if you could provide me with the ticket number so I can review this. You can connect with me on LinkedIn (same username) or I can provide you a Fortinet email address so I can review your case.

Regards,

Joeri
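A defender-side check of the two load balancer rules discussed above (UDP 500 and 4500, and their 5-tuple vs 2-tuple persistence), as an added example that is not from this thread or from the Fortinet templates. It assumes the JSON shape printed by `az network lb rule list` (keys `protocol`, `frontendPort`, `backendPort`, `loadDistribution`, `enableFloatingIp`) and uses a constructed sample.

```python
import json

# Ports the thread says the external load balancer must forward to the FortiGates.
IPSEC_UDP_PORTS = {500: "IKE", 4500: "NAT-T"}

# Azure loadDistribution values mapped to the tuple names used in the thread.
PERSISTENCE = {"Default": "5-tuple", "SourceIPProtocol": "3-tuple", "SourceIP": "2-tuple"}


def audit_ipsec_rules(rules_json: str) -> dict:
    """Return, per IPsec port, whether a matching UDP rule exists and its persistence.

    Input is assumed to be the JSON list printed by `az network lb rule list`.
    """
    rules = json.loads(rules_json)
    report = {}
    for port, proto_name in IPSEC_UDP_PORTS.items():
        matches = [
            r for r in rules
            if str(r.get("protocol", "")).lower() == "udp"
            and r.get("frontendPort") == port
            and r.get("backendPort") == port
        ]
        if not matches:
            report[proto_name] = {"present": False}
            continue
        rule = matches[0]
        dist = rule.get("loadDistribution", "Default")
        report[proto_name] = {
            "present": True,
            "rule": rule.get("name"),
            "persistence": PERSISTENCE.get(dist, dist),
            "floating_ip": bool(rule.get("enableFloatingIp", False)),
        }
    return report


# Constructed sample: an IKE rule with 2-tuple persistence, and no NAT-T rule at all.
SAMPLE_RULES = json.dumps([
    {"name": "ike", "protocol": "Udp", "frontendPort": 500, "backendPort": 500,
     "loadDistribution": "SourceIP", "enableFloatingIp": False},
    {"name": "https", "protocol": "Tcp", "frontendPort": 443, "backendPort": 443,
     "loadDistribution": "Default", "enableFloatingIp": False},
])

if __name__ == "__main__":
    for name, info in audit_ipsec_rules(SAMPLE_RULES).items():
        print(name, info)
```

Run it against the real output of `az network lb rule list --lb-name <elb> --resource-group <rg> -o json` to see which of the two rules is missing and which persistence mode each one uses.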

gacpac commented

For my setup behind the load balancer I'm using the public IP of the load balancer for IPSec connectivity.

Look at ticket number 8304588 for more internal details. If you want to get on a call, I also have a Microsoft Azure ticket open.

I have a similar issue: "set passive-mode enable" is not available for my IPsec VPN.
Any ideas?

gacpac commented

Oh, BTW, the command only needs to be on the Azure firewall, not the sites. And you should have the command available over the CLI; maybe open a ticket with Fortinet and let us know. Maybe you have other errors in your setup.