Lifetime/rekey: 28800/27777 <- HERE the value for the lifetime
IPsec SA: created 1/5 established 1/5 time 10/44/60 ms
IKE SA: created 1/1 established 1/1 time 20/20/20 ms

Now for the IKE phase1 the lifetime is the industry std 28800, e.g. for determining that value for the FGT-FAZ ipsec tunnel at phase1:

FG3K2C3Z13800237 (root) $ diag vpn ike gateway list name FGh_FtiLog1 | grep time

You will see the SA lifetime is counting down at 1800sec, which matches the FAZ diag debug app ipsec output.

That's why it's not listening after the reboot of the appliance.

1: execute the above command and immediately execute diag vpn tunnel list name

I don't think the issue in general is with DHCP either, but it's just the problem that the service is not correctly binding the address to the port if DHCP is set.

You could set a static reservation for the FAZ if your concern is address lease/renewals. I don't believe the DHCP is the issue btw. My apices tunnels which are direct with no NAT work fine.

Yes, like the one I posted above, I only see the packets from the FGT, there are no packets in the other direction.

When the ipsec tunnel drops, did you run any diag sniffer packet "port 500 or 4500" and see if anything is being sent between FGT and FAZ?

I can't find anything regarding a lifetime for the IPsec tunnel, neither in the FAZ CLI reference nor in the FGT CLI reference.

I'm not sure about the topology: the FGT is directly connected to the internet; the FAZ only has a private IP and is NATed to a public IP via Azure settings, but it's a 1:1 NAT.

Does the firewall that sends packets to the FAZ have an up lifetime setting that you can modify? If yes, can you set the session lifetime to an extreme lifetime?

You are right about that: when the tunnel worked for a short period of time, the first packets were done via port 500, and then it switched to port 4500, like it should, because NAT is detected.

Do you have a topology map of ALL of the devices in the path from FGT -> FAZ AWS? I don't recall any means for enabling a NAT-T keep alive function on the FAZ directly. I believe if you're coming thru a NAT device at the FAZ end and IKE NAT-T is required due to this NAT, your NAT-T device might be a cause.

So as you can see, no private IP (it's just a snippet, but usually the local IP socket should be right under or above the loopback socket).

Qs: What method are you using to determine IPsec is not working on the FortiAnalyzer?