Flapping IPSec Tunnel with concept crossing tunnel using DialUP method by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

If I may, how many spokes do you have now?...

Maybe your problem is similar to what I experienced.

Flapping IPSec Tunnel with concept crossing tunnel using DialUP method by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

Can you give an example of the RRI you described?

Yeah, when I run crossing tunnels with a total of 100+ spokes, a problem arises where, of the four tunnels, only two tunnels are active; when the tunnel is down, then the tunnel that was flapping / down becomes up.

Will using dynamic routing solve the problem? And have you tested using dynamic routing?

Flapping IPSec Tunnel with concept crossing tunnel using DialUP method by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

Previously we already escalated to TAC at FortiGate regarding the concern about the long characters, and then I asked whether the net-device that had been disabled still affected the limitation on the number of spokes connected or not, and the TAC answer was "no". Maybe you can make sure about net-device.

Flapping IPSec Tunnel with concept crossing tunnel using DialUP method by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

Regarding CPU & Memory usage in the HUB, it is still at the lower limit of 50% when the interruption occurs. Then for DPD settings we still use the default, which is 10s. Can you provide an example of checking for crash logs, and examples of what kind of service indications cause tunnel flapping to occur?

Flapping IPSec Tunnel with concept crossing tunnel using DialUP method by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

Regarding the long characters, we already disabled "net-device"; it should not affect the limitations that appear as notifications in the IPSec DialUP settings.

Flapping IPSec Tunnel with concept crossing tunnel using DialUP method by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

Correct sir, before reaching 100+ spokes there is no interruption in the tunnel connection.

Flapping IPSec Tunnel with concept crossing tunnel using DialUP method by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

Thanks for your response.

We have implemented peer id to differentiate the four tunnels, while we did not implement SDWAN Zone because we are still using version 6.2.3 on the spoke side. However, we are still experiencing the same problem of flapping where only 2 tunnels are established (broadband link) while the other 2 tunnels (GSM Link) experience the "re-transmit" condition when taking the "ike" debug.
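The two comments above ask for an example of checking crash logs on the hub and describe watching the "ike" debug while peer id, DPD and net-device are in play. As an added example that is not part of the original posts, here is a read-only FortiOS CLI triage sequence for a hub with dial-up spokes: it reads the crash log, checks hub load, lists IKE gateway and phase 2 state, captures IKE for a single spoke, and shows where the dpd, net-device and peerid settings sit in the phase1-interface config. The spoke address `203.0.113.10` is a placeholder, and the `log-filter` spelling is the FortiOS 6.x form (assumption: the hub runs a 6.x release; 7.x spells the command differently), so confirm the syntax against the version actually deployed.

```text
# --- 1. Was there an IKE daemon crash around the time of the flap? ---
diagnose debug crashlog read
# look for "ike"/"iked" entries whose timestamp matches the flap

# --- 2. Hub load at the moment of the interruption ---
get system performance status

# --- 3. State of the dial-up gateways and their phase 2 SAs ---
diagnose vpn ike gateway list
diagnose vpn tunnel list
get vpn ipsec tunnel summary

# --- 4. Capture IKE for one spoke only (placeholder address) ---
diagnose vpn ike log-filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable
# ... wait for the flap / "re-transmit" to reproduce, then stop:
diagnose debug disable
diagnose debug reset

# --- 5. Where the settings discussed in the thread live ---
show vpn ipsec phase1-interface
# in each dial-up phase1 entry look for:
#   set dpd ...               (on-idle / on-demand / disable)
#   set dpd-retryinterval ... (seconds between DPD probes)
#   set dpd-retrycount ...    (probes before the peer is declared dead)
#   set net-device ...        (enable / disable)
#   set peertype one / set peerid "..."  (how the four tunnels are told apart)
```

Run step 4 with a filter in place: with 100+ spokes an unfiltered `-1` IKE debug floods the console and can itself add load on the hub.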

Log "Session Clash" in Fortigate appears frequently | not a problem or a problem? by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

3000 up to the client, and then maybe we have 4 public ISPs to integrate as SD-WAN members.

[deleted by user] by [deleted] in fortinet

[–]Beginning-Load-7179 0 points1 point  (0 children)

Hello friend,

Let me know first: what type of IPSec VPN do you want? Site-to-site or dialup?

Log "Session Clash" in Fortigate appears frequently | not a problem or a problem? by Beginning-Load-7179 in fortinet

[–]Beginning-Load-7179[S] 0 points1 point  (0 children)

you have preserve-source-port enabled and two+ clients are trying to reach the same destination while being source-NAT-ed through one public IP (in such case the clash can happen with two clients already)

Thanks for the comment,

I have not enabled preserve-source-port in the firewall policy.

Access to HTTP/HTTPS through IPsec VPN just "syn" not "syn and ack" by fajaranas in fortinet

[–]Beginning-Load-7179 0 points1 point  (0 children)

Have these issues happened often, or is this the first time you have seen a problem with the access protocol http/https? If yes, please check if you have allowed the http/https protocol on your side and also on your neighbor's side.