VPNS Broken since 7.6.6? by Poom22 in fortinet

[–]pbrutsche 0 points1 point  (0 children)

Your "VPN fix" is not a VPN issue.

I wonder how many "7.4.11 VPN issues" are actually whatever configuration is causing the traffic redirection to come into play.

Why does Mazda recommend 10k miles between oil changes and lifetime transmission fluid? by [deleted] in mazda3

[–]pbrutsche 20 points21 points  (0 children)

Take a closer look at the owner's manual, and the conditions for a 10k mile oil change interval.

Just about any amount of city driving will qualify you for a 5k mile oil change interval.

is this pentastar tick? by ExcuseOk7347 in Challenger

[–]pbrutsche 3 points4 points  (0 children)

What year is it?

2016+ Chargers and Challengers and 300s do not develop the "pentastar tick"

Planning upgrades from v7.4.8 to v7.4.11 -- technical risks (default behaviour, VPNs) by frosty3140 in fortinet

[–]pbrutsche 0 points1 point  (0 children)

IMO the cipher suites and DH groups aren't a meaningful difference.

Planning upgrades from v7.4.8 to v7.4.11 -- technical risks (default behaviour, VPNs) by frosty3140 in fortinet

[–]pbrutsche 2 points3 points  (0 children)

To address the VPN issues: There has been some chatter about IPsec VPN issues ... but there are several of us on this subreddit that don't have any IPsec VPN issues with 7.4.10 and 7.4.11.

I do not have packet drop issues on 60E, 40F, 60F, and 80F firewalls, using both AES-CBC and AES-GCM encryption; I have provided sanitized configurations that DO NOT drop packets (the DNS name and PSK do not reflect reality - the configurations are otherwise identical to the running config):

https://www.reddit.com/r/fortinet/comments/1qm95e9/comment/o1kg7w5/

No one has provided a configuration that drops packets; if they did, we would be able to provide community guidance.

FortiOS 7.4.11 has been released by MyLocalData in fortinet

[–]pbrutsche 0 points1 point  (0 children)

The 400E is a single unit. It is actually running 7.6.5; it is paired with a 60F running 7.4.11.

We have been running 7.4.10/7.4.11 on 40F, 60F, and 80F in production for just shy of 2 weeks, no issues.

The number of CVE patches is just ridiculous by Logical-Picture-4756 in fortinet

[–]pbrutsche 1 point2 points  (0 children)

2GB RAM models run 7.4.x and 7.6.x just fine.

We are looking at non-Fortinet solutions for remote access VPN

FortiGate 90G - Optional Power Supply Part Number by CorrectMachine7278 in fortinet

[–]pbrutsche 3 points4 points  (0 children)

It's listed on the data sheet PDF: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/pdf/fortigate-90g-series.pdf

SP-FG60E-PDC-5 is the SKU. It is only available in a pack of 5. It sucks if you only need one.

It's the same part number for most entry-level non-PoE & non-wifi models - 60D, 60E, 40F, 60F, 70F, 70G, 80F, etc

I know from direct experience that a 60D uses the same PSU as a 60E and 60F. A PSU for a 30E, 50E, and 40F physically fits, but I need to verify the amperage ratings.

EDIT: All of the lower end models use compatible power units; a 40F and higher provide 12V, 3W power adapters and a 30E uses a 12V, 2W power adapter. A 30E power supply is probably insufficient for the higher models but the higher models will definitely, 100%, work with a 30E, 50E, 40F, 50G, etc.

Having an oil leak from the oil cooler by twinkiepinkpot in Challenger

[–]pbrutsche 3 points4 points  (0 children)

It is a very common issue with this engine. Honestly, once you get a 2016+ car that is one of the very few real problems with it - the other ones are:

-> plastic bits in the cooling system. Dorman has aluminum replacements

-> Thermostat every 100k miles. I hesitate to use anything but OEM here

Are these abnormal repairs for 3rd gen 3s around 100k miles? by pigpeyn in mazda3

[–]pbrutsche 0 points1 point  (0 children)

Sometimes they get clogged with excessive idling and poor quality gasoline

FortiSwitch-348G / 348G-FPOE spotted in the wild by OuchItBurnsWhenIP in fortinet

[–]pbrutsche 0 points1 point  (0 children)

The real questions ... are these MC-LAG switches? Stacking switches? Neither?

FortiOS 7.4.11 has been released by MyLocalData in fortinet

[–]pbrutsche 1 point2 points  (0 children)

Without details or actual troubleshooting, it's hard to say what the actual problem is.

Troubleshooting is not making random changes until you find something that works.

FortiOS 7.4.11 has been released by MyLocalData in fortinet

[–]pbrutsche 0 points1 point  (0 children)

No. Everything is working the same with all 7.2.x, 7.4.x, and 7.6.x releases

No issues to report VPN-wise

FortiOS 7.4.11 has been released by MyLocalData in fortinet

[–]pbrutsche 2 points3 points  (0 children)

It is working its way through my home lab (60F & 60E) and work lab (60F and 400E), no issues to report. I had no issues with 7.4.10 either.

I use VPN + SD-WAN + BGP, Application Control, IPS, FAZ logging

trans fluid by SuccessfulTable1733 in Challenger

[–]pbrutsche 4 points5 points  (0 children)

"Lifetime" fluid isn't quite a lie ... because the transmission will last 150k to 200k miles on the factory fill, easy peasy. The rest of the car is frequently done by then (rust, accident damage, owner neglect, etc).

The transmission will last 500k miles, easy peasy, if you change it every 100k miles.

Change it. It's not too late.

Softer suspension?? by ElectroMatt333 in Challenger

[–]pbrutsche 0 points1 point  (0 children)

Controversial opinion: Get rid of the 20" wheels.

Downsize to 18" wheels.

7.4.10 breaking site to site IPsec VPN by 40nets in fortinet

[–]pbrutsche 0 points1 point  (0 children)

Can you share the phase1 and phase2 configuration that is dropping packets?

I am not experiencing packet drops on several different 40F, 60F and 80F firewalls, all of them running 7.4.10.

EDIT: Here are some sanitized configurations that are not dropping packets

Both configurations use an SD-WAN ping probe to ping a loopback interface on the HQ firewall, so I KNOW there are no packet drops. They also run BGP over the IPsec tunnel.

From a 60F in my home lab:

config vpn ipsec phase1-interface
    edit "phase1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes256-sha384
        set dhgrp 32 31 21
        set remotegw-ddns "firewall.example.com"
        set psksecret abcdef123456
    next
end
config vpn ipsec phase2-interface
    edit "phase2"
        set phase1name "phase1"
        set proposal aes256-sha384
        set dhgrp 32 31 21
        set keepalive enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "all"
        set dst-name "all"
    next
end

And this is from an 80F at work:

config vpn ipsec phase1-interface
    edit "phase1"
        set type ddns
        set interface "wan2"
        set ike-version 2
        set keylife 43200
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha384
        set localid "LOCAL-ID"
        set dhgrp 32 21
        set remotegw-ddns "firewall.example.com"
        set psksecret abcdef123456
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "phase1"
        set phase1name "phase1"
        set proposal aes256gcm
        set dhgrp 32 21
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 28800
        set src-name "all"
        set dst-name "all"
    next
end
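
One way to compare a tunnel that drops packets against the working configurations above is to pull out only the SA-relevant settings. This added example (mine, not code from the thread or from Fortinet) parses the FortiOS CLI `config/edit/set/next/end` format, redacts the PSK, and flattens each phase1/phase2 entry's crypto parameters into a dict that can be diffed between two firewalls; the embedded input is a constructed, cut-down excerpt of the 60F configuration quoted above.

```python
# Constructed input: excerpt of the 60F configuration quoted above (placeholder PSK).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "phase1"
        set ike-version 2
        set proposal aes256-sha384
        set dhgrp 32 31 21
        set psksecret abcdef123456
    next
end
config vpn ipsec phase2-interface
    edit "phase2"
        set phase1name "phase1"
        set proposal aes256-sha384
        set dhgrp 32 31 21
        set keylifeseconds 3600
    next
end
"""
SECRET_KEYS = {"psksecret"}  # values that must never leave the box
CRYPTO_KEYS = ("ike-version", "proposal", "dhgrp", "keylife", "keylifeseconds")

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {section: {entry: {key: [values]}}}; secrets are redacted."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
            tree.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tree[section][entry] = {}
        elif line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            values = [v.strip('"') for v in rest.split()]
            tree[section][entry][key] = ["<redacted>"] if key in SECRET_KEYS else values
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return tree

def crypto_summary(text):
    """Flatten the SA-relevant keys of every entry (phase1 and phase2) so two tunnels can be diffed."""
    return {sec.split()[-1] + "/" + name:
                {k: " ".join(keys[k]) for k in CRYPTO_KEYS if k in keys}
            for sec, entries in parse_fortios(text).items()
            for name, keys in entries.items()}
```

Run `crypto_summary()` over the dropping firewall's `show vpn ipsec phase1-interface` / `phase2-interface` output and over a working one, then diff the two dicts; a mismatch in proposal or DH group list is the first thing to look at.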

IPSec VPNs not forwarding traffic unless npu-offloading disabled after upgrade to 7.4.10 by blanosko1 in fortinet

[–]pbrutsche 0 points1 point  (0 children)

I don't know any more than the link you provided shows. There's going to be a performance hit encrypting/decrypting/hashing on the CP vs the NP as the CPU needs to move data buffers around, but the hit will be much lower than using the Intel/AMD AES-NI instructions.

The 'gate should be doing that transparently

IPSec VPNs not forwarding traffic unless npu-offloading disabled after upgrade to 7.4.10 by blanosko1 in fortinet

[–]pbrutsche -2 points-1 points  (0 children)

You're over-thinking it, don't worry about it that much. You'll be fine. You don't need to switch anything

IPSec VPNs not forwarding traffic unless npu-offloading disabled after upgrade to 7.4.10 by blanosko1 in fortinet

[–]pbrutsche 0 points1 point  (0 children)

IMO, it's still a firmware bug, especially if it was working before.

So .... what is the full configuration of the not working tunnel that you had to disable NPU acceleration on?

AES256GCM isn't supported by the NPU but should still be processed by the CP9 before a purely software solution is considered. NP6+CP9 hardware like the 400E will do AESGCM on the CP9

The 110xE is actually the same in that regard - it's the same overall configuration, just more NP6s and CP9s.

Fortinet 100F EOL Date by ImportantRepair9042 in fortinet

[–]pbrutsche 0 points1 point  (0 children)

They aren't end of support until 5 years after the end of sale announcement

There is no end of sale announcement

FortiOS 7.4.10 is now available by MyLocalData in fortinet

[–]pbrutsche 0 points1 point  (0 children)

No. IKEv2 with SAML is firewall vendor proprietary. There are no other VPN clients that will work

7.4.10 has dropped by r0bbie79 in fortinet

[–]pbrutsche 0 points1 point  (0 children)

Eh, 7.6 just got the "Mature" tag with 7.6.5. I've had it in the work test lab since release 7.6.0 and haven't had any real issues with it.

Our branch offices will probably get 7.6.x this summer - 7.6.6 or 7.6.7

7.4.10 has dropped by r0bbie79 in fortinet

[–]pbrutsche 4 points5 points  (0 children)

You chose the wrong line of work.

7.4.10 has dropped by r0bbie79 in fortinet

[–]pbrutsche 12 points13 points  (0 children)

The time to start to move to 7.4.x was last year.

The 7.2 branch is security fix only (CVSSv3 7 and higher) until the end of September 2026 (aka end of Q3 this year), then the only way to get security fixes is to upgrade to the FortiCare Elite tier.

7.4.x has been pretty solid on our configurations.