


I've been testing the native IKEv2 client recently, and to be perfectly frank, the native client does all sorts of weird crap (failing re-key, malformed payloads in certain scenarios, refusing to rekey despite the exact same ciphersuite being used as during initial negotiation, default/GUI-configurable crypto being shit, etc.).

Here's some default timers you might find useful:

- 5 minutes idle timeout (if there's no traffic in the tunnel, or outgoing one-way, the client will tear down the phase2/ESP SA)
- 1 hour keylife for phase2/ESP (client will re-negotiate it shortly before expiration) or after 250 MBs transmitted (approx)
- 8 hours keylife for phase1/IKE (again, renegotiated shortly before)

Given that you mention 20-30 minutes to failure, it's not likely to be caused by client-side re-negotiation (unless it's the idle timeout).

Anyway, here's what you should do: Make a packet capture in front (LAN-side) and behind (WAN-side) the FortiGate, and then compare the packet payloads. If the FortiGate forwards everything, and doesn't mess up the payloads, it is innocent. Maybe the server-side is trying to rekey and that fails?

(If you have HW offloading, you may need to disable it in order to see the packets in captures.)
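The "capture on both sides and compare the payloads" step above is tedious by hand, so here is an added example (not code from the comment above, and not a Fortinet tool) that does the comparison for ESP traffic. It reads two classic pcap files, indexes every ESP packet (plain IP protocol 50 or NAT-T on UDP 4500) by its SPI and sequence number, hashes the ESP body, and reports packets that the LAN-side capture saw but the WAN-side capture did not, plus packets whose body changed in transit. Outer IP addresses are deliberately ignored so NAT on the firewall does not show up as a "modification". The captures it parses in the demo are constructed inline; the addresses, SPI and packet bodies are made up for the example.

```python
"""Compare ESP packets captured on the LAN and WAN side of a firewall.

Added example: a hypothetical helper, not FortiGate code. Only classic pcap
(not pcapng) with Ethernet link type is supported; ESP is matched either as
IP protocol 50 or as NAT-T ESP-in-UDP on port 4500.
"""
import hashlib
import struct

ESP = 50
UDP = 17
NAT_T_PORT = 4500


def _iter_pcap(data):
    """Yield each captured frame from classic pcap bytes (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are supported")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def esp_records(pcap_bytes):
    """Map (spi, seq) -> sha256 of the ESP body for every ESP packet in the capture."""
    records = {}
    for frame in _iter_pcap(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        total_len = struct.unpack("!H", frame[16:18])[0]
        l4 = frame[14:14 + total_len][ihl:]
        if proto == ESP:
            esp = l4
        elif proto == UDP and len(l4) >= 12:
            sport, dport = struct.unpack("!HH", l4[:4])
            # NAT-T: a zero non-ESP marker means IKE, anything else is ESP
            if NAT_T_PORT not in (sport, dport) or l4[8:12] == b"\x00\x00\x00\x00":
                continue
            esp = l4[8:]
        else:
            continue
        if len(esp) < 8:
            continue
        spi, seq = struct.unpack("!II", esp[:8])
        records[(spi, seq)] = hashlib.sha256(esp[8:]).hexdigest()
    return records


def compare_captures(lan_pcap, wan_pcap):
    """Report ESP packets dropped or altered between the LAN and WAN captures."""
    lan, wan = esp_records(lan_pcap), esp_records(wan_pcap)
    return {
        "lan_count": len(lan),
        "wan_count": len(wan),
        "missing": sorted(k for k in lan if k not in wan),
        "modified": sorted(k for k in lan if k in wan and lan[k] != wan[k]),
    }


# --- constructed sample captures (made-up addresses, SPI and bodies) ---------
CLIENT, GW_OUTER, SERVER = bytes([192, 168, 1, 20]), bytes([203, 0, 113, 10]), bytes([198, 51, 100, 7])
SPI = 0x1A2B3C4D


def _ipv4(src, dst, proto, payload):  # header checksum left zero; nothing here verifies it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


def _frame(ip_packet):
    return b"\x00" * 12 + b"\x08\x00" + ip_packet


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _esp(spi, seq, body):
    return struct.pack("!II", spi, seq) + body


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def build_sample_captures():
    """LAN side sees seq 1-3; WAN side shows seq 2 corrupted and seq 3 never forwarded."""
    body1, body2, body3 = b"\x01" * 40, b"\x02" * 40, b"\x03" * 40
    lan = [
        _frame(_ipv4(CLIENT, SERVER, ESP, _esp(SPI, 1, body1))),
        _frame(_ipv4(CLIENT, SERVER, ESP, _esp(SPI, 2, body2))),
        _frame(_ipv4(CLIENT, SERVER, UDP, _udp(NAT_T_PORT, NAT_T_PORT, _esp(SPI, 3, body3)))),
    ]
    wan = [  # outer source rewritten by NAT: irrelevant, only SPI/seq/body are compared
        _frame(_ipv4(GW_OUTER, SERVER, ESP, _esp(SPI, 1, body1))),
        _frame(_ipv4(GW_OUTER, SERVER, ESP, _esp(SPI, 2, body2[:-1] + b"\xFF"))),
    ]
    return _pcap(lan), _pcap(wan)


if __name__ == "__main__":
    lan_pcap, wan_pcap = build_sample_captures()
    print(compare_captures(lan_pcap, wan_pcap))
```

With real captures, replace `build_sample_captures()` by reading the two pcap files from disk; a non-empty `missing` list points at the firewall (or offload path) dropping packets, a non-empty `modified` list at payload corruption, and an empty result for both means the FortiGate is forwarding ESP untouched and the rekey problem is between client and server.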
