<div dir="ltr">I have an issue that's a bit off topic, but I am not finding any answers elsewhere. <div><br></div><div>I have a VPN solution that uses Fortinet firewalls as the IKEv2 dialup server. Most of the clients are using the native OS VPN client. Android and Linux use strongSwan as the client. My issue is that all my Windows clients disconnect just short of 8 hours. I have been troubleshooting this with Microsoft, and we have collected traces/logs/debugs/pcaps of both the start of the sessions and the disconnect. What we are seeing is the client sending a CREATE_CHILD request around 10 mins before disconnect:</div><div><br></div><div>2020-04-29 08:07:48.412159 ike 3: comes &lt;CLIENT&gt;:64916-&gt;&lt;SERVER&gt;:4500,ifindex=8....<br>2020-04-29 08:07:48.412193 ike 3: IKEv2 exchange=CREATE_CHILD id=5d8de86e535542e2/948c1c910eb938e4:00000017 len=84<br>2020-04-29 08:07:48.412223 ike 3: in 5D8DE86E535542E2948C1C910EB938E435202408000000170000005400000038000200024A4594698B4D940D0EA2EA504C7581121DF2E0A27C11B3252D16C24673261A81E6F18EE6D334F2CAB4E7EE4462D2D948<br>2020-04-29 08:07:48.412275 ike 3:ikev2_vpn_0:109665: request msgid = 23, expected 24<br></div><div><br></div><div>This happens 10 times and then the client disconnects.
</div><div><br></div><div>Phase 1 negotiates with a lifetime of 86400 (24 hours):</div><div><br></div><div>2020-04-29 00:25:38.418147 ike 3:5d8de86e535542e2/0000000000000000:109665: matched proposal id 4<br>2020-04-29 00:25:38.418174 ike 3:5d8de86e535542e2/0000000000000000:109665: proposal id = 4:<br>2020-04-29 00:25:38.418196 ike 3:5d8de86e535542e2/0000000000000000:109665: protocol = IKEv2:<br>2020-04-29 00:25:38.418218 ike 3:5d8de86e535542e2/0000000000000000:109665: encapsulation = IKEv2/none<br>2020-04-29 00:25:38.418265 ike 3:5d8de86e535542e2/0000000000000000:109665: type=ENCR, val=AES_CBC (key_len = 256)<br>2020-04-29 00:25:38.418288 ike 3:5d8de86e535542e2/0000000000000000:109665: type=INTEGR, val=AUTH_HMAC_SHA2_256_128<br>2020-04-29 00:25:38.418310 ike 3:5d8de86e535542e2/0000000000000000:109665: type=PRF, val=PRF_HMAC_SHA2_256<br>2020-04-29 00:25:38.418332 ike 3:5d8de86e535542e2/0000000000000000:109665: type=DH_GROUP, val=MODP1024.<br>2020-04-29 00:25:38.418354 ike 3:5d8de86e535542e2/0000000000000000:109665: lifetime=86400<br>2020-04-29 00:25:38.418380 ike 3:5d8de86e535542e2/0000000000000000:109665: SA proposal chosen, matched gateway ikev2_vpn<br></div><div><br></div><div>...and Phase 2: </div><div> </div><div>2020-04-29 00:26:08.041641 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: matched proposal id 1<br>2020-04-29 00:26:08.041664 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: proposal id = 1:<br>2020-04-29 00:26:08.041686 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: protocol = ESP:<br>2020-04-29 00:26:08.041708 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: encapsulation = TUNNEL<br>2020-04-29 00:26:08.041730 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: type=ENCR, val=AES_CBC (key_len = 256)<br>2020-04-29 00:26:08.041752 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: type=INTEGR, val=SHA<br>2020-04-29 00:26:08.041774 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: type=ESN, val=NO<br>2020-04-29 00:26:08.041796 ike 3:ikev2_vpn:109665:ikev2_vpn:42893: PFS is disabled<br>2020-04-29 00:26:08.041818 ike 
3:ikev2_vpn:109665:ikev2_vpn:42893: lifetime=43200<br></div><div><br></div><div>Auth is PEAP or EAP-MSCHAPv2.</div><div><br></div><div>Any ideas on this? MS doesn't seem to understand what's going on; they are keying in on the "2020-04-29 08:07:48.412275 ike 3:ikev2_vpn_0:109665: request msgid = 23, expected 24" error. I'd like to know what that means as well. At this point I am just asking to extend the disconnect to, say, 12 hours so our users can get through a work day without being disconnected.</div><div><br></div><div>Thanks,</div><div>Chris.</div></div>
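<div>The hex dump on the "ike 3: in ..." debug line can be decoded with the fixed IKE header layout from RFC 7296 and the Encrypted Fragment payload header from RFC 7383, which makes it possible to check the message ID and fragment counters against what the responder logged. This is an added example, not part of the original message or of any vendor tooling; the function names <code>parse_ike</code> and <code>logged_msgids</code> are hypothetical.</div>

```python
import re
import struct

# IKE header, RFC 7296 section 3.1: 28 bytes, network byte order.
IKE_HDR = struct.Struct("!8s8sBBBBII")
# Encrypted Fragment (SKF) payload header, RFC 7383: generic header + counters.
SKF_HDR = struct.Struct("!BBHHH")
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOADS = {46: "SK", 53: "SKF"}

# Both values are copied from the debug output quoted in the message above.
SAMPLE = ("5D8DE86E535542E2948C1C910EB938E43520240800000017000000540000003800020002"
          "4A4594698B4D940D0EA2EA504C7581121DF2E0A27C11B3252D16C24673261A81"
          "E6F18EE6D334F2CAB4E7EE4462D2D948")
LOG_LINE = "ike 3:ikev2_vpn_0:109665: request msgid = 23, expected 24"


def parse_ike(hex_dump):
    """Decode the cleartext IKEv2 header and, if present, the SKF fragment header."""
    raw = bytes.fromhex(hex_dump)
    spi_i, spi_r, next_pl, version, exch, flags, msgid, length = IKE_HDR.unpack_from(raw)
    if length != len(raw):
        raise ValueError("length field does not match the captured bytes")
    info = {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "version": "%d.%d" % (version // 16, version % 16),
        "exchange": EXCHANGES.get(exch, str(exch)),
        "first_payload": PAYLOADS.get(next_pl, str(next_pl)),
        "from_original_initiator": bool(flags & 0x08),  # I flag
        "is_response": bool(flags & 0x20),               # R flag
        "msgid": msgid, "length": length,
    }
    if next_pl == 53:  # fragment counters sit outside the encrypted part
        _, _, pl_len, frag_no, frag_total = SKF_HDR.unpack_from(raw, IKE_HDR.size)
        info["fragment"] = (frag_no, frag_total)
        info["protected_bytes"] = pl_len - SKF_HDR.size  # IV + ciphertext + ICV
    return info


def logged_msgids(line):
    """Return (received, expected) message IDs from the responder's debug line."""
    m = re.search(r"request msgid = (\d+), expected (\d+)", line)
    return (int(m.group(1)), int(m.group(2))) if m else None


if __name__ == "__main__":
    hdr = parse_ike(SAMPLE)
    print(hdr)
    print("header msgid matches log:", hdr["msgid"] == logged_msgids(LOG_LINE)[0])
```

<div>For the packet in the log this yields a CREATE_CHILD_SA request (I flag set, R flag clear) with message ID 23, carried as fragment 2 of 2, which is the same message ID the responder reports receiving while expecting 24.</div>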