This issue of hourly tunnel drops in your Site-to-Site VPN connection is likely related to a Phase 1 or Phase 2 lifetime mismatch between your Fortinet customer gateway device and AWS.
The most common causes for this pattern include:
- IKE/Phase 1 or IPsec/Phase 2 lifetime mismatch: The lifetime values on your Fortinet device may not match AWS parameters, causing rekey issues. This is particularly relevant for IKEv1, as IKEv2 lifetime values are independent of peers.
- Dead Peer Detection (DPD) timeout: AWS may be timing out DPD after multiple retransmits if your Fortinet device isn't responding to DPD messages properly.
- Rekey collision: When both sides attempt to rekey simultaneously, it can cause temporary disconnections.
To troubleshoot this issue:
- Verify that the Phase 1 and Phase 2 lifetime settings on your Fortinet device align with AWS parameters.
- Check AWS Site-to-Site VPN logs in CloudWatch for specific error messages like "AWS tunnel DPD timed out" or messages about DELETE for IKE_SA or Phase 2 SA, which would indicate the specific cause.
- Look for messages about CHILD_REKEY collisions in the logs, which could explain the periodic disconnections.
- Ensure that the encryption domain or traffic selector includes both source and destination networks.
- Verify that your VPN connection has proper redundancy with a second customer gateway device for better availability.
Since the issue occurs at regular intervals (hourly), it strongly suggests a timer-based issue like lifetime mismatches or scheduled rekey operations that aren't being handled smoothly between AWS and your Fortinet device.
Sources
- Troubleshoot connectivity between Site-to-Site VPN and VPC | AWS re:Post
- AWS Site-to-Site VPN logs - AWS Site-to-Site VPN
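As an added example (not part of this answer or of any AWS tooling), the script below reads constructed AWS Site-to-Site VPN log records, tags the messages the answer says to look for (DPD timeouts, DELETE for IKE_SA or Phase 2 SA, CHILD_REKEY collisions) and checks whether the drops recur at a roughly hourly interval, the signature of a lifetime mismatch. The field names `event_timestamp`, `tunnel_ip_address` and `details` follow the AWS log format as an assumption; the records themselves are made up.

```python
import json
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample records shaped like AWS Site-to-Site VPN CloudWatch log
# entries (one JSON object per line). Field names are an assumption based on
# the AWS log format; timestamps and message text are made up for this example.
SAMPLE_LOG = """
{"event_timestamp": "2024-05-01T00:00:05Z", "tunnel_ip_address": "203.0.113.10", "details": "AWS tunnel DPD timed out after 3 retransmits"}
{"event_timestamp": "2024-05-01T00:00:07Z", "tunnel_ip_address": "203.0.113.10", "details": "AWS tunnel IKE_SA established"}
{"event_timestamp": "2024-05-01T01:00:04Z", "tunnel_ip_address": "203.0.113.10", "details": "AWS tunnel received DELETE for IKE_SA from cgw"}
{"event_timestamp": "2024-05-01T02:00:06Z", "tunnel_ip_address": "203.0.113.10", "details": "AWS tunnel DPD timed out after 3 retransmits"}
{"event_timestamp": "2024-05-01T03:00:05Z", "tunnel_ip_address": "203.0.113.10", "details": "AWS tunnel detected CHILD_REKEY collision"}
"""

# Substrings the answer above says to look for, mapped to a cause label.
CAUSE_PATTERNS = (
    ("dpd_timeout", "DPD timed out"),
    ("peer_delete_ike_sa", "DELETE for IKE_SA"),
    ("peer_delete_phase2_sa", "DELETE for Phase 2 SA"),
    ("rekey_collision", "CHILD_REKEY"),
)

def classify(details):
    """Return the cause label for a log message, or None if it is not a drop indicator."""
    for label, needle in CAUSE_PATTERNS:
        if needle in details:
            return label
    return None

def parse_drop_events(log_text):
    """Return sorted (timestamp, cause) pairs for records whose details match a drop pattern."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        cause = classify(rec["details"])
        if cause:
            ts = datetime.strptime(rec["event_timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, cause))
    return sorted(events)

def analyze(log_text, expected_period_min=60, tolerance_min=2):
    """Count causes and flag drops that recur at a fixed, lifetime-shaped interval."""
    events = parse_drop_events(log_text)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    med = median(gaps) if gaps else 0.0
    regular = bool(gaps) and all(abs(g - med) <= tolerance_min * 60 for g in gaps)
    return {
        "causes": Counter(c for _, c in events),
        "median_gap_min": round(med / 60, 1),
        "periodic": regular and abs(med / 60 - expected_period_min) <= tolerance_min,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A `periodic` result of True together with DPD or DELETE causes points at lifetime settings to compare first; a run dominated by `rekey_collision` with irregular gaps points elsewhere.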
Hi Mamadou, recheck the appliance and the AWS VPN connection for a lifetime mismatch and DPD timeout.