Technical Tip: How to troubleshoot error "no match for shortcut-reply" in ADVPN
| Description | The article describes what steps to undertake to resolve shortcut tunnel not forming between spokes due to the error message "no match for shortcut-reply" |
| Scope | All FortiOS versions |
| Solution | See the scenario, cause and checks below. |

Consider the following scenario, where the network topology is:

- Hub ---> Spoke 1
- Hub ---> Spoke 2
- Spoke 1 ---> Spoke 2 (the shortcut tunnel is not forming)

Addresses used in this scenario:

- Hub IP: 10.103.3.214
- Spoke 1 IP: 10.103.3.216
- Spoke 2 IP: 10.40.51.197
- Spoke 1 LAN: 10.103.3.216
- Spoke 2 LAN: 10.104.3.197

The following error is observed in the IKE debug log on the Hub or on any of the Spoke sites:

```
ike 0:advpn-hub_0: notify msg received: SHORTCUT-REPLY
ike 0:advpn-hub_0: no match for shortcut-reply 1175635844485928790 44a30045af7ec345/43b7cdace2605101 10.40.51.197 to 10.103.3.216 psk 64 ppk 0, drop
```

This error occurs when the firewall does not have a correct route over which to forward the shortcut reply and therefore sends it out the wrong interface.

In the scenario above, the shortcut reply from Spoke 2 for the Spoke 1 LAN subnet is received on the Hub, but the route lookup returns the following:

```
ike 0:advpn-hub: iif 21 10.104.3.197->10.103.3.216 route lookup oif 21 wan1
```

The firewall finds a route out the wan1 interface, which is incorrect: the route should be found over the tunnel interface facing Spoke 1.

In such cases, always check the route lookup and ensure that the firewall returns the correct tunnel interface over which the shortcut reply should be forwarded:

- If it does not, check whether correct routing is configured in the customer environment.
- In the case of SD-WAN, check that the SD-WAN rules are configured correctly.
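As an added example (not part of the Fortinet article), the following Python script parses constructed IKE debug lines modelled on the ones above and flags a dropped shortcut reply whose preceding route lookup resolved to an interface other than an expected ADVPN tunnel interface. The tunnel interface name `advpn-hub` is an assumption taken from the log prefix; the sample log text is constructed, not captured.

```python
import re

# Constructed sample of "diagnose debug application ike" output, built from the
# lines quoted in the article (ordering: notify, route lookup, drop).
SAMPLE_IKE_LOG = """\
ike 0:advpn-hub_0: notify msg received: SHORTCUT-REPLY
ike 0:advpn-hub: iif 21 10.104.3.197->10.103.3.216 route lookup oif 21 wan1
ike 0:advpn-hub_0: no match for shortcut-reply 1175635844485928790 44a30045af7ec345/43b7cdace2605101 10.40.51.197 to 10.103.3.216 psk 64 ppk 0, drop
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "... no match for shortcut-reply <id> <spi/spi> <peer> to <dst> ..., drop"
DROP_RE = re.compile(r"no match for shortcut-reply .*? " + IPV4 + r" to " + IPV4 + r" .*drop")
# "... iif <n> <src>-><dst> route lookup oif <n> <ifname>"
ROUTE_RE = re.compile(r"iif (\d+) " + IPV4 + r"->" + IPV4 + r" route lookup oif (\d+) (\S+)")


def find_misrouted_shortcut_replies(log_text, tunnel_interfaces):
    """Return one finding per dropped shortcut reply.

    A finding is marked misrouted when the most recent route lookup for the same
    destination resolved to an interface that is not one of the ADVPN tunnel
    interfaces (e.g. a WAN interface), which is the condition the article describes.
    """
    findings = []
    last_lookup = None
    for line in log_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            last_lookup = {"dst": m.group(3), "oif_name": m.group(5)}
            continue
        m = DROP_RE.search(line)
        if m:
            peer, dst = m.group(1), m.group(2)
            finding = {"peer": peer, "dst": dst, "oif_name": None, "misrouted": None}
            if last_lookup and last_lookup["dst"] == dst:
                finding["oif_name"] = last_lookup["oif_name"]
                finding["misrouted"] = last_lookup["oif_name"] not in tunnel_interfaces
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # "advpn-hub" is the assumed name of the hub's ADVPN phase1 interface.
    for f in find_misrouted_shortcut_replies(SAMPLE_IKE_LOG, {"advpn-hub"}):
        state = "MISROUTED via " + str(f["oif_name"]) if f["misrouted"] else "ok"
        print(f"shortcut-reply from {f['peer']} for {f['dst']}: {state}")
```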
