naveenk (Staff)
September 9, 2020

Technical Tip: 'SA is not ready yet, drop'


Description


This article describes the 'SA is not ready yet, drop' message.

 

Scope

 

FortiGate.

Solution


In an IPsec site-to-site VPN, traffic is not passing through the tunnel.

Run the following commands to check:

diagnose debug disable
diagnose debug reset
diagnose debug flow filter saddr x.x.x.x ---> Where x.x.x.x is the source IP of the traffic.
diagnose debug flow filter daddr y.y.y.y ---> Where y.y.y.y is the destination IP of the traffic.
diagnose debug flow show function-name enable
diagnose debug flow trace start 999
diagnose debug enable

 

The output below can appear:

 

id=20085 trace_id=505 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=506 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=17, 10.56.103.254:50221->10.191.96.4:33450) from Nexus link. "
id=20085 trace_id=506 func=init_ip_session_common line=5441 msg="allocate a new session-c4241ca3"
id=20085 trace_id=506 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.191.96.4 via IDBHQ_Azure-1"
id=20085 trace_id=506 func=fw_forward_handler line=737 msg="Allowed by Policy-1939:"
id=20085 trace_id=506 func=ids_receive line=269 msg="send to ips"
id=20085 trace_id=506 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-IDBHQ_Azure-1"
id=20085 trace_id=506 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
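When a trace like the one above is long, it helps to group the lines by trace_id and pull out, for every trace that ended in the drop, the packet tuple, the policy that allowed it and the IPsec interface it was sent into. The script below is an added example, not code from this article or from Fortinet; it parses the article's own trace lines (embedded as a constructed sample) and reports which tunnel each dropped flow belongs to, so that the right phase 2 can be checked.

```python
import re
from collections import defaultdict

# Constructed sample input: the flow-trace lines shown in this article, as they
# would be copied from the console after 'diagnose debug flow trace start'.
SAMPLE_TRACE = """\
id=20085 trace_id=505 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=506 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=17, 10.56.103.254:50221->10.191.96.4:33450) from Nexus link. "
id=20085 trace_id=506 func=init_ip_session_common line=5441 msg="allocate a new session-c4241ca3"
id=20085 trace_id=506 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.191.96.4 via IDBHQ_Azure-1"
id=20085 trace_id=506 func=fw_forward_handler line=737 msg="Allowed by Policy-1939:"
id=20085 trace_id=506 func=ids_receive line=269 msg="send to ips"
id=20085 trace_id=506 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-IDBHQ_Azure-1"
id=20085 trace_id=506 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
"""

DROP_MSG = "SA is not ready yet, drop"

# One flow-trace line: fixed key=value fields followed by a quoted msg.
LINE_RE = re.compile(
    r'id=(?P<id>\d+) trace_id=(?P<trace_id>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# Pieces of information worth pulling out of individual msg fields.
PKT_RE = re.compile(
    r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)'
)
POLICY_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
IFACE_RE = re.compile(r'enter IPsec interface-(?P<iface>\S+)')


def parse_trace(text):
    """Return one dict per parseable flow-trace line (other lines are skipped)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_sa_drops(text):
    """Group events by trace_id and summarize every trace that ended with
    'SA is not ready yet, drop': the packet tuple, the policy that allowed it
    and the IPsec interface (tunnel) it was sent into, where the trace shows
    them. A trace holding only the drop line (trace_id=505 in the sample)
    yields None fields, which means the filtered trace cut off its context."""
    by_trace = defaultdict(list)
    for ev in parse_trace(text):
        by_trace[ev["trace_id"]].append(ev)

    drops = []
    for trace_id, events in by_trace.items():
        if not any(ev["msg"] == DROP_MSG for ev in events):
            continue
        summary = {"trace_id": trace_id, "packet": None, "policy": None, "tunnel": None}
        for ev in events:
            pkt = PKT_RE.search(ev["msg"])
            pol = POLICY_RE.search(ev["msg"])
            ifc = IFACE_RE.search(ev["msg"])
            if pkt:
                summary["packet"] = pkt.groupdict()
            if pol:
                summary["policy"] = pol.group("policy")
            if ifc:
                summary["tunnel"] = ifc.group("iface")
        drops.append(summary)
    return drops


def drops_per_tunnel(text):
    """Count SA-not-ready drops per IPsec interface; 'unknown' when the trace
    did not include the 'enter IPsec interface' line."""
    counts = defaultdict(int)
    for d in summarize_sa_drops(text):
        counts[d["tunnel"] or "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    for d in summarize_sa_drops(SAMPLE_TRACE):
        print(d)
    print(drops_per_tunnel(SAMPLE_TRACE))
```

Paste the real trace into SAMPLE_TRACE (or read it from a file) and run the script; the 'tunnel' field names the phase 1 interface whose phase 2 selectors need to be compared with the peer.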


'SA is not ready yet, drop' means that the SA (Security Association) for this phase 2 is not currently up, so the packet cannot be encrypted and is dropped.

To stop the debugs, execute the command below:

diagnose debug disable


Check the phase 2 configuration on both sides and make sure that the phase 2 selectors are the same.

The same behavior, where traffic from some subnets stops traversing the tunnel, also occurs when the phase 2 selectors cover the same subnets but one device configures a single phase 2 selector whose local and remote sides are named address groups containing multiple local and multiple remote subnets, while the remote device configures multiple phase 2 selectors, each matching one local and one remote subnet.

See the example below; the behavior is further explained in this KB article: Technical Tip: Explanation of the IKEv2 Phase2 Setting 'initiator-ts-narrow'

In the flow debug, the same 'SA is not ready yet, drop' message is observed.

 

FortiGate-1 phase2 selector configuration (one selector, address groups on both sides):

Local Subnet                                                      Remote Subnet
10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, 10.0.5.0/24   10.0.6.0/24, 10.0.7.0/24, 10.0.8.0/24, 10.0.9.0/24, 10.0.10.0/24

FortiGate-2 phase2 selector configuration (five selectors, one subnet pair each):

Local Subnet    Remote Subnet
10.0.6.0/24     10.0.1.0/24
10.0.7.0/24     10.0.2.0/24
10.0.8.0/24     10.0.3.0/24
10.0.9.0/24     10.0.4.0/24
10.0.10.0/24    10.0.5.0/24


Also check that settings such as 'Auto Negotiate' match on both sides.

 

If multiple phase 2 selectors are bound to the same phase 1 and their subnets overlap, the same error appears in the debug flow trace. For instance:

proxyid=traffic1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0

proxyid=traffic2
src: 192.168.10.0/24
dst: 10.0.0.0/16

As shown in the preceding example, proxyid=traffic1 (0.0.0.0/0 on both sides) also covers the subnets of proxyid=traffic2 and overshadows it, so it is ambiguous which selector should be used to send the traffic.
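Both situations above (the FortiGate-1/FortiGate-2 address-group example and the overlapping proxy-id example) can be caught before traffic fails by comparing the selectors offline. The script below is an added example, not code from this article or from Fortinet; the selector names and the dictionary layout are assumptions, and the subnets are taken from the article's two examples. It expands each selector into the (local, remote) subnet pairs it proposes, lists the pairs one side proposes that the peer does not configure in mirrored form, shows when one selector on side A maps onto several child SAs on side B, and flags selectors on the same side whose local and remote ranges overlap.

```python
import ipaddress
from itertools import product

# Constructed from the article's example. FortiGate-1 has one phase 2 selector
# whose local and remote sides are address groups; FortiGate-2 has five
# selectors with one subnet pair each. The selector names are hypothetical.
FGT1_SELECTORS = [
    {"name": "to_fgt2",
     "local": ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"],
     "remote": ["10.0.6.0/24", "10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24", "10.0.10.0/24"]},
]
FGT2_SELECTORS = [
    {"name": f"to_fgt1_{i}", "local": [f"10.0.{i + 5}.0/24"], "remote": [f"10.0.{i}.0/24"]}
    for i in range(1, 6)
]
# Constructed from the article's overlapping proxy-id example (0.0.0.0/0 and a
# narrower selector bound to the same phase 1).
OVERLAP_SELECTORS = [
    {"name": "traffic1", "local": ["0.0.0.0/0"], "remote": ["0.0.0.0/0"]},
    {"name": "traffic2", "local": ["192.168.10.0/24"], "remote": ["10.0.0.0/16"]},
]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def expand(selectors):
    """Map each (local, remote) subnet pair proposed by a side to the selector
    name(s) proposing it. An address group with N local and M remote members
    becomes N*M pairs under one selector name."""
    pairs = {}
    for sel in selectors:
        for loc, rem in product(_nets(sel["local"]), _nets(sel["remote"])):
            pairs.setdefault((loc, rem), []).append(sel["name"])
    return pairs


def mirror_mismatches(side_a, side_b):
    """Pairs side A proposes that side B does not configure in mirrored form
    (A.local == B.remote and A.remote == B.local). Traffic for these pairs has
    no child SA to use once the peer narrows the proposal."""
    mirrored_b = {(rem, loc) for (loc, rem) in expand(side_b)}
    return sorted(f"{loc} -> {rem}" for (loc, rem) in expand(side_a)
                  if (loc, rem) not in mirrored_b)


def child_sa_split(side_a, side_b):
    """For each selector on side A, the side-B selectors its pairs land on.
    More than one name means side A expects a single child SA for traffic that
    side B splits across several child SAs; only the narrowed subset comes up."""
    b_pairs = expand(side_b)
    result = {}
    for sel in side_a:
        names = set()
        for loc, rem in product(_nets(sel["local"]), _nets(sel["remote"])):
            names.update(b_pairs.get((rem, loc), []))
        result[sel["name"]] = sorted(names)
    return result


def overlapping_selectors(selectors):
    """Selector pairs on one side whose local ranges overlap and whose remote
    ranges overlap; a wide selector such as 0.0.0.0/0 shadows a narrower one."""
    def any_overlap(a, b):
        return any(x.overlaps(y) for x in _nets(a) for y in _nets(b))
    found = []
    for i, a in enumerate(selectors):
        for b in selectors[i + 1:]:
            if any_overlap(a["local"], b["local"]) and any_overlap(a["remote"], b["remote"]):
                found.append((a["name"], b["name"]))
    return found


if __name__ == "__main__":
    print("FGT1 pairs without a mirror on FGT2:", mirror_mismatches(FGT1_SELECTORS, FGT2_SELECTORS))
    print("FGT1 selector split across FGT2 child SAs:", child_sa_split(FGT1_SELECTORS, FGT2_SELECTORS))
    print("overlapping proxy-ids:", overlapping_selectors(OVERLAP_SELECTORS))
```

For the article's example the output shows that FortiGate-1 proposes 25 subnet pairs of which only 5 have a mirror on FortiGate-2, and that its single selector maps onto all five FortiGate-2 child SAs; for the proxy-id example it reports traffic1 overlapping traffic2.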

 

It is also possible to run the IKE debug and check the negotiation:

diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 x.x.x.x <----- Where x.x.x.x is the remote gateway IP.
diagnose debug app ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

Note:

In IPsec dial-up or remote-access scenarios where the FortiGate acts as a passive responder, it will not initiate IKE negotiations. Traffic sent from the local network before the remote peer starts the tunnel will be dropped with the same message in the flow debug, 'SA is not ready yet, drop'. Enable auto-negotiate on the initiator side, disable passive-mode if enabled, or ensure the client initiates the tunnel to prevent this behavior. To enable auto-negotiate, refer to Technical Tip: Using the IPsec auto-negotiate and keepalive options on IPsec VPN tunnel.

 

Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

After 5-10 seconds, disable the logs by executing:

 

diagnose debug disable

 

Related article:

Technical Tip: How to make sure the FortiGate will act as a responder in site-to-site IPsec VPN