Skip to main content
jo_rang
Staff
jo_rang
Staff
June 24, 2025

Troubleshooting Tip: IPsec VPN 'error 22:Invalid argument' message

  • June 24, 2025
  • 0 replies
  • 1068 views
Description

This article provides guidance on troubleshooting Site-to-Site VPN connectivity issues when Phase1 is down and the message 'error 22:Invalid argument' is seen in the IKE debugs. 
Scope FortiGate.
Solution

In this scenario, a Site-to-Site VPN was configured with the following phase1 parameters:

 

config vpn ipsec phase1-interface
    edit "VPNtoHQ"
        set interface "wan1"

        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
        set remote-gw 192.168.254.100
        set psksecret ENC /Va2TfR2mi8+VzLRPdcGo2H4ABixT

oKNJ3QFvx7z3kv/2XgDjCjxRJIQkGRRPDpwKpd3N2HVOG7c6bV3obL1gSsa/d
   next
end

 

The messages 'could not send IKE Packet' and 'error 22:Invalid argument' are observed when running the following debug commands:

 

diagnose vpn ike log filter rem-addr4 192.168.254.100

diagnose debug application ike -1

diagnose debug enable

 

ike V=root:0:VPNtoHQ:VPNtoHQ: created connection: 0x55a1e37350 3 172.25.183.180->192.168.254.100:500.
ike V=root:0:VPNtoHQ:VPNtoHQ: chosen to populate IKE_SA traffic-selectors
ike V=root:0:VPNtoHQ: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike V=root:0:VPNtoHQ:8524: generate DH public value request queued
ike V=root:0:VPNtoHQ:8524: create NAT-D hash local 172.25.183.180/500 remote 192.168.254.100/500
ike 0:VPNtoHQ:8524: out 4A38670E61A78A5200000

000000000002120220800000000000002A02200011802

000034010100050300000C0100000C800E0

0800300000802000005030000080300000C0300000804

000005000000080400000E02000034020100050300000

C0100000C800E0100030000080200000503

0000080300000C0300000804000005000000080400000

E0200002C030100040300000C01000014800E00800300

00080200000503000008040000050000000

80400000E0200002C040100040300000C01000014800E

010003000008020000060300000804000005000000080

400000E0200002805010004030000080100

001C03000008020000050300000804000005000000080

400000E0000002C060100040300000C0100001C800E01

00030000080200000503000008040000050

00000080400000E28000108000E0000E2115C2AD4F76A

5F67BAFEF43370E3BF3B0966D08910FC986FB09FCAFC3

1335FE564874A84C777270BCDB665ED3118

ike V=root:0:VPNtoHQ:8524: could not send IKE Packet(SA_INIT):172.25.183.180:500->192.168.254.100:500, len=672, vrf=0: error 22:Invalid argument

ike 0:VPNtoHQ:8524: out 4A38670E61A78A52000000

00000000002120220800000000000002A0220001180200

0034010100050300000C0100000C800E0

0800300000802000005030000080300000C03000008040

00005000000080400000E02000034020100050300000C0

100000C800E0100030000080200000503

0000080300000C0300000804000005000000080400000E

0200002C030100040300000C01000014800E0080030000

080200000503000008040000050000000

80400000E0200002C040100040300000C01000014800E0

1000300000802000006030000080400000500000008040

0000E0200002805010004030000080100

001C030000080200000503000008040000050000000804

00000E0000002C060100040300000C0100001C800E0100

030000080200000503000008040000050

00000080400000E28000108000E0000E2115C2AD4F76A

5F67BAFEF43370E3BF3B0966D08910FC986FB09FCAFC3

1335FE564874A84C777270BCDB665ED3118

ike V=root:0:VPNtoHQ:8524: could not send IKE Packet(RETRANSMIT_SA_INIT):172.25.183.180:500->192.168.254.100:500, len=672, vrf=0: error 22:Invalid argument 

 

This error occurs when there is a blackhole route to the IP address of the remote-gw configured in phase-1.

 

A blackhole route is a static route that silently discards traffic without notifying the source (unlike a reject route, which sends back an ICMP message). In FortiOS, blackhole routes are commonly used for:

  • Preventing routing loops.

  • Triggering route failover behavior.

  • Ensuring that unmatched traffic does not go anywhere.

 

But when misconfigured or too general, a blackhole route can interfere with VPN traffic, especially Phase 1 IKE negotiations.

 

get router info routing-table details 192.168.254.100

Routing table for VRF=0
Routing entry for 192.168.254.100/32
Known via "static", distance 10, metric 0, best
* directly connected, Null       <----- A black hole route exists to the IP address of the VPN peer.

 

show router static
config router static
    ...
    edit 5

        set dst 192.168.254.100 255.255.255.255

        set blackhole enable

        set vrf 0

    next
end

 

Removing the blackhole route fixes the issue. 

 

config router static

    delete 5

end

 

Related articles:
Terms & ConditionsAccessibility statement