Emma02
Visitor III
August 22, 2023
Question

FortiGate 100E VPN Error: "Phase 2 Mismatch" After Firmware Update to v6.4.5


Hello everyone,


I recently updated my FortiGate 100E to firmware version v6.4.5. After the update, I've been encountering a persistent issue with my site-to-site VPN. Every time I try to establish a connection, it fails, and I get a "Phase 2 Mismatch" error in the logs.


Before this update, my VPN connection was stable, and there were no issues. The only recent change I made, besides the firmware update, was adding a few firewall policies, but none that should affect the VPN, as far as I can tell. I've double-checked my VPN settings and phase 2 configurations on both ends, and they match.


Has anyone else faced a similar issue after updating to v6.4.5? Any guidance on troubleshooting this would be greatly appreciated.


I also checked this - https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL-VPN/ta-p/211965

https://www.reddit.com/r/fortinet/comments/qzq8mu/invalid_http_request_with_azure_saml_ssl_vpn/?rdt=34604


Thank you in advance!

2 replies

asengar
Staff
August 23, 2023

Hi @Emma02 

Can you confirm whether both ends are FGT, or whether it is between a FGT and another vendor's device?
Which IKE version are you using: IKEv1 (main or aggressive mode) or IKEv2?

Also share the ike debugs:

dia vpn ike log-filter dst-addr4 x.x.x.x    >>> x.x.x.x is the remote gateway
dia debug application ike -1
dia debug enable


To disable the debug logs, use the command below:

dia debug disable

Also, there are no known issues for this in 6.4.5; refer to the document below:

https://docs.fortinet.com/document/fortigate/6.4.5/fortios-release-notes/236526/known-issues

New Contributor III
August 23, 2023

Hi @Emma02 ,

I believe this VPN is connected between a FortiGate and another vendor's device.
Most likely this issue is in phase 2.

Some vendors cannot accept FortiGate phase 2 grouping.
The solution is to separate each phase 2 subnet.

Example:

Local network:
192.168.10.0/24  << number 1
192.168.20.0/24  << number 2

Do not put those 2 subnets in a group. Instead, configure them individually.
Reference:

https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/666100/ipsec-vpn-between-a-fortigate-and-a-cisco-asa-with-multiple-subnets
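As an added illustration (not from the post above or the cookbook page), here is what the grouped selector the reply warns against and the per-subnet form it recommends look like in FortiOS CLI. The phase 1 name "to-peer", the address object names and the remote subnet 10.1.1.0/24 are placeholders.

```text
# Grouped form: one phase 2 whose local selector is a firewall address group.
# Some third-party peers reject this (placeholder names and remote subnet assumed).
config firewall address
    edit "lan-10"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "lan-20"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "local-lans"
        set member "lan-10" "lan-20"
    next
end
config vpn ipsec phase2-interface
    edit "to-peer-p2"
        set phase1name "to-peer"
        set src-addr-type name
        set src-name "local-lans"
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end

# Per-subnet form recommended in the reply: one phase 2 per local subnet,
# each carrying a single src-subnet/dst-subnet pair for the peer to match.
config vpn ipsec phase2-interface
    edit "to-peer-p2-1"
        set phase1name "to-peer"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
    edit "to-peer-p2-2"
        set phase1name "to-peer"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
```

After applying the per-subnet form, "diagnose vpn tunnel list" shows each phase 2 with its own src/dst selector pair, and the peer's phase 2 entries must mirror those pairs exactly or the mismatch persists.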