Tomioka
New Member
April 26, 2022
Question

IPsec aggregate with 2 WAN ISPs works but warning message remains

Hi community folks,

I'm currently trying to set up IPsec aggregate with 2 WAN ISP links.

After all the configuration (IPsec phase1-interface, phase2-interface, IPv4 policy, routes), both IPsec tunnels come up and actually it works perfectly as expected, except for the warning messages in the GUI.

Has anyone experienced the same issues, or any tips to erase these warning messages?

===

Model: Fortigate-50E

FortiOS: v6.2.9 build1234 (GA) [* tried newest v6.2.10 build1263 (GA), but same]

Issues: Warning message remains in GUI

1. IPsec tunnels both up.
   (screenshot: 1.IPsecTunnels.png)

2. IPsec aggregate members both show as "Phase2 tunnel is not configured". (Strange)
   (screenshot: 2.IPsecTunnels_aggregate.png)

3. IPsec aggregate interface shows LinkDown, but is actually working. (Strange)
   (screenshot: 3.IPsecInterface_down.png)

4. As a result of the interface LinkDown, the related IPv4 policy shows a warning, but is actually working. (Strange)
   (screenshot: 4.Policy_warning.png)

===

 

Since I'm now working with a test environment (without a care support contract), I can't open a TAC ticket so far.

Thanks,
Tomioka

jintrah_FTNT
Staff
April 26, 2022

Hello,

Which browser are you using? Is this behavior seen on different browsers?

Best regards,
Jin

Tomioka (Author)
New Member
April 26, 2022

Hello Jin,

I've checked with Firefox and Google Chrome, but no luck.

Thanks,
Tomioka

jintrah_FTNT
Staff
April 26, 2022

Hi Tomioka,

Thanks for checking this from different browsers. The issue may be cosmetic and may be reported to support after obtaining the required contracts.

Best regards,
Jin

Debbie_FTNT
Staff & Editor
April 26, 2022

Hey Tomioka,

You can also check for phase2 information via CLI.

You can refer to this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955
In particular the 'diagnose vpn tunnel list' command might be of use; the 'src x.x.x.x dst y.y.y.y' entries would indicate what P2 selectors there are, and these might be missing if no P2 is established.

Tomioka (Author)
New Member
April 26, 2022

Hello Debbie,

Thank you for the suggestion. I've checked both tunnels.

Both show status sa=1, which looks fine to me...

FG50E # diagnose vpn tunnel list name AzureVWANph1A
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=AzureVWANph1A ver=2 serial=3 XXX.XXX.XXX.XXX:0->XXX.XXX.XXX.XXX:0 dst_mtu=1454
bound_if=33 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=10 ilast=5 olast=5 ad=/0
stat: rxp=5860 txp=7276 rxb=3004896 txb=594151
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=14004
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=AzureVWANph2A proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10001 type=00 soft=0 mtu=1390 expire=26055/0B replaywin=0
       seqno=27 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=26727/27000
  dec: spi=f372fdf6 esp=aes key=32 f9061937a795a90bdc23fdf95cd6312fd87e9fbc06296d8bcd6971d54a4XXXXX
       ah=sha1 key=20 e1dda2d640b383fdad20858458e06873d00XXXXX
  enc: spi=df67bb48 esp=aes key=32 ec2f5a2f355e116c30c9a67776b53577cf85c6484b96855f4b0e438afa6XXXXX
       ah=sha1 key=20 ce0dedc090d281e3513424e66bea307fb6aXXXXX
  dec:pkts/bytes=17/2756, enc:pkts/bytes=38/4912
run_tally=0

FG50E #
FG50E # diagnose vpn tunnel list name AzureVWANph1B
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=AzureVWANph1B ver=2 serial=4 XXX.XXX.XXX.XXX:0->XXX.XXX.XXX.XXX:0 dst_mtu=1454
bound_if=30 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=6 ilast=8 olast=8 ad=/0
stat: rxp=164 txp=0 rxb=42624 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=13770
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=AzureVWANph2B proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10000 type=00 soft=0 mtu=1390 expire=26647/0B replaywin=0
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=26731/27000
  dec: spi=f372fdf7 esp=aes key=32 e11422a64da2258840774dfa584d47e9da7f04157deb0e702c8aff01c08XXXXX
       ah=sha1 key=20 1ea87511a759bc1ca75f7cf22a9311d0a6fXXXXX
  enc: spi=146a657c esp=aes key=32 11064f035e143cba58d70a1349b18a50b30d64a41e3a9c2a581c4ed3867XXXXX
       ah=sha1 key=20 7bfbd88544c290d4e898fba281e65653c7eXXXXX
  dec:pkts/bytes=3/491, enc:pkts/bytes=0/0
run_tally=0

FG50E #

 

 

Thanks,
Tomioka
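The CLI check Debbie describes, applied to output of the kind Tomioka pasted, as an added example that is not part of this thread and not Fortinet code: a small Python parser that pulls each proxyid (phase2) record out of 'diagnose vpn tunnel list' output and reports tunnels whose phase2 is absent, has sa=0, or has no src/dst selectors. The sample output is constructed for the example, modelled on the output in this thread with key material omitted; the second tunnel (EXAMPLEph1C / EXAMPLEph2C, sa=0) is hypothetical and added so the failing case is visible. Only the fields seen in the thread (name=, run_state=, proxyid=, sa=, src:, dst:) are relied on.

```python
"""Parse FortiOS 'diagnose vpn tunnel list' output and check phase2 state.
Added example for this thread, not Fortinet code; it relies only on the fields
visible in the pasted output (name=, run_state=, proxyid=, sa=, src:, dst:)."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Phase2:
    name: str                          # proxyid= value (phase2-interface name)
    sa_count: int                      # sa= value; 0 means no IPsec SA negotiated
    selectors: List[Tuple[str, str]]   # (src, dst) selector pairs as printed


@dataclass
class Tunnel:
    name: str                          # name= value (phase1-interface name)
    run_state: int                     # run_state= value, -1 if not found
    phase2: List[Phase2]


# Each tunnel record starts with "name=" at the beginning of a line.
TUNNEL_START = re.compile(r"^name=(\S+)", re.MULTILINE)
RUN_STATE = re.compile(r"run_state=(\d+)")
# "proxyid=" opens a phase2 record; the header's "proxyid_num=" does not match.
PROXYID = re.compile(r"proxyid=(\S+)\s+proto=\d+\s+sa=(\d+)")
SRC = re.compile(r"\bsrc:\s*(\S+)")
DST = re.compile(r"\bdst:\s*(\S+)")


def parse_tunnel_list(text: str) -> List[Tunnel]:
    """Split the command output into tunnels and their phase2 records."""
    tunnels = []
    starts = list(TUNNEL_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        chunk = text[m.start():end]
        rs = RUN_STATE.search(chunk)
        phase2 = []
        # Element 0 is the tunnel header; each later element begins at a proxyid=.
        for seg in re.split(r"(?=\bproxyid=)", chunk)[1:]:
            pm = PROXYID.match(seg)
            if pm:
                pairs = list(zip(SRC.findall(seg), DST.findall(seg)))
                phase2.append(Phase2(pm.group(1), int(pm.group(2)), pairs))
        tunnels.append(Tunnel(m.group(1), int(rs.group(1)) if rs else -1, phase2))
    return tunnels


def decode_selector(sel: str) -> Tuple[str, str, str]:
    """Split a printed selector 'proto:addr/mask:port' into its three parts.
    '0:0.0.0.0/0.0.0.0:0' is the catch-all: any protocol, address and port."""
    proto, rest = sel.split(":", 1)
    addr, port = rest.rsplit(":", 1)
    return proto, addr, port


def check_phase2(tunnels: List[Tunnel]) -> List[Tuple[str, str]]:
    """Return (tunnel, finding) pairs for phase2 conditions worth a warning."""
    findings = []
    for t in tunnels:
        if not t.phase2:
            findings.append((t.name, "no proxyid= record: no phase2 configured"))
            continue
        for p2 in t.phase2:
            if p2.sa_count == 0:
                findings.append((t.name, f"{p2.name}: sa=0, phase2 not established"))
            elif not p2.selectors:
                findings.append((t.name, f"{p2.name}: SA up but no src/dst selectors"))
    return findings


# Constructed sample, modelled on the output in this thread with key material
# omitted. The second tunnel (EXAMPLEph1C) is hypothetical: phase2 present, sa=0.
SAMPLE = """\
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=AzureVWANph1A ver=2 serial=3 XXX.XXX.XXX.XXX:0->XXX.XXX.XXX.XXX:0 dst_mtu=1454
bound_if=33 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=10 ilast=5 olast=5 ad=/0
proxyid=AzureVWANph2A proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10001 type=00 soft=0 mtu=1390 expire=26055/0B replaywin=0
  dec:pkts/bytes=17/2756, enc:pkts/bytes=38/4912
run_tally=0
------------------------------------------------------
name=EXAMPLEph1C ver=2 serial=5 XXX.XXX.XXX.XXX:0->XXX.XXX.XXX.XXX:0 dst_mtu=1454
bound_if=34 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=0 olast=0 ad=/0
proxyid=EXAMPLEph2C proto=0 sa=0 ref=1 serial=1
run_tally=0
"""

if __name__ == "__main__":
    parsed = parse_tunnel_list(SAMPLE)
    for t in parsed:
        for p2 in t.phase2:
            sels = [decode_selector(s) for s, _ in p2.selectors]
            print(f"{t.name}/{p2.name}: run_state={t.run_state} sa={p2.sa_count} selectors={sels}")
    for name, msg in check_phase2(parsed):
        print(f"WARNING {name}: {msg}")
```

Run it as-is to see the constructed sample evaluated; in practice, paste the full output of 'diagnose vpn tunnel list' into SAMPLE or read it from a file. On the output Tomioka posted, both proxyids report sa=1 with catch-all 0.0.0.0/0 selectors, so this check would report nothing, which is consistent with the view that the remaining GUI warning is cosmetic rather than a missing phase2.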