Skip to main content
A
Anonymous_User
Contributor
April 29, 2009
Question

IPSec Phase 1 Error

  • April 29, 2009
  • 5 replies
  • 11485 views
Hi, I am having problem in establishing a site to site IPSEC to a third party VPN device (Zyxel DSL CPE). I have confirmed that i am using correct/same IKE gateway, Authentication and Encryption settings on both ends. The log i am getting on Fortigate firewall says: FG_VOPIUM_LHR # id=20085 trace_id=46 func=resolve_ip_tuple_fast line=2810 msg=" vd-root received a packet(proto=1, 192.168.0.83:1024->10.0.0.1:8) from internal." id=20085 trace_id=46 func=resolve_ip_tuple_fast line=2837 msg=" Find an existing session, id-00098da4, original direction" id=20085 trace_id=46 func=ipsec_tunnel_output4 line=750 msg=" enter IPsec tunnel-DK-LANp1" id=20085 trace_id=46 func=ipsec_common_output4 line=555 msg=" SA is not ready yet, drop" id=20085 trace_id=47 func=resolve_ip_tuple_fast line=2810 msg=" vd-root received a packet(proto=1, 192.168.0.83:1024->10.0.0.1:8) from internal." id=20085 trace_id=47 func=resolve_ip_tuple_fast line=2837 msg=" Find an existing session, id-00098da4, original direction" id=20085 trace_id=47 func=ipsec_tunnel_output4 line=750 msg=" enter IPsec tunnel-DK-LANp1" id=20085 trace_id=47 func=ipsec_common_output4 line=555 msg=" SA is not ready yet, drop" While on the remote end, i am getting a IKE Packet Retransmit error. I am unable to find any solution for this problem. One thing also i would mention that i have 3 other IPSEC tunnels to my other remote site working fine... The IKE gateway on that site is Cisco ASA. Thanks in advance. Regards Naveed

    5 replies

    g3rman
    g3rman
    New Member
    April 29, 2009
    Hi Naveed, welcome to the forums. I haven' t seen that particular error before but I would suggest checking the time/date setting on both firewalls to ensure they match. Also, is the output you posted from the following command " diag debug app ike 3<ip address of remote endpoint>" ?
    A
    Anonymous_UserAuthor
    Contributor
    April 30, 2009
    Hi, I have verified the time on both of gateways, both gateways are in different time zones but configured properly with the correct time. The output is the result of these commands while i try to ping the remote end CPE: diag debug en diag debug flow filter addr 10.0.0.1 diag debug flow show console en diag debug flow show function-name en diag debug flow trace start 100 Regards, Naveed
    g3rman
    g3rman
    New Member
    April 30, 2009
    Ok, why don' t you try
    diag debug app ike 3 <ip address of remote firewall>
    and post that here. That might give some better indication as to what might be happening when trying to establish the tunnel.
    doshbass
    doshbass
    New Member
    April 30, 2009
    id=20085 trace_id=47 func=ipsec_tunnel_output4 line=750 msg=" enter IPsec tunnel-DK-LANp1" id=20085 trace_id=47 func=ipsec_common_output4 line=555 msg=" SA is not ready yet, drop"
    G3rman is right. teh above snippet of debug from teh flow is simply saying, The tunnel is not up so I can' t go any further. Run teh Diag debug app ike as advised. Also idf possible try to look at the logs on teh other device at the same time. I would suspect that you have left your P2s at 0.0.0.0/0 whilst the other end is being more specific. The only reason I say that is because it is the most common mistake
    g3rman
    g3rman
    New Member
    April 30, 2009
    Hooray, I finally got something right!!! (The Germans have a saying of " Even a blind chicken will find a grain of corn" ) :)
    Terms & ConditionsAccessibility statement