INT1
Explorer
October 18, 2024
Question

IPSEC VPN connection error

  • October 18, 2024
  • 3 replies
  • 5446 views

Hello, I have an error connecting to an IPsec IKEv2 VPN using an Azure AD email. What's happening is that after I get the pop-up to enter the credentials, and after I enter them and get the 2FA pop-up, it says the VPN connection is down, and when I check the logs I get this error:

 image.png

I tried turning off the firewall on the device I'm trying to connect from, I restarted the services, and I removed and redownloaded the VPN, and still nothing is changing.


AEK
SuperUser
October 18, 2024

Hi INT1

Try running this on the FG.

diagnose debug console timestamp enable
diagnose debug app ike -1
diagnose debug app fnbamd -1
diagnose debug enable

AEK
INT1
INT1Author
Explorer
October 18, 2024

To give a bit more detail: there is no misconfiguration in the IPsec VPN or anything related in the firewall, but I'm having some issues with some users, each different, and this one I couldn't find a solution to.

Jz_FTNT
Staff
October 23, 2024

You said some users are having issues. Are those users using Wi-Fi? Does it make a difference if they switch to an Ethernet connection?

AEK
SuperUser
October 19, 2024

So in summary, the client says phase1 retransmit reaches maximum count, and the server doesn't receive from the client and says negotiation timeout.

In addition to Patel's suggestion (try using another ISP), you may also try using a stable FCT version, like 7.2.5 or 7.0.13.

Also, you said the issue happens to some users. Is there anything in common between these users? Like they have Windows 11? Or a specific NIC driver? Or they are stored on another authentication server? Or anything else?

AEK
INT1
INT1Author
Explorer
October 21, 2024

We have tried doing it while connected on a hotspot and it didn't work. What I have done is tried to connect using SSL and it went through, but on IPsec it's having a problem connecting. For now this exact issue has only happened on 1 device, but there are some similar issues.

tpatel
Staff
October 21, 2024

Hello Int1,

Run Wireshark on the user's PC and also run a packet capture on the WAN interface. Once the VPN gets disconnected or fails, compare the packets leaving the FortiGate WAN interface to the user's public PC packet capture.
Check whether you are seeing all packets.
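
The capture comparison suggested in the post above can be done by matching IKEv2 headers seen on each side. This is an added example, not code from the thread or from Fortinet; it assumes the UDP payloads were already exported from each capture as (FortiGate-side UDP port, payload bytes) pairs, and the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

# IKEv2 exchange types (RFC 7296)
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_HDR = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, message ID, length

def parse_ike(udp_port, payload):
    """Return (initiator SPI, exchange, message ID, is_response), or None if not IKEv2."""
    if udp_port == 4500:
        # NAT-T: IKE on UDP 4500 is prefixed with a 4-byte zero non-ESP marker;
        # anything else on that port is ESP or a keepalive.
        if payload[:4] != b"\x00" * 4:
            return None
        payload = payload[4:]
    if len(payload) < 28:
        return None
    spi_i, _spi_r, _np, version, xchg, flags, msg_id, _len = struct.unpack(IKE_HDR, payload[:28])
    if version >> 4 != 2:
        return None
    return (spi_i.hex(), EXCHANGES.get(xchg, str(xchg)), msg_id, bool(flags & 0x20))

def missing_at_server(client_pkts, server_pkts):
    """Map each request the client sent but the server never captured to its send count."""
    seen = {parse_ike(port, data) for port, data in server_pkts}
    sent = Counter()
    for port, data in client_pkts:
        key = parse_ike(port, data)
        if key and not key[3]:          # count requests only, retransmits included
            sent[key] += 1
    return {key: n for key, n in sent.items() if key not in seen}

def build_ike(spi_i, xchg, msg_id, marker=False):
    """Build a constructed 28-byte IKEv2 header (initiator request) for the sample data."""
    hdr = struct.pack(IKE_HDR, spi_i, b"\x00" * 8, 0, 0x20, xchg, 0x08, msg_id, 28)
    return b"\x00" * 4 + hdr if marker else hdr

# Constructed sample, not taken from the thread: the first request arrives,
# the second is sent three times and never reaches the server side.
SPI = bytes.fromhex("1122334455667788")
CLIENT = [(500, build_ike(SPI, 34, 0))] + [(4500, build_ike(SPI, 35, 1, marker=True))] * 3
SERVER = [(500, build_ike(SPI, 34, 0)), (4500, b"\xff")]  # 0xff = NAT-T keepalive

if __name__ == "__main__":
    for (spi, xchg, msg_id, _), n in missing_at_server(CLIENT, SERVER).items():
        print(f"SPI {spi} {xchg} msg_id={msg_id}: sent {n}x by client, not seen at FortiGate")
```

A request that shows up several times in the client capture and never in the WAN capture matches the "retransmit reaches maximum count" and "negotiation timeout" pair of log messages, and points at the path between the two capture points rather than at either endpoint.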

INT1
INT1Author
Explorer
November 1, 2024

Hello, the issue still hasn't been solved till now. I still can't put a finger on what the problem is; it's only happening on IPsec. With SSL I can connect, but trying with IPsec, local user or SSO, it's causing an issue. We migrated from IPsec to SSL since the update and we only have SSL available for now on another firewall, but we will change to IPsec VPN.

AEK
SuperUser
November 2, 2024

Hi INT1.

Does it give the same behavior when you disable MFA for IPsec?

AEK
INT1
INT1Author
Explorer
November 4, 2024

I didn't try disabling MFA, but I tried entering using a local user on the FortiGate and it was the same issue.