Contributor
March 7, 2007
Question

VPN not working after update firmware

  • March 7, 2007
  • 7 replies
  • 8964 views
After I updated the firmware my VPN is not working. Following is my scenario:
    FGT 100A: 3.0 build 0477, operation mode NAT
    FGT 50A: 3.0 build 0406, operation mode Transparent
    VPN connecting from FGT 50A to FGT 100A.
Does it need any config changes?


    rwpatterson
    New Member
    March 7, 2007
    Which one(s) did you update, and from what release(s)?
    Contributor
    March 8, 2007
    Both FGTs were updated from factory default to 2.8 MR11, then to 3.0.
    Contributor
    March 7, 2007
    Hi Sabuthomas, Please read the release notes on MR4. Regards, Eric
    Contributor
    March 13, 2007
    Hi.... I've been doing this too and the VPN wouldn't work, maybe you should configure it from scratch.... By the way, I also got a problem with protection profiles and they don't work either. I think it is always a problem if we upgraded from v2.8 MR11 to v3.0. I do not know why. Maybe others can give an answer?
    Contributor
    March 14, 2007
    My remote peer is getting the following error:
        Negotiate SA Error: No matching gateway for new phase 1 request
    My remote FGT config is as follows:
        Operation Mode: NAT
        Firmware: Fortigate-100A 3.00,build0477,070126
    My other end FGT config is as follows:
        Operation Mode: Transparent
        Firmware: Fortigate-50A 3.00,build0400
    If I downgrade to 2.8 MR11 on the FGT100A then my VPN is working fine. Anybody who has any such experience, please help me.
    rwpatterson
    New Member
    March 14, 2007
    Just a question. Have you tried MR3 patch 6 on the 100A? I'm curious if it is an MR4 thing, or a non-MR2 issue. Fortinet rewrote the IPSec section of their firmware between 2.8 and 3.0.
    Paul_Dean
    Visitor III
    March 14, 2007
    Hi Sabuthomas, I had the same problem when I upgraded a 50A to version 3 firmware from 2.8. The problem I had was caused by the 50A sending out IPSEC packets using the source IP of a secondary IP address and not the primary IP of the main interface. I verified this by using debug commands in the CLI:
        diagnose debug application ike 3
        diagnose debug enable
    You can see the IPSEC Phase1 initial request coming into the firewall from the remote end, and the source IP was different to the one it was supposed to use. This might not be your problem however, and I would agree with ATA and delete the entire VPN config and start again, which will most likely work. Cheers, Paul
    Contributor
    March 14, 2007
    A very strange thing which I found is that, as per my following scenario:
        Main office: FGT100A, NAT mode
        Branch office: FGT50A, Transparent mode, ver 3.00 build 400
    My VPN will work fine if I downgrade my main office to 2.8 MR11 without changing any configuration in the VPN at either end. But when I upgrade my main office to 3.0 MR4 then my VPN fails and I receive the error message "Negotiate SA Error: No matching gateway for new phase 1 request." in my main office FGT, and no error message in my branch office FGT.
    rwpatterson
    New Member
    March 14, 2007
    Did you follow the correct upgrade path when moving from v2.80 to v3MR4? You have to go through v2.8MR11 or higher first, before going to v3MR4. Check out the FortiOS v3.00 MR4 release notes (section 3.2) for more information.
    FortiRack_Eric
    New Member
    March 15, 2007
    Before you start guessing, please debug the problem. In CLI:
        diag debug enable
        diag debug app ike 3
    You will get messages on the screen, and if you capture them it will be easy to see the problem. Stop logging with:
        diag debug disable
    cheers, eric
    Paul_Dean
    Visitor III
    March 18, 2007
    Hi Sabuthomas, on the firewall that is receiving the incoming packets with the wrong source address (e.g. the 100A), edit the phase1 VPN settings for that VPN and change the gateway IP to the IP which is the source of the incoming packet coming from the other firewall (e.g. the 50A). Beware though, if you upgrade the firewall firmware it may start using the correct IP. That's my experience of the problem. You could also configure the FG to use a phase1 interface and specify an IP address for that VPN interface. That way all packets coming from the FG for that VPN should use the source IP you expect. Hope that helps and my explanation is clear. Cheers, Paul
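    The mismatch Paul describes (and the "No matching gateway for new phase 1 request" message earlier in the thread) comes down to how the responder picks a phase 1 definition for an incoming request. The following Python model is an added example written for this thread; it is not FortiOS code, and the addresses, the hostname branch.example.net and the phase 1 names are constructed. It shows why a request from a secondary IP finds no gateway when the remote gateway is the primary IP or a blank Dynamic DNS entry, and why setting the observed source IP (Paul's workaround) or a resolving DDNS name (the fix Sabu Thomas reports later) makes the request match.

```python
"""Simplified model of IKE phase 1 gateway selection.

Added example, not FortiOS code: the responder receives a phase 1 request and
looks for a configured phase 1 whose remote-gateway definition admits the
packet's source address. A static peer matches only its exact configured IP, a
Dynamic DNS peer matches whatever its hostname currently resolves to, and a
dialup peer accepts any source. When nothing admits the source, the request is
refused, which is the situation behind "No matching gateway for new phase 1
request" in this thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# Constructed sample values (RFC 5737 documentation ranges), not the thread's real addresses.
BRANCH_PRIMARY = "198.51.100.10"      # primary IP of the branch (50A) WAN interface
BRANCH_SECONDARY = "198.51.100.11"    # secondary IP the branch is actually sending from
DNS_TABLE: Dict[str, str] = {"branch.example.net": BRANCH_SECONDARY}  # hypothetical DDNS record


@dataclass(frozen=True)
class Phase1:
    name: str
    gateway_type: str                # "static", "ddns" or "dialup"
    remote_gw: Optional[str] = None  # IP for static, hostname for ddns, unused for dialup


def admits(p: Phase1, src: IPv4Address, dns: Dict[str, str]) -> bool:
    """Does phase 1 definition p accept a request arriving from src?"""
    if p.gateway_type == "static":
        return p.remote_gw is not None and IPv4Address(p.remote_gw) == src
    if p.gateway_type == "ddns":
        # A blank hostname (the thread's "Dynamic DNS: blank") resolves to nothing.
        resolved = dns.get(p.remote_gw) if p.remote_gw else None
        return resolved is not None and IPv4Address(resolved) == src
    return p.gateway_type == "dialup"


def select_gateway(phase1s: List[Phase1], src_ip: str, dns: Dict[str, str]) -> Optional[str]:
    """Name of the phase 1 that accepts src_ip, or None (no matching gateway).

    Address-specific definitions are tried before any dialup catch-all so that a
    dialup phase 1 never steals a request meant for a named static peer.
    """
    src = IPv4Address(src_ip)
    specific = [p for p in phase1s if p.gateway_type != "dialup"]
    catch_all = [p for p in phase1s if p.gateway_type == "dialup"]
    for p in specific + catch_all:
        if admits(p, src, dns):
            return p.name
    return None


def main_office_before() -> List[Phase1]:
    """The 100A as described before the fix: Dynamic DNS type with the hostname left blank."""
    return [Phase1("to_branch", "ddns", None)]


def main_office_static(observed_src: str) -> List[Phase1]:
    """Paul's workaround: static remote gateway set to the observed source of the 50A's packets."""
    return [Phase1("to_branch", "static", observed_src)]


def main_office_ddns(hostname: str) -> List[Phase1]:
    """The thread's final fix: Dynamic DNS type with a hostname that resolves to the 50A."""
    return [Phase1("to_branch", "ddns", hostname)]


if __name__ == "__main__":
    cases = [("ddns blank", main_office_before()),
             ("static, primary IP", main_office_static(BRANCH_PRIMARY)),
             ("static, observed IP", main_office_static(BRANCH_SECONDARY)),
             ("ddns resolving", main_office_ddns("branch.example.net"))]
    for label, cfg in cases:
        result = select_gateway(cfg, BRANCH_SECONDARY, DNS_TABLE)
        print(f"{label:22s} request from {BRANCH_SECONDARY} -> {result}")
```

    The model also covers the case Paul warns about: if a later firmware makes the 50A send from its primary IP again, a static gateway pinned to the secondary IP stops matching, so the observed-source workaround is fragile by design compared with a DDNS name or a phase 1 interface with a fixed source address.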
    Contributor
    March 18, 2007
    Hi Paul, I did the same experiment; my tunnel is up but there is no network access.
    FGT 50A: Remote gateway type is Static IP Address and the IP address is 83.111.---.--- (this is the public IP of my remote FGT 100A).
    When I check the incoming traffic from the 50A I found another IP, 83.110.---.---. When I set this IP in the FGT100A as the remote gateway, my tunnel is up but I could not get any network access.
    Please help me to configure VPN phase 1 in the 100A as per the following scenario:
        Main office: FGT 100A, NAT mode
        Branch office: FGT 50A, Transparent mode
    The branch office connects to the main office; the main office does not need any network access to the branch office. When the firmware was 2.8 my connection was fine. After I upgraded to 3 the following became my VPN configuration:
        FGT 50A
            Remote Gateway: Static IP Address
            IP Address: 83.111.---.---
        FGT100A
            Remote Gateway: Dynamic DNS
            Dynamic DNS: blank
    (If I change Dynamic DNS to Static IP Address and the IP address becomes the same incoming address from the FGT50A, then my tunnel is up, but no network access.)
    Paul_Dean
    Visitor III
    March 18, 2007
    Hi Sabuthomas, sounds like you are making progress. If your phase2 tunnel shows up at both ends then phase1 and phase2 are correctly configured. Next you need to look at your firewall policies, assuming you are not using VPN interface mode, which requires very different configs.
    On both firewalls under "Firewall -> Address" make sure you have defined both local and remote networks, e.g.: FG100A = 10.10.10.0/24 and FG50A = 10.20.20.0/24.
    For each firewall under "Firewall -> Policy" make sure you have defined an encryption policy such as:
        FG50A - Internal (10.20.20.0/24) to External (10.10.10.0/24), Always, Any, IPSEC, and select your phase2 tunnel.
        FG100A - Internal (10.10.10.0/24) to WAN1 (10.20.20.0/24), Always, Any, IPSEC, and select your phase2 tunnel.
    Make sure the policies are at the top of the list and that should work. Let me know how you get on. Cheers, Paul
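    Paul's "make sure the policies are at the top of the list" is the part that usually bites: policy lookup is first-match, so a broader policy covering the same source and destination that sits above the encryption policy captures the traffic and it never enters the tunnel. The following Python model is an added example for this thread, not FortiOS code; it reuses Paul's example networks, and the policy names, the phase 2 name to_hq_p2, the internet address and the client addresses are constructed.

```python
"""First-match model of FortiGate-style firewall policy lookup.

Added example, not FortiOS code. Policies are evaluated top to bottom and the
first one whose interfaces and address objects match decides the fate of the
flow. An IPsec (encryption) policy therefore has to sit above any broader
policy covering the same source and destination, otherwise that broader policy
wins and the packets are forwarded (or NATed) in the clear instead of entering
the tunnel. Addresses below follow Paul's example networks; the internet
destination is a constructed RFC 5737 address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    src_intf: str
    dst_intf: str
    src_addr: str                 # address object as CIDR
    dst_addr: str
    action: str                   # "accept" (route/NAT) or "ipsec" (encrypt into tunnel)
    tunnel: Optional[str] = None  # phase 2 tunnel name for ipsec policies


def first_match(policies: List[Policy], src_intf: str, dst_intf: str,
                src_ip: str, dst_ip: str) -> Optional[Tuple[int, Policy]]:
    """Return (position, policy) of the first matching policy, or None (implicit deny)."""
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for pos, p in enumerate(policies):
        if p.src_intf != src_intf or p.dst_intf != dst_intf:
            continue
        if src in IPv4Network(p.src_addr) and dst in IPv4Network(p.dst_addr):
            return pos, p
    return None


def disposition(policies: List[Policy], src_intf: str, dst_intf: str,
                src_ip: str, dst_ip: str) -> str:
    """Human-readable outcome: 'tunnel:<name>', 'plaintext' or 'denied'."""
    hit = first_match(policies, src_intf, dst_intf, src_ip, dst_ip)
    if hit is None:
        return "denied"
    _, p = hit
    return f"tunnel:{p.tunnel}" if p.action == "ipsec" else "plaintext"


# FG50A (branch) policies as Paul describes them: the encryption policy at the top.
ENCRYPT = Policy("internal", "external", "10.20.20.0/24", "10.10.10.0/24", "ipsec", "to_hq_p2")
INTERNET = Policy("internal", "external", "10.20.20.0/24", "0.0.0.0/0", "accept")  # general outbound/NAT

CORRECT_ORDER = [ENCRYPT, INTERNET]
SHADOWED_ORDER = [INTERNET, ENCRYPT]  # encryption policy pushed below the catch-all

if __name__ == "__main__":
    for name, pol in [("correct order", CORRECT_ORDER), ("shadowed order", SHADOWED_ORDER)]:
        to_hq = disposition(pol, "internal", "external", "10.20.20.5", "10.10.10.7")
        to_web = disposition(pol, "internal", "external", "10.20.20.5", "203.0.113.9")
        print(f"{name}: traffic to HQ -> {to_hq}; traffic to internet -> {to_web}")
```

    Note that the shadowed order does not produce a drop or an error anywhere, which is what makes it look like a "tunnel up but no network access" symptom: phase 1 and phase 2 negotiate fine, while the interesting traffic simply takes the general outbound policy instead.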
    Contributor
    March 19, 2007
    Dear All, finally I have successfully brought up my tunnel. My heartiest thanks to all for participating in this topic and giving your valuable ideas. Following is the solution which we found after our experiments when upgrading firmware from 2.8 to 3.
    The solution is based on my following scenario:
        Main office: FGT100A, old firmware 2.8 MR11 upgraded to 3.00 build 0477, mode NAT
        Branch office: FGT50A, old firmware 2.8 upgraded to 3.0 build 400, mode Transparent, connecting through the internet using DSL
    The branch office connects to the main office; no connection is needed from the main office to the branch office.
    Following is the VPN config before upgrading:
        FGT 50A
            Remote Gateway: Static IP Address
            IP Address: Public IP of FGT100A
        FGT100A
            Remote Gateway: Dynamic DNS
            Dynamic DNS: <blank>
    Following changes we need to make when upgrading to 3.0:
        No changes needed in the FGT50A.
        In the FGT100A, Dynamic DNS needs a value (I did a trick to get the DNS value by typing tracert <incoming ip address of FGT50A> in the command prompt).
    Thanks once again to all.
    Sabu Thomas, MBA, CISM, CISA
    IT Manager
    Minako General Trading CO LLC
    Dubai, U.A.E
    sabu@minako.ae
    www.minako.ae