The following error message may be observed in the exported FortiClient debug logs:
msg="No response from the peer, phase1 retransmit reaches maximum count"
The message below may also appear on FortiClient:
On the FortiGate, debug settings vary depending on the firmware version.
If the FortiGate is running v7.2.x, the following logs may be seen in the IKE debugs.
diagnose debug reset
diagnose debug app ike -1
diagnose debug console timestamp enable
diagnose debug enable

2024-09-03 05:14:29.602513 ike 0:ae258a933eed2138/0000000000000000:65: SA proposal chosen, matched gateway FCT_Ipsec
2024-09-03 05:14:29.602580 ike 0:FCT_Ipsec: created connection: 0x7ca2e20 7 192.168.1.75->192.168.1.74:500.
2024-09-03 05:14:29.602612 ike 0:FCT_Ipsec:65: DPD negotiated
2024-09-03 05:14:29.602631 ike 0:FCT_Ipsec:65: XAUTHv6 negotiated
2024-09-03 05:14:29.602661 ike 0:FCT_Ipsec:65: peer supports UNITY
2024-09-03 05:14:29.602678 ike 0:FCT_Ipsec:65: enable FortiClient license check
2024-09-03 05:14:29.602697 ike 0:FCT_Ipsec:65: enable FortiClient endpoint compliance check, use 169.254.1.1
2024-09-03 05:14:29.602715 ike 0:FCT_Ipsec:65: selected NAT-T version: RFC 3947
2024-09-03 05:14:29.602755 ike 0:FCT_Ipsec:65: generate DH public value request queued
2024-09-03 05:14:29.602792 ike 0:FCT_Ipsec:65: failed to compute DH shared secret
2024-09-03 05:14:29.602863 ike 0:FCT_Ipsec: connection expiring due to phase1 down
2024-09-03 05:14:29.602883 ike 0:FCT_Ipsec: deleting
2024-09-03 05:14:29.602905 ike 0:FCT_Ipsec: deleted
On devices running FortiOS versions 7.4.x and 7.6.x, the message ‘compute DH shared secret request’ repeatedly appears in a loop in the IKE debug logs, as shown below.
ike V=root:0:bc230472d864dae5/0000000000000000:306: SA proposal chosen, matched gateway Test_Ipsec
ike V=root:0:Test_Ipsec: created connection: 0x9fd7a80 7 192.168.1.77->192.168.1.75:1012.
ike V=root:0:Test_Ipsec:306: DPD negotiated
ike V=root:0:Test_Ipsec:306: XAUTHv6 negotiated
ike V=root:0:Test_Ipsec:306: peer supports UNITY
ike V=root:0:Test_Ipsec:306: enable FortiClient license check
ike V=root:0:Test_Ipsec:306: enable FortiClient endpoint compliance check, use 169.254.1.1
ike V=root:0:Test_Ipsec:306: selected NAT-T version: RFC 3947
ike V=root:0:Test_Ipsec:306: generate DH public value request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
****** Thousands of identical lines have been omitted ******
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued
ike V=root:0:Test_Ipsec:306: negotiation timeout, deleting
ike V=root:0:Test_Ipsec: connection expiring due to phase1 down
ike V=root:0:Test_Ipsec: going to be deleted
diagnose debug disable <----- Use this command to stop the debug.
This issue has been resolved in:
- v7.6.5 (scheduled to be released in December 2025).
- v8.0.0 (scheduled to be released in March 2026).
These timelines for firmware release are estimated and may be subject to change.
Workarounds:
- Use IKEv2 instead of IKEv1.
- If IKEv1 is required, use Main Mode instead of Aggressive Mode.
- When using IKEv1 Aggressive Mode, ensure that only one common Diffie-Hellman (DH) group is configured in both Phase 1 and Phase 2 on the FortiGate and FortiClient for the IPsec dial-up VPN.
As seen in the screenshot below, two DH groups (4 and 15) are being used in the FortiClient configuration.

Select only one DH group on either the FortiGate or the FortiClient. For example, if DH groups 14 and 5 are selected on the FortiGate, use only 14 or only 5 on the FortiClient.
To make the changes in FortiClient, navigate to IPsec VPN -> Advanced settings -> Phase 1 -> Select 14/5:

In Phase 2, select DH 5:
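As an added example that is not part of this article or of any Fortinet tool, the Python script below triages an IKE debug capture for the two signatures shown earlier (the single "failed to compute DH shared secret" line on v7.2.x and the repeated "compute DH shared secret request queued" loop on v7.4.x/v7.6.x) and checks a pair of configured DH-group lists against the workaround above (exactly one DH group common to FortiGate and FortiClient). The sample log lines are constructed from the article's excerpts; the loop threshold of 50 lines and the function names are assumptions of this example.

```python
import re

# Constructed sample captures, abridged from the article's two debug excerpts.
SAMPLE_72X = """\
2024-09-03 05:14:29.602513 ike 0:ae258a933eed2138/0000000000000000:65: SA proposal chosen, matched gateway FCT_Ipsec
2024-09-03 05:14:29.602755 ike 0:FCT_Ipsec:65: generate DH public value request queued
2024-09-03 05:14:29.602792 ike 0:FCT_Ipsec:65: failed to compute DH shared secret
2024-09-03 05:14:29.602863 ike 0:FCT_Ipsec: connection expiring due to phase1 down
"""

SAMPLE_74X = "\n".join(
    ["ike V=root:0:bc230472d864dae5/0000000000000000:306: SA proposal chosen, matched gateway Test_Ipsec",
     "ike V=root:0:Test_Ipsec:306: generate DH public value request queued"]
    + ["ike V=root:0:Test_Ipsec:306: compute DH shared secret request queued"] * 500
    + ["ike V=root:0:Test_Ipsec:306: negotiation timeout, deleting",
       "ike V=root:0:Test_Ipsec: connection expiring due to phase1 down"]
) + "\n"

# One IKE debug line: optional timestamp, "ike", optional "V=<vdom>:" prefix (7.4.x+),
# then "0:<gateway-or-SPI>:[<seq>:] <message>".
LINE_RE = re.compile(r"ike\s+(?:V=\w+:)?0:(?P<gw>[^:]+):(?:\d+:)?\s*(?P<msg>.*)$")


def triage_ike_debug(text, loop_threshold=50):
    """Classify a capture as 'dh-compute-failed' (7.2.x signature), 'dh-compute-loop'
    (7.4.x/7.6.x signature) or 'no-dh-signature'. loop_threshold is an assumed cut-off."""
    gateway = None
    dh_failed = False
    loop_count = 0
    timed_out = False
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        gm = re.search(r"matched gateway (\S+)", msg)
        if gm:
            gateway = gm.group(1)          # name of the dial-up phase1 that was matched
        elif msg == "failed to compute DH shared secret":
            dh_failed = True
        elif msg == "compute DH shared secret request queued":
            loop_count += 1
        elif msg.startswith("negotiation timeout"):
            timed_out = True
    if dh_failed:
        verdict = "dh-compute-failed"
    elif loop_count >= loop_threshold:
        verdict = "dh-compute-loop"
    else:
        verdict = "no-dh-signature"
    return {"gateway": gateway, "verdict": verdict,
            "loop_count": loop_count, "timed_out": timed_out}


def dh_workaround_ok(fortigate_groups, forticlient_groups):
    """True when exactly one DH group is common to both sides, which is the
    condition the workaround asks for (e.g. FortiGate 14+5, FortiClient 14 only)."""
    return len(set(fortigate_groups) & set(forticlient_groups)) == 1


if __name__ == "__main__":
    for name, capture in (("v7.2.x", SAMPLE_72X), ("v7.4.x/v7.6.x", SAMPLE_74X)):
        print(name, triage_ike_debug(capture))
    print("FGT 14,5 / FCT 14 ->", dh_workaround_ok([14, 5], [14]))
    print("FGT 14,5 / FCT 14,5 ->", dh_workaround_ok([14, 5], [14, 5]))
```

Feed the script the text saved from the FortiGate console after running the debug commands above; a "dh-compute-loop" or "dh-compute-failed" verdict on a dial-up gateway is the cue to compare the Phase 1 and Phase 2 DH-group lists on both ends rather than to look for a network or credential problem.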
Related article:
Technical Tip: Generate DH public value request pending and compute DH shared secret request pending...