By default, the FortiGate IPsec negotiation has a 30-second timeout. This means the FortiGate will wait for a response from the peer for no longer than 30 seconds.
In the output below, we can see that the FortiGate sent ident_i1send, but did not receive a response from the peer within the 30-second window, resulting in a connection timeout.
Alza-KVM # diag deb reset
Alza-KVM # diag deb app ike -1
Alza-KVM # diag deb enable
Alza-KVM # diag deb console timestamp enable
2025-01-09 12:34:28.120523 ike V=root:0:TEST: auto-negotiate connection
2025-01-09 12:34:28.122556 ike V=root:0:TEST:TEST: created connection: 0xff4a6b0 3 10.47.1.77->10.47.3.146:500.
2025-01-09 12:34:28.125303 ike V=root:0:TEST:16: initiator: main mode is sending 1st message...
2025-01-09 12:34:28.127912 ike V=root:0:TEST:16: cookie cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:28.130501 ike 0:TEST:16: out
ike V=root:0:TEST:16: sent IKE msg (ident_i1send): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:31.127102 ike 0:TEST:16: out
ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:37.125672 ike 0:TEST:16: out
ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:49.118769 ike 0:TEST:16: out
ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:58.122471 ike V=root:0:TEST:16: negotiation timeout, deleting
2025-01-09 12:34:58.123722 ike V=root:0:TEST: connection expiring due to phase1 down
2025-01-09 12:34:58.124912 ike V=root:0:TEST: going to be deleted
This negotiation timeout timer can be adjusted only through the CLI:
config vpn ipsec phase1-interface
    edit x
        set negotiate-timeout <integer>
    end
Enter an integer value from 1 to 300 (default = 30).
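When reviewing a saved IKE debug capture, the same timeout pattern can be picked out automatically. The following Python script is an added example, not Fortinet code: it finds phase 1 attempts that ended in "negotiation timeout", counts the transmissions, and measures the gaps between them and the total wait. The function name `analyze` and the regular expression are assumptions based only on the line layout shown on this page.

```python
import re
from datetime import datetime

# Assumed layout: "<timestamp> ike [V=<vdom>:]<n>:<tunnel>:<sa-id>: <message>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike "
    r"(?:V=\w+:)?\d+:(?P<tunnel>[^:]+):(?P<sa>\d+): (?P<msg>.*)$"
)

# Constructed sample: timestamped lines from the output above, hex dumps left out.
SAMPLE = """\
2025-01-09 12:34:28.120523 ike V=root:0:TEST: auto-negotiate connection
2025-01-09 12:34:28.125303 ike V=root:0:TEST:16: initiator: main mode is sending 1st message...
2025-01-09 12:34:28.130501 ike 0:TEST:16: out
2025-01-09 12:34:31.127102 ike 0:TEST:16: out
2025-01-09 12:34:37.125672 ike 0:TEST:16: out
2025-01-09 12:34:49.118769 ike 0:TEST:16: out
2025-01-09 12:34:58.122471 ike V=root:0:TEST:16: negotiation timeout, deleting
"""

def analyze(log_text):
    """Return {(tunnel, sa_id): summary} for phase 1 attempts that timed out."""
    sends, results = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # lines without an SA id or timestamp are not needed here
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        key = (m["tunnel"], int(m["sa"]))
        if m["msg"].split(" ", 1)[0] == "out":
            # every "out" line is one transmission (first packet or a retransmit)
            sends.setdefault(key, []).append(ts)
        elif m["msg"].startswith("negotiation timeout"):
            tx = sends.pop(key, [])
            gaps = [round((b - a).total_seconds()) for a, b in zip(tx, tx[1:])]
            results[key] = {
                "transmissions": len(tx),
                "retransmit_gaps_s": gaps,
                "waited_s": round((ts - tx[0]).total_seconds()) if tx else None,
            }
    return results

if __name__ == "__main__":
    for (tunnel, sa), info in analyze(SAMPLE).items():
        print(f"{tunnel} SA {sa}: no peer response, {info}")
```

On the sample, the measured wait from the first packet to the timeout line matches the 30-second default, which helps tell a plain timeout apart from a tunnel whose negotiate-timeout has been changed.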