amrit
Staff & Editor
Article Id 389685
Description This article explains a potential reason why a shortcut may not be established when ADVPN 2.0 is enabled on spokes.
Scope FortiGate v7.4.2+, v7.6.0+.
Solution

Topology:

Source 192.168.200.2----------SPOKE1-----------HUB-----------SPOKE2-----------Destination 192.168.130.2

 

ADVPN 2.0 is enabled on all the spokes (see: ADVPN 2.0 edge discovery and path management).

 

While running a ping from the source to the destination, the shortcut tunnel does not form, and traffic always flows via the HUB FortiGate.

 

Run IKE debugs on the Spoke1 FortiGate:

 

diagnose debug reset 

diagnose debug console timestamp enable

diagnose debug application ike -1

diagnose debug enable

 

The following error appears in the debug output: 'vwl found no viable shortcut, drop exchange'.

 

ADVPN-SPK1 # 2025-04-26 20:50:47.093646 ike :shrank heap by 126976 bytes
2025-04-26 20:51:05.417217 ike V=root:0: comes 10.9.11.249:500->10.9.12.29:500,ifindex=3,vrf=0,len=256....
2025-04-26 20:51:05.417827 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=07402623b9f8ba5e/83e0433c107c9bbc:0000000e len=256
2025-04-26 20:51:05.422733 ike V=root:0:toHUB1:0: received informational request
2025-04-26 20:51:05.423126 ike V=root:0:toHUB1:0: processing notify type SHORTCUT_OFFER
2025-04-26 20:51:05.423579 ike V=root:0:toHUB1: ikev2_process_shortcut_offer sport 2048, dport 0, proto 1, iif 21
2025-04-26 20:51:05.424117 ike V=root:0:toHUB1: shortcut-offer 192.168.200.2->192.168.130.2 0 psk 64 ppk 0 ver 2 mode 0, peer-addr 10.9.12.32:0
2025-04-26 20:51:05.424764 ike V=root:0 looking up shortcut by addr 192.168.130.2, resp-name:, name toHUB1, peer-addr 10.9.12.32:0
2025-04-26 20:51:05.425392 ike V=root:0:toHUB1: send shortcut-query 14610957038111329310 ebf9ec6a142f2a48/0000000000000000 10.9.12.29 192.168.200.2->192.168.130.2 0 psk 64 ttl 32 nat 0 ver 2 mode 0 network-id 10
2025-04-26 20:51:05.427718 ike V=root:0:toHUB1:0: sent IKE msg (INFORMATIONAL_RESPONSE): 10.9.12.29:500->10.9.11.249:500, len=80, vrf=0, id=07402623b9f8ba5e/83e0433c107c9bbc:0000000e, oif=3
2025-04-26 20:51:05.428571 ike V=root:0:toHUB1:321: sending NOTIFY msg
2025-04-26 20:51:05.428927 ike V=root:0:toHUB1:0:321: send informational
2025-04-26 20:51:05.434286 ike V=root:0:toHUB1:0: sent IKE msg (INFORMATIONAL): 10.9.12.29:500->10.9.11.249:500, len=304, vrf=0, id=07402623b9f8ba5e/83e0433c107c9bbc:00000012, oif=3
2025-04-26 20:51:05.446831 ike V=root:0: comes 10.9.11.249:500->10.9.12.29:500,ifindex=3,vrf=0,len=80....
2025-04-26 20:51:05.447373 ike V=root:0: IKEv2 exchange=INFORMATIONAL_RESPONSE id=07402623b9f8ba5e/83e0433c107c9bbc:00000012 len=80
2025-04-26 20:51:05.449373 ike V=root:0:toHUB1:0: received informational response
2025-04-26 20:51:05.449768 ike V=root:0:toHUB1:321: received NOTIFY acknowledgement
2025-04-26 20:51:05.450177 ike V=root:0:toHUB1:0:321: processing informational acknowledgement
2025-04-26 20:51:05.518399 ike V=root:0: comes 10.9.11.249:500->10.9.12.29:500,ifindex=3,vrf=0,len=832....
2025-04-26 20:51:05.518963 ike V=root:0: IKEv2 exchange=INFORMATIONAL id=07402623b9f8ba5e/83e0433c107c9bbc:0000000f len=832
2025-04-26 20:51:05.533548 ike V=root:0:toHUB1:0: received informational request
2025-04-26 20:51:05.533954 ike V=root:0:toHUB1:0: processing notify type SHORTCUT_REPLY
2025-04-26 20:51:05.534409 ike V=root:0:toHUB1: recv shortcut-reply 14610957038111329310 ebf9ec6a142f2a48/e85b4dc2751064e1 10.9.12.32 to 192.168.200.2 0 psk 64 ppk 0 ver 2 mode 0 ext-mapping 10.9.12.32:0, network-id 10/10
2025-04-26 20:51:05.535400 ike V=root:0:toHUB1: iif 21 192.168.130.2->192.168.200.2 0 route lookup oif 5 port3 gwy 0.0.0.0
2025-04-26 20:51:05.535985 ike V=root:root:0:toHUB1: finding rpdb ip: 192.168.130.2, gw: 192.168.200.2, dip: 192.168.200.2, sip: 192.168.130.2, sport 2048, dport 0, proto 1, oif 22, rpdb_id: 0x7f010001, c->iif: 21, info->iif: 0, igw->if_index: 3, info->vrf:0
2025-04-26 20:51:05.538526 ike V=root:0:toHUB1: rpdb_id: 2130771969
2025-04-26 20:51:05.538885 ike 0:toHUB1: send vwl oif request (0x5787d74d) for intf toHUB1 site ADVPN-SPK2-0-Overlay
2025-04-26 20:51:05.540883 ike V=root:0:toHUB1:0: sent IKE msg (INFORMATIONAL_RESPONSE): 10.9.12.29:500->10.9.11.249:500, len=80, vrf=0, id=07402623b9f8ba5e/83e0433c107c9bbc:0000000f, oif=3
2025-04-26 20:51:05.541752 ike V=root:0:toHUB1: recv vwl advpn oif response (0x5787d74d)
2025-04-26 20:51:05.542207 ike V=root:0:toHUB1: empty vwl oif response
2025-04-26 20:51:05.542579 ike V=root:0:toHUB1: vwl found no viable shortcut, drop exchange

 

To disable debugs:

 

diagnose debug disable

diagnose debug reset

 

This happens because Spoke1 cannot obtain the underlay link health status from the destination spoke, which can result from missing configuration on the destination spoke. In this example, the transport group was not assigned to the ISP link on the destination spoke, so the link health check negotiation failed. After the correct transport group was assigned in the SD-WAN configuration on the destination spoke, the shortcut formed correctly.

 

config system sdwan
    config members
        edit <interface id>
            set interface <tunnel interface>
            set zone <zone>
            set transport-group <group id>
        next
    end
end
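
To check a saved IKE debug capture for this failure, the following added example (not Fortinet code and not part of the original article) walks the shortcut exchange stage by stage and reports where it stopped. The sample input is constructed from the shortcut-related lines of the debug output above, one record per line; the function name, stage names and verdict strings are assumptions made for the example.

```python
import re

# Constructed sample: shortcut-related records from the debug output above,
# rejoined one per line, hex dumps omitted.
SAMPLE = """\
2025-04-26 20:51:05.424117 ike V=root:0:toHUB1: shortcut-offer 192.168.200.2->192.168.130.2 0 psk 64 ppk 0 ver 2 mode 0, peer-addr 10.9.12.32:0
2025-04-26 20:51:05.425392 ike V=root:0:toHUB1: send shortcut-query 14610957038111329310 ebf9ec6a142f2a48/0000000000000000 10.9.12.29 192.168.200.2->192.168.130.2 0 psk 64 ttl 32 nat 0 ver 2 mode 0 network-id 10
2025-04-26 20:51:05.534409 ike V=root:0:toHUB1: recv shortcut-reply 14610957038111329310 ebf9ec6a142f2a48/e85b4dc2751064e1 10.9.12.32 to 192.168.200.2 0 psk 64 ppk 0 ver 2 mode 0 ext-mapping 10.9.12.32:0, network-id 10/10
2025-04-26 20:51:05.538885 ike 0:toHUB1: send vwl oif request (0x5787d74d) for intf toHUB1 site ADVPN-SPK2-0-Overlay
2025-04-26 20:51:05.542207 ike V=root:0:toHUB1: empty vwl oif response
2025-04-26 20:51:05.542579 ike V=root:0:toHUB1: vwl found no viable shortcut, drop exchange
"""

# Stage label (hypothetical name) and the debug message text that marks it.
STAGES = [
    ("offer", r"shortcut-offer (\S+)->(\S+) .*peer-addr (\S+?):"),
    ("query", r"send shortcut-query (\d+) "),
    ("reply", r"recv shortcut-reply (\d+) \S+ (\S+) to"),
    ("vwl_request", r"send vwl oif request \(\S+\) for intf (\S+) site (\S+)"),
    ("vwl_empty", r"empty vwl oif response"),
    ("dropped", r"vwl found no viable shortcut, drop exchange"),
]

def diagnose(log):
    """Return the stages seen, the flow details, and where the exchange stopped."""
    seen, info = [], {}
    for line in log.splitlines():
        for stage, pattern in STAGES:
            m = re.search(pattern, line)
            if not m:
                continue
            seen.append(stage)
            if stage == "offer":
                info["flow"] = f"{m.group(1)}->{m.group(2)}"
                info["peer"] = m.group(3)
            elif stage == "vwl_request":
                info["tunnel"], info["site"] = m.groups()
    if "dropped" in seen:
        verdict = "no viable underlay from SD-WAN; check transport-group on the destination spoke"
    elif "offer" in seen and "reply" not in seen:
        verdict = "shortcut-query sent but no shortcut-reply seen"
    elif "offer" in seen:
        verdict = "no vwl drop in this capture"
    else:
        verdict = "no shortcut exchange in this capture"
    return {"stages": seen, "verdict": verdict, **info}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```
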

 

Related articles:
Technical Tip: Configuring BGP overlay for ADVPN 2.0 

Technical Tip: How ADVPN 2.0 is different from ADVPN 1.0 

Technical Tip: SD-WAN ADVPN 2.0 deletion of all shortcuts to a remote spoke when idle