syao
Staff
Article Id: 369027
Description: This article explains how to adjust the negotiation timeout for the IPsec tunnel on a FortiGate device.
Scope: FortiOS 6.2 and above
Solution:

By default, the FortiGate IPsec negotiation has a 30-second timeout. This means the FortiGate will wait for a response from the peer for no longer than 30 seconds.


The IKE debug output can be collected with the following commands:

diagnose debug reset
diagnose debug app ike -1
diagnose debug enable
diagnose debug console timestamp enable

To stop debugging:

diagnose debug disable
diagnose debug reset

In the output below, it can be seen that the FortiGate sent ident_i1send, but did not receive a response from the peer within the 30-second window, resulting in a connection timeout.

2025-01-09 12:34:28.120523 ike V=root:0:TEST: auto-negotiate connection
2025-01-09 12:34:28.122556 ike V=root:0:TEST:TEST: created connection: 0xff4a6b0 3 10.47.1.77->10.47.3.146:500.
2025-01-09 12:34:28.125303 ike V=root:0:TEST:16: initiator: main mode is sending 1st message...
2025-01-09 12:34:28.127912 ike V=root:0:TEST:16: cookie cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:28.155479 ike V=root:0:TEST:16: sent IKE msg (ident_i1send): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:31.145221 ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:37.151208 ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:49.146385 ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:58.122471 ike V=root:0:TEST:16: negotiation timeout, deleting
2025-01-09 12:34:58.123722 ike V=root:0:TEST: connection expiring due to phase1 down
2025-01-09 12:34:58.124912 ike V=root:0:TEST: going to be deleted
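
An added example (not part of the original article or any Fortinet tooling): a short Python parser for the IKE debug output above that recovers the phase 1 retransmission schedule and the total wait before "negotiation timeout, deleting". The function name phase1_timeouts and the regular expressions are assumptions based only on the line formats visible in this capture.

```python
import re
from datetime import datetime

# Constructed input: the timestamped lines for connection TEST:16 from the
# capture above, with the raw packet hex dumps left out.
SAMPLE = """\
2025-01-09 12:34:28.125303 ike V=root:0:TEST:16: initiator: main mode is sending 1st message...
2025-01-09 12:34:28.155479 ike V=root:0:TEST:16: sent IKE msg (ident_i1send): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:31.145221 ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:37.151208 ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:49.146385 ike V=root:0:TEST:16: sent IKE msg (P1_RETRANSMIT): 10.47.1.77:500->10.47.3.146:500, len=572, vrf=0, id=cf5294e1886d4c3a/0000000000000000
2025-01-09 12:34:58.122471 ike V=root:0:TEST:16: negotiation timeout, deleting
"""

LINE = re.compile(r"^(\S+ \S+) ike V=\w+:\d+:([^:]+):(\d+): (.*)$")
SENT = re.compile(r"sent IKE msg \((\w+)\)")

def phase1_timeouts(text):
    """Return, per (tunnel, connection id) that ended in a negotiation
    timeout, the messages sent, the gaps between them and the total wait."""
    conns = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # hex dump fragments and lines without a connection id
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        c = conns.setdefault((m.group(2), m.group(3)), {"sends": [], "timeout": None})
        sent = SENT.search(m.group(4))
        if sent:
            c["sends"].append((ts, sent.group(1)))
        elif m.group(4).startswith("negotiation timeout"):
            c["timeout"] = ts
    report = {}
    for key, c in conns.items():
        if c["timeout"] is None or not c["sends"]:
            continue  # negotiation still running or nothing sent yet
        times = [t for t, _ in c["sends"]]
        report[key] = {
            "msgs": [name for _, name in c["sends"]],
            "gaps": [round((b - a).total_seconds()) for a, b in zip(times, times[1:])],
            "elapsed": round((c["timeout"] - times[0]).total_seconds()),
        }
    return report

if __name__ == "__main__":
    for (tunnel, conn), r in phase1_timeouts(SAMPLE).items():
        print(f"{tunnel}:{conn} sent {r['msgs']}, gaps={r['gaps']}s, "
              f"timed out after {r['elapsed']}s")
```

On this capture it reports three retransmissions spaced 3, 6 and 12 seconds apart and a timeout 30 seconds after the first message, which matches the default timer.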

 

This negotiation timeout timer can be adjusted only through the CLI:

 

config vpn ipsec phase1-interface
    edit x
        set negotiate-timeout <integer>
end

Enter an integer value from 1 to 300 (default = 30).