FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
auppal
Staff
Article Id 404549
Description This article describes how to troubleshoot a cross-regional ADVPN issue when a shortcut tunnel cannot be established between spokes connecting to different ADVPN hubs due to the error message 'shortcut-query ike version mismatch, ignoring'.
Scope FortiGate.
Solution

Topology: figure Topology.png (Spoke1-1 behind Hub1, Spoke2-1 behind Hub2, with a Hub-to-Hub tunnel between Hub1 and Hub2).


When the traffic is initiated from Spoke1-1 to Spoke2-1 via Hub1 and Hub2, Hub1 will initiate the ADVPN shortcut negotiations with Spoke1-1 by sending SHORTCUT-OFFER. In response, Spoke1-1 sends a SHORTCUT-QUERY to Hub1, which forwards the query to Hub2. 

If the IKE version of the received SHORTCUT-QUERY differs from that of the Hub-to-Hub tunnel, Hub2 ignores the SHORTCUT-QUERY and logs 'shortcut-query ike version mismatch, ignoring' in the IKE debug output.


Hub2 # diagnose debug application ike -1
Hub2 # diagnose vpn ike log filter rem-addr4 <remote gateway IP address>
Hub2 # diagnose debug enable

2025-07-21 16:46:34.054722 ike V=root:0:Hub_to_Hub_ISP1: recv shortcut-query 36592337872xxx 94f09fcxxx/0000000000000000 x.1.x.x 172.16.1.2:2048->172.26.0.2:0 0 psk 64 ppk 0 ttl 31 nat 0 ver 2 mode 0 network-id 11
2025-07-21 16:46:34.055093 ike V=root:0:Hub_to_Hub_ISP1: iif 32 172.16.1.2->172.26.0.2 0 route lookup oif 6 port4 gwy 0.0.0.0
2025-07-21 16:46:34.055330 ike V=root:0:Hub_to_Hub_ISP1: shortcut-query ike version mismatch, ignoring


In this example, the Hub-to-Spoke tunnels are configured with IKEv2, whereas the Hub-to-Hub tunnel is configured with IKEv1. Because of the mismatch, Hub2 ignores the SHORTCUT-QUERY message from Spoke1-1, and the Spoke1-1 to Spoke2-1 shortcut cannot be established. 


To resolve this, ensure the same IKE version is configured on both Hub-to-Spoke and Hub-to-Hub tunnels.
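As an added example (not from the article or from Fortinet), the check below runs over constructed IKE debug lines in the format shown above and reports each received SHORTCUT-QUERY whose 'ver' value differs from the assumed ike-version of the hub-to-hub tunnel that received it, which is exactly the condition that produces the 'ignoring' message. The tunnel names, SPIs, addresses and the ike-version table are made-up assumptions.

```python
import re

# Constructed sample of the IKE debug lines the article shows (SPIs and
# addresses are made up; real output carries your own values).
SAMPLE_IKE_DEBUG = """\
2025-07-21 16:46:34.054722 ike V=root:0:Hub_to_Hub_ISP1: recv shortcut-query 365923378720000001 94f09fc00000a1/0000000000000000 10.1.1.1 172.16.1.2:2048->172.26.0.2:0 0 psk 64 ppk 0 ttl 31 nat 0 ver 2 mode 0 network-id 11
2025-07-21 16:46:34.055093 ike V=root:0:Hub_to_Hub_ISP1: iif 32 172.16.1.2->172.26.0.2 0 route lookup oif 6 port4 gwy 0.0.0.0
2025-07-21 16:46:34.055330 ike V=root:0:Hub_to_Hub_ISP1: shortcut-query ike version mismatch, ignoring
2025-07-21 16:47:01.100000 ike V=root:0:Hub_to_Hub_ISP2: recv shortcut-query 365923378720000002 94f09fc00000b2/0000000000000000 10.1.1.1 172.16.1.3:2048->172.26.0.3:0 0 psk 64 ppk 0 ttl 31 nat 0 ver 2 mode 0 network-id 11
"""

# Assumed 'set ike-version' values of the hub-to-hub phase1-interfaces on Hub2
# (constructed; read them from 'show vpn ipsec phase1-interface' in practice).
IKE_VERSION_BY_TUNNEL = {"Hub_to_Hub_ISP1": 1, "Hub_to_Hub_ISP2": 2}

# The tunnel name sits between 'V=<vdom>:<n>:' and ': recv shortcut-query';
# 'ver N' in the query summary is the IKE version the spoke's query carries.
QUERY_RE = re.compile(
    r"ike V=\S+?:\d+:(?P<tunnel>[^:]+): recv shortcut-query .*?\bver (?P<ver>[12])\b")
IGNORED_RE = re.compile(
    r"ike V=\S+?:\d+:(?P<tunnel>[^:]+): shortcut-query ike version mismatch, ignoring")

def find_ike_version_mismatches(debug_text, ike_version_by_tunnel):
    """One record per SHORTCUT-QUERY whose IKE version differs from the receiving
    tunnel's ike-version, noting whether ike also logged the 'ignoring' message."""
    ignored = {m.group("tunnel") for m in IGNORED_RE.finditer(debug_text)}
    findings = []
    for m in QUERY_RE.finditer(debug_text):
        tunnel, query_ver = m.group("tunnel"), int(m.group("ver"))
        tunnel_ver = ike_version_by_tunnel.get(tunnel)
        if tunnel_ver is not None and tunnel_ver != query_ver:
            findings.append({
                "tunnel": tunnel,
                "query_ike_version": query_ver,
                "tunnel_ike_version": tunnel_ver,
                "ignored_logged": tunnel in ignored,
            })
    return findings

if __name__ == "__main__":
    for f in find_ike_version_mismatches(SAMPLE_IKE_DEBUG, IKE_VERSION_BY_TUNNEL):
        print(f"{f['tunnel']}: spoke query is IKEv{f['query_ike_version']}, hub-to-hub "
              f"tunnel is IKEv{f['tunnel_ike_version']} -> align 'set ike-version' "
              f"on both sides (ignoring message seen: {f['ignored_logged']})")
```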


Note: In FortiOS v7.2 and earlier, the IKE debug filter command is 'diagnose vpn ike log-filter' rather than 'diagnose vpn ike log filter', and it takes different arguments. See the article 'Troubleshooting Tip: IPsec Tunnel (debugging IKE)' for more information.