Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
eowusu
Staff
Staff

Created on ‎06-21-2022 01:24 PM Edited on ‎06-22-2022 06:55 AM By Anonymous

Article Id 215284

Technical Tip: IPSEC VPN Tunnel down with FGSP enabled

Description

This article discusses when FortiGate Session Life Support Protocol (FGSP) is enabled on FortiGate to sync sessions/IPsec tunnels up with another FortiGate, the FortiGate does not support being the initiator. It can only respond to IPsec negotiations.
Scope FortiGate
Solution
If the FortiGate is a responder, IKE/IPsec FGSP is incompatible with the concept of being an initiator.
 
Sample output:
 

# diag vpn ike gateway list name 'UAT_T1'
vd: root/0
name: UAT_T1
version: 1
interface: wan1 7
addr: 41.79.124.142:4500 -> 34.252.112.166:4500
tun_id: 34.252.112.166/::34.252.112.166
remote_location: 0.0.0.0
virtual-interface-addr: 169.254.133.14 -> 0.0.0.0
created: 1238s ago
nat: peer
IKE SA: created 1/1 established 1/1 time 250/250/250 ms
IPsec SA: created 1/1 established 1/1 time 90/90/90 ms
id/spi: 29 468e082094395cc7/7d9fbd93ba394121
direction: initiator
status: established 111-111s ago = 250ms
proposal: aes128-sha1
key: 646eb631a1753d5d-d9b27a3b7f98c9ff
lifetime/rekey: 28800/28388
DPD sent/recv: 00000000/4599a608

 

 

IKE Debug Output:

 

iiB_FW_PRA_SEDE_ACTIVE # ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection
ike 0:UAT_T1: connect event ignored by L3 HA secondary
ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection
ike 0:UAT_T1: connect event ignored by L3 HA secondary
ike shrank heap by 159744 bytes
ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection
ike 0:UAT_T1: connect event ignored by L3 HA secondary
ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection

 

This issue can be fixed by the configuration shown below:

 

# config system cluster-sync

edit 1

set ipsec-tunnel-sync disable

end
1681
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.