FortiGate
eowusu
Staff
Article Id 215284
Description

This article explains that when FortiGate Session Life Support Protocol (FGSP) is enabled to synchronize sessions and IPsec tunnels with another FortiGate, the FortiGate cannot act as the IKE initiator for those tunnels. It can only respond to IPsec negotiations started by the remote peer.

Scope
FortiGate
Solution
With IKE/IPsec FGSP synchronization enabled, the FortiGate operates as a responder only; a tunnel configured to initiate the negotiation is incompatible with this mode. The gateway below is configured with direction 'initiator', yet its connect attempts are discarded, as the debug output shows.

Sample output:

# diag vpn ike gateway list name 'UAT_T1'
vd: root/0
name: UAT_T1
version: 1
interface: wan1 7
addr: 41.79.124.142:4500 -> 34.252.112.166:4500
tun_id: 34.252.112.166/::34.252.112.166
remote_location: 0.0.0.0
virtual-interface-addr: 169.254.133.14 -> 0.0.0.0
created: 1238s ago
nat: peer
IKE SA: created 1/1 established 1/1 time 250/250/250 ms
IPsec SA: created 1/1 established 1/1 time 90/90/90 ms
id/spi: 29 468e082094395cc7/7d9fbd93ba394121
direction: initiator
status: established 111-111s ago = 250ms
proposal: aes128-sha1
key: 646eb631a1753d5d-d9b27a3b7f98c9ff
lifetime/rekey: 28800/28388
DPD sent/recv: 00000000/4599a608

IKE Debug Output:

iiB_FW_PRA_SEDE_ACTIVE # ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection
ike 0:UAT_T1: connect event ignored by L3 HA secondary
ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection
ike 0:UAT_T1: connect event ignored by L3 HA secondary
ike shrank heap by 159744 bytes
ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection
ike 0:UAT_T1: connect event ignored by L3 HA secondary
ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection

This issue can be fixed by the configuration shown below:

# config system cluster-sync
    edit 1
        set ipsec-tunnel-sync disable
end
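As an added triage helper (not part of the original article), the script below parses the two outputs shown above: it reads the 'diag vpn ike gateway list' block for each tunnel's configured direction and counts the 'connect event ignored by L3 HA secondary' lines in the IKE debug for the same tunnel, returning the tunnels whose combination matches the FGSP responder-only symptom. The embedded sample text is a constructed abbreviation of the article's output; the correlation rule itself is this helper's assumption, not a Fortinet tool.

```python
import re
from collections import Counter

# Constructed excerpt of 'diag vpn ike gateway list' output, modelled on the article.
GATEWAY_LIST = """\
vd: root/0
name: UAT_T1
version: 1
interface: wan1 7
direction: initiator
status: established 111-111s ago = 250ms
"""

# Constructed excerpt of IKE debug output, modelled on the article (prompt prefix kept on purpose).
IKE_DEBUG = """\
iiB_FW_PRA_SEDE_ACTIVE # ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1:UAT_T1: using existing connection
ike 0:UAT_T1: connect event ignored by L3 HA secondary
ike 0:UAT_T1:UAT_T1: IPsec SA connect 7 41.79.124.142->34.252.112.166:0
ike 0:UAT_T1: connect event ignored by L3 HA secondary
"""

# 'ike <vdom-index>:<gateway-name>: connect event ignored by L3 HA secondary'
IGNORED_RE = re.compile(r"ike \d+:(?P<name>[^:]+): connect event ignored by L3 HA secondary")

def parse_gateways(text):
    """Split gateway-list output into one {field: value} dict per gateway (blocks start at 'vd:')."""
    gateways = []
    for block in re.split(r"(?m)^(?=vd: )", text):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "name" in fields:
            gateways.append(fields)
    return gateways

def count_ignored_connects(text):
    """Count, per gateway name, how often the FGSP secondary discarded a connect event."""
    counts = Counter()
    for line in text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            counts[m.group("name")] += 1
    return counts

def diagnose(gateway_text, debug_text):
    """Gateways configured as initiator whose connect events are being ignored:
    candidates for 'set ipsec-tunnel-sync disable' under 'config system cluster-sync'."""
    ignored = count_ignored_connects(debug_text)
    return sorted(gw["name"] for gw in parse_gateways(gateway_text)
                  if gw.get("direction") == "initiator" and ignored.get(gw["name"], 0) > 0)

if __name__ == "__main__":
    print(diagnose(GATEWAY_LIST, IKE_DEBUG))  # ['UAT_T1']
```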
