Vichu_94 (Staff)
Article Id 212099

Description


This article describes how to troubleshoot an IPsec IKEv2 tunnel between a FortiGate and a third-party device that goes down with the error 'INVALID_SYNTAX'.

 

Scope

 

FortiGate.

 

Solution

 

In this setup, consider the FortiGate to be the initiator and the third-party device to be the responder.

  

IKEv2 has two phases, the IKE_SA_INIT exchange and the IKE_AUTH exchange.

If the second message of the IKE_AUTH exchange (the responder's reply) carries a Notify payload (41) of type INVALID_SYNTAX, this indicates a Phase 2 selector mismatch. Although RFC 7296 defines TS_UNACCEPTABLE for a traffic selector mismatch, some third-party responders return INVALID_SYNTAX in this situation.

 

This can also be verified with the IKE debug:

 

diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

With the IKE debug running, the error appears as shown below.

 

[screenshot: kb 12.PNG]

 

A packet capture of the exchange shows the same notification:

 

[screenshot: pcap.png]

 

To fix the issue, configure matching Phase 2 selectors on both units.

 

Note: For a VPN with third-party devices, it is recommended to configure an individual Phase 2 selector for each subnet instead of using an address group.
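As an added illustration that is not part of this article: a small Python check, run on constructed selector data, that compares the (source, destination) pairs a FortiGate Phase 2 built from an address group proposes against the selector pairs a third-party responder accepts, and then lays the proposal out as the one-Phase-2-per-subnet arrangement recommended above. The data values and function names are assumptions of mine, not taken from any real configuration.

```python
from ipaddress import ip_network

# Constructed example data (not from the article). FortiGate side: Phase 2
# selectors built from an address group, so several subnets are proposed at once.
FORTIGATE_PHASE2 = {
    "src": ["10.1.1.0/24", "10.1.2.0/24"],  # local address group with two members
    "dst": ["192.168.10.0/24"],             # remote subnet
}
# Third-party responder: one (local, remote) traffic selector pair per policy.
PEER_SELECTORS = [("192.168.10.0/24", "10.1.1.0/24")]


def proposed_pairs(phase2):
    """All (src, dst) combinations the initiator proposes in one Phase 2."""
    return [(ip_network(s), ip_network(d))
            for s in phase2["src"] for d in phase2["dst"]]


def peer_pairs(selectors):
    """Peer pairs are (peer-local, peer-remote); flip them to (initiator-src, initiator-dst)."""
    return [(ip_network(remote), ip_network(local)) for local, remote in selectors]


def find_mismatches(phase2, selectors):
    """Return the proposed pairs that no peer selector pair covers, as strings."""
    accepted = peer_pairs(selectors)
    unmatched = []
    for src, dst in proposed_pairs(phase2):
        # A proposal is acceptable if some peer pair equals or contains both sides.
        if not any(src.subnet_of(a_src) and dst.subnet_of(a_dst)
                   for a_src, a_dst in accepted):
            unmatched.append((str(src), str(dst)))
    return unmatched


def split_phase2(phase2, prefix="p2"):
    """Recommended layout: one Phase 2 with a single src/dst pair per subnet pair."""
    return [{"name": f"{prefix}-{i}", "src": [str(s)], "dst": [str(d)]}
            for i, (s, d) in enumerate(proposed_pairs(phase2), start=1)]


if __name__ == "__main__":
    for src, dst in find_mismatches(FORTIGATE_PHASE2, PEER_SELECTORS):
        print(f"no peer selector covers {src} -> {dst}")
    for p2 in split_phase2(FORTIGATE_PHASE2):
        print(p2)
```

Each entry returned by split_phase2 corresponds to one Phase 2 to configure on the FortiGate, with the reverse pair configured on the peer.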