Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kaurm
Staff
Staff

Created on ‎01-03-2023 10:45 PM Edited on ‎01-05-2023 07:34 AM By Community Manager

Article Id 241849

Technical Tip: IPsec site to site not coming up after physical device being replaced (MAC Address issue)

Description This article describes the situation when the FortiGate was replaced after restoring the configuration and the IPsec site-to-site tunnel was still not up.
Scope

FortiGate.

When the devices are replaced, and configuration is restored after factory reset or cables plugged back into an already running modem.
Solution

site A(A)------IPsec tunnel -----site B(B)

 

1) Running the debugs shows the following output:

 

# di de console timestamp en

# di de app ike -1

# di de en

 

2022-09-22 13:05:12.378979 ike 0:A:411492: sent IKE msg (P1_RETRANSMIT): 192.168.110.12:500->172.16.111.12:500 len=192, id=9432dc4305ddcb99/6f78bfef400060ec
2022-09-22 13:05:12.390287 ike 0: comes 172.16.111.12:500->192.168.110.12:500,ifindex=10....
initially was getting the error request is in the queue and now getting the error of ike shrank , the sniffer on the remote shows
22-09-22 13:03:08.312637 port2 out 192.168.110.12.500 -> 172.16.111.12.500: udp 192
2022-09-22 13:03:18.186185 port2 out 192.168.110.12.500 -> 172.16.111.12.500: udp 572
2022-09-22 13:03:18.301339 port2 in 172.16.111.12.500 -> 192.168.110.12.500: udp 572
2022-09-22 13:03:18.301391 port2 out 192.168.110.12.500 -> 172.16.111.12.500: udp 192
2022-09-22 13:03:21.188081 port2 out 192.168.110.12.500 -> 172.16.111.12.500: udp 572
local site shows
1D5478871D84E4CE000000000000000001100200000000000000023C0D000154000000010000000100000148010100080300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0300002802010000800B0001000C00040001518080010007800E00808003000180020004800400050300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E0300002804010000800B0001000C00040001518080010007800E01008003000180020004800400050300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E0300002806010000800B0001000C00040001518080010007800E00808003000180020002800400050300002807010000800B0001000C00040001518080010007800E010080030001800200028004000E0000002808010000800B0001000C00040001518080010007800E01008003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
2022-09-22 13:10:53.519475 ike 0:B_1:2053: sent IKE msg (P1_RETRANSMIT): 172.16.111.12:500->192.168.110.12:500, len=572, id=1d5478871d84e4ce/0000000000000000
2022-09-22 13:11:02.499245 ike 0:B_1:2053: negotiation timeout, deleting
2022-09-22 13:11:02.499447 ike 0:B_1: connection expiring due to phase1 down
2022-09-22 13:11:02.499491 ike 0:B_1: deleting
2022-09-22 13:11:02.499529 ike 0:B_1: deleted
2022-09-22 13:11:02.499560 ike 0:B_1: schedule auto-negotiate
2022-09-22 13:11:03.509281 ike 0:B_1:2060: initiator: main mode is sending 1st message...
2022-09-22 13:11:03.509419 ike 0:B_1:2060: cookie 20bcfa1cd37b39a1/0000000000000000

Line 132: 2022-09-22 12:34:40.068828 ike 0:B:1597: negotiation timeout, deleting

 

From the ike daemon’s perspective there was no response from the wan1 of site A.

 

The sniffer on both sides shows the port 2 and wan1 were being used on site A and site B respectively:

 

B_400E (root) # di sniffer packet any 'host 172.16.111.12 and port 500' 4 0 l
interfaces=[any]
filters=[host 172.16.111.12 and port 500]
2022-09-22 12:36:01.297666 port2 out 192.168.110.12.500 -> 172.16.111.12.500: udp 192
2022-09-22 12:36:01.307319 port2 in 172.16.111.12.500 -> 192.168.110.12.500: udp 572
2022-09-22 12:36:01.307340 port2 out 192.168.110.12.500 -> 172.16.111.12.500: udp 192
2022-09-22 12:36:10.347270 port2 in 172.16.111.12.500 -> 192.168.110.12.500: udp 572
2022-09-22 12:36:10.347326 port2 out 192.168.110.12.500 -> 172.16.111.12.500: udp 192

 

 

A_60E # di sniffer packet any 'host 192.168.110.12 and port 500' 4 0 l
interfaces=[any]
filters=[host 192.168.110.12 and port 500]
2022-09-22 13:24:29.548993 wan1 in 192.168.110.12.500 -> 172.16.111.12.500: udp 572
2022-09-22 13:24:30.054244 wan1 out 172.16.111.12.500 -> 192.168.110.12.500: udp 572
2022-09-22 13:24:30.139612 wan1 in 192.168.110.12.500 -> 172.16.111.12.500: udp 192
2022-09-22 13:24:32.548748 wan1 in 192.168.110.12.500 -> 172.16.111.12.500: udp 572

 

The MAC address of Site A was E8:1C:BA:03:B7:72:

 

kaurm_0-1672932565269.jpeg

 

But the PCAP showed the MAC being used was E8:1C:Ba:03:B6:Aa:

 

kaurm_1-1672932565272.jpeg

 

Thus the endpoint was forced to drop because of which the ike response packet was never sent to the Ike daemon and the tunnel was never up and working.

As the device was replaced and cables were plugged into an already running modem the old arp-entry was stuck in the arp-cache due to which the tunnel was not working.

So, after rebooting the modem the tunnels were up and traffic was passing.
592
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.