Kush_Patel
Staff
Article Id 331686
Description: This article describes how to troubleshoot a FortiGate ADVPN deployment in which the shortcut tunnel is created on one spoke but not on another.
Scope: FortiGate 7.x.x.
Solution

Assuming ADVPN with BGP is implemented using the following documents:

Technical Tip: ADVPN with BGP as the routing protocol
ADVPN with BGP as the routing protocol

In this scenario, after the configuration has been applied, shortcut tunnels come up on one spoke but not on the other. To find the cause, collect IKE debug output on the affected spoke FortiGate with the following CLI commands:

diagnose debug disable
diagnose debug reset
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

Debug messages remain enabled for 30 minutes.

Output similar to the following may be observed:

2024-08-08 10:27:27.413830 ike 0:advpn-spoke55-2: adding new dynamic tunnel for x.x.x.x:500
2024-08-08 10:27:27.413849 ike 0:advpn-spoke55-2: could not create dialup name advpn-spoke55-2_0, too long
2024-08-08 10:27:27.413877 ike 0:advpn-spoke55-2:956814: schedule delete of IKE SA 717cf449d4e288af/a87ca51e250c60dc
2024-08-08 10:27:27.413909 ike 0:advpn-spoke55-2:956814: scheduled delete of IKE SA 717cf449d4e288af/a87ca51e250c60dc
2024-08-08 10:27:27.413982 ike 0:advpn-spoke55-2: connection expiring due to phase1 down
2024-08-08 10:27:27.414001 ike 0:advpn-spoke55-2: deleting
2024-08-08 10:27:27.414023 ike 0:advpn-spoke55-2: deleted

The Phase 1 interface name of an IPsec VPN tunnel on the FortiGate is limited to a maximum of 15 characters.

In this example, the tunnel name on the spoke was ‘advpn-spoke55-2’ (15 characters). When a shortcut tunnel is created, FortiOS names the child tunnel ‘advpn-spoke55-2_0’ (16 characters), which exceeds the limit, so the shortcut tunnel is never created.
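As an added pre-check (not from the article or from Fortinet), the following Python script parses a constructed `show vpn ipsec phase1-interface` dump, flags any phase1 name whose shortcut child `<name>_0` would exceed the 15-character limit, and extracts the "too long" lines from IKE debug output. The `_<index>` naming for indices above 0 is an assumption based on the `_0` example shown above.

```python
import re

# 15-character limit on the IPsec phase1-interface name, as stated in the article.
MAX_IFNAME_LEN = 15

# Constructed sample of `show vpn ipsec phase1-interface` output (not from a real device).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "advpn-spoke55-2"
        set type dynamic
        set auto-discovery-sender enable
    next
    edit "adv-spk55"
        set auto-discovery-receiver enable
    next
    edit "hub-primary"
    next
end
"""

# Constructed IKE debug excerpt in the format shown in the article.
SAMPLE_DEBUG = """\
2024-08-08 10:27:27.413830 ike 0:advpn-spoke55-2: adding new dynamic tunnel for x.x.x.x:500
2024-08-08 10:27:27.413849 ike 0:advpn-spoke55-2: could not create dialup name advpn-spoke55-2_0, too long
"""

def phase1_names(config_text):
    """Return the phase1-interface names found in a config dump."""
    return re.findall(r'^\s*edit "([^"]+)"', config_text, re.MULTILINE)

def shortcut_name(base, index=0):
    """Name derived for a shortcut child tunnel: base name plus '_<index>'.
    The article shows '_0'; higher indices are assumed to follow the same pattern."""
    return f"{base}_{index}"

def check_names(names, max_index=0, max_len=MAX_IFNAME_LEN):
    """Return {name: child_length} for names whose child '<name>_<max_index>'
    would exceed max_len. Raise max_index to keep headroom for more shortcuts."""
    offending = {}
    for name in names:
        child = shortcut_name(name, max_index)
        if len(child) > max_len:
            offending[name] = len(child)
    return offending

def too_long_errors(debug_text):
    """Extract (phase1 name, rejected dialup name) pairs from IKE debug output."""
    pat = re.compile(r"ike \d+:([^:\s]+): could not create dialup name ([^,\s]+), too long")
    return [(m.group(1), m.group(2)) for m in pat.finditer(debug_text)]
```

Run `check_names(phase1_names(config))` against a real dump before enabling auto-discovery to catch names that will fail as soon as a shortcut is attempted.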

For more information about the 15-character limit on the VPN tunnel name, refer to Technical Tip: IPsec VPN phase1 interface name characters limitation best practice.

To resolve the issue, rename the tunnel to something shorter, if possible, following the steps in:

Technical Tip: Rename an IPsec tunnel

If renaming is not possible, the tunnels must be created again with a shorter name. Copying the existing configuration from the CLI is a convenient way to recreate them. Do not configure the same remote gateway on two tunnels; the CLI will reject it with an error.