AnthonyH (Staff)
Article Id 414951
Description: This article describes how to troubleshoot an issue where an IPsec IKEv2 tunnel fails to connect and the IKE debug output shows the messages 'sent IKE msg (AUTH_RESPONSE)', 'negotiation timeout, deleting' and 'connection expiring due to phase1 down'.
Scope: FortiGate.
Solution

When running the following IKE debug commands while attempting to connect to the IPsec VPN, the debug output looks similar to the following.

diagnose debug application ike -1
diagnose debug enable

ike V=root:0: comes X.X.X.X:1012->192.168.2.10:500,ifindex=5,vrf=0,len=369....
ike V=root:0: IKEv2 exchange=SA_INIT id=d37fc4b2dd5c4dce/0000000000000000 len=369

ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: responder received SA_INIT msg
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: VID forticlient connect license
4C53427B6D465D1B337BB755A37A7FEF
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: VID Fortinet Endpoint Control
B4F01CA951E9DA8D0BAFBBD34AD3044E
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: VID Forticlient EAP Extension
C1DC4350476B98A429B91781914CA43E
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: received notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: received notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: received notify type VPN_NETWORK_ID
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: NETWORK ID : 0
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: incoming proposal:
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: proposal id = 1:
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:   protocol = IKEv2:
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:      encapsulation = IKEv2/none
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=DH_GROUP, val=ECP384.
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: proposal id = 2:
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:   protocol = IKEv2:
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:      encapsulation = IKEv2/none
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=DH_GROUP, val=ECP384.
ike V=root:0: cache rebuild start
ike V=root:0:IKE-TCP-TEST: cached as dynamic
ike V=root:0: cache rebuild done
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: matched proposal id 1
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: proposal id = 1:
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:   protocol = IKEv2:
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:      encapsulation = IKEv2/none
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=ENCR, val=AES_CBC (key_len = 256)
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=PRF, val=PRF_HMAC_SHA2_256
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23:         type=DH_GROUP, val=ECP384.
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: lifetime=86400
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: SA proposal chosen, matched gateway IKE-TCP-TEST
ike V=root:0:IKE-TCP-TEST:IKE-TCP-TEST: created connection: 0x9b9bbc0 5 192.168.2.10->X.X.X.X:1012.
ike V=root:0:IKE-TCP-TEST:23: processing notify type NAT_DETECTION_SOURCE_IP
ike V=root:0:IKE-TCP-TEST:23: processing NAT-D payload
ike V=root:0:IKE-TCP-TEST:23: NAT detected: PEER
ike V=root:0:IKE-TCP-TEST:23: process NAT-D
ike V=root:0:IKE-TCP-TEST:23: processing notify type NAT_DETECTION_DESTINATION_IP
ike V=root:0:IKE-TCP-TEST:23: processing NAT-D payload
ike V=root:0:IKE-TCP-TEST:23: NAT detected: ME PEER
ike V=root:0:IKE-TCP-TEST:23: process NAT-D
ike V=root:0:IKE-TCP-TEST:23: FEC vendor ID received FEC but IP not set
ike 0:IKE-TCP-TEST:23: FCT EAP 2FA extension vendor ID received
ike V=root:0:IKE-TCP-TEST:23: responder preparing SA_INIT msg
ike V=root:0:IKE-TCP-TEST:23: create NAT-D hash local 192.168.2.10/500 remote X.X.X.X/1012

ike V=root:0:IKE-TCP-TEST:23: sent IKE msg (SA_INIT_RESPONSE): 192.168.2.10:500->X.X.X.X:1012, len=256, vrf=0, id=d37fc4b2dd5c4dce/b65207175226428f, oif=5
ike 0:IKE-TCP-TEST:23: IKE SA d37fc4b2dd5c4dce/b65207175226428f SK_ei 32:14C7B6A2DA7D35B23AF1823FC46BD2B5B9D977A1761A3318CF483405D5BF91B0
ike 0:IKE-TCP-TEST:23: IKE SA d37fc4b2dd5c4dce/b65207175226428f SK_er 32:272973E595BBA74F0BAD52C172970E1D1C584F90ACDD2CB1D668008B9CAB7CEF
ike 0:IKE-TCP-TEST:23: IKE SA d37fc4b2dd5c4dce/b65207175226428f SK_ai 32:17E3E72312EC2FA91AB14391A8048D857C481418F41A69B17BA99848D2F9AAAC
ike 0:IKE-TCP-TEST:23: IKE SA d37fc4b2dd5c4dce/b65207175226428f SK_ar 32:36EB65A87912C5B00009A8F740EEAEC7A7AB20C1210149D5D348A193850C1207
ike V=root:0: comes X.X.X.X:64917->192.168.2.10:4500,ifindex=5,vrf=0,len=628....
ike V=root:0: IKEv2 exchange=AUTH id=d37fc4b2dd5c4dce/b65207175226428f:00000001 len=624

ike V=root:0:IKE-TCP-TEST:23: responder received AUTH msg
ike V=root:0:IKE-TCP-TEST:23: processing notify type INITIAL_CONTACT
ike V=root:0:IKE-TCP-TEST:23: processing notify type FORTICLIENT_CONNECT
ike V=root:0:IKE-TCP-TEST:23: received FCT data len = 305, data = 'VER=1
FCTVER=7.4.3.1790
UID=16E2314A774A4704BE037EBE15E53527
IP=192.168.19.1
MAC=2c-f0-5d-3d-7a-65;
HOST=DESKTOP-AMEF078
USER=16E2314A774A4704BE037EBE15E53527
OSVER=Microsoft Windows 11 Professional Edition, 64-bit (build 26100)
REG_STATUS=0
EMSSN=FCTEMS8825003133
EMSID=00000000000000000000000000000000
'
ike V=root:0:IKE-TCP-TEST:23: received FCT-UID : 16E2314A774A4704BE037EBE15E53527
ike V=root:0:IKE-TCP-TEST:23: received EMS SN : FCTEMS8825003133
ike V=root:0:IKE-TCP-TEST:23: received EMS tenant ID : 00000000000000000000000000000000
ike V=root:0:IKE-TCP-TEST:23: peer identifier IPV4_ADDR 10.10.10.2
ike V=root:0:IKE-TCP-TEST:23: re-validate gw ID
ike V=root:0:IKE-TCP-TEST:23: gw validation OK
ike V=root:0:IKE-TCP-TEST:23: responder preparing EAP identity request

ike V=root:0:IKE-TCP-TEST:23: remote port change 1012 -> 64917

ike V=root:0:IKE-TCP-TEST:23: sent IKE msg (AUTH_RESPONSE): 192.168.2.10:4500->X.X.X.X:64917, len=128, vrf=0, id=d37fc4b2dd5c4dce/b65207175226428f:00000001, oif=5
ike V=root:0:IKE-TCP-TEST:23: negotiation timeout, deleting
ike V=root:0:IKE-TCP-TEST: connection expiring due to phase1 down
ike V=root:0:IKE-TCP-TEST: going to be deleted

In this scenario the FortiGate is the responder (not the initiator). The debug shows that it received the initiator's AUTH message and sent its own AUTH_RESPONSE, but nothing further arrives from the initiator: the pre-shared key or the peer ID / local ID does not match, so the initiator never completes authentication and the connection attempt times out.

Solution:

If a pre-shared key is used for IKEv2, make sure the FortiGate and the FortiClient are configured with the same key. If a peer ID is defined on the FortiGate and the FortiClient is acting as a dial-up client, set the Local ID in the FortiClient Phase 1 settings to the same value as <peer id>.
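To spot this pattern quickly in a longer capture, the following is an added example (not part of this article and not FortiOS code) that walks the output of 'diagnose debug application ike -1', groups the lines by gateway name and reports whether the negotiation stalled after the FortiGate's AUTH_RESPONSE, which is the case discussed above; the sample lines are a constructed, shortened copy of that output, and the line format assumed by the regular expression is the one visible in it.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the responder-side debug shown above.
SAMPLE_DEBUG = """\
ike V=root:0:d37fc4b2dd5c4dce/0000000000000000:23: SA proposal chosen, matched gateway IKE-TCP-TEST
ike V=root:0:IKE-TCP-TEST:23: sent IKE msg (SA_INIT_RESPONSE): 192.168.2.10:500->X.X.X.X:1012,
ike V=root:0:IKE-TCP-TEST:23: responder received AUTH msg
ike V=root:0:IKE-TCP-TEST:23: responder preparing EAP identity request
ike V=root:0:IKE-TCP-TEST:23: sent IKE msg (AUTH_RESPONSE): 192.168.2.10:4500->X.X.X.X:64917, len=128
ike V=root:0:IKE-TCP-TEST:23: negotiation timeout, deleting
ike V=root:0:IKE-TCP-TEST: connection expiring due to phase1 down
"""

# Assumed line shape: "ike [V=vdom:]N:<gateway>[:seq]: <message>"; SPI-keyed lines
# (they contain '/') and raw packet dumps do not match and are skipped.
LINE_RE = re.compile(r"^ike (?:V=\w+:)?\d+:([^:/\s]+):(?:\d+:)? (.*)$")

MILESTONES = {
    "sent IKE msg (SA_INIT_RESPONSE)": "sa_init_resp",
    "responder received AUTH msg": "auth_in",
    "sent IKE msg (AUTH_RESPONSE)": "auth_resp",
    "negotiation timeout": "timeout",
    "phase1 down": "timeout",
}

def triage_ike_debug(text):
    """Return {gateway: (state, advice)} describing where each IKEv2
    negotiation stalled, judged from the milestones seen per gateway."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        gw, msg = m.groups()
        for marker, flag in MILESTONES.items():
            if marker in msg:
                seen[gw].add(flag)
    result = {}
    for gw, flags in seen.items():
        if "timeout" not in flags:
            result[gw] = ("no-timeout", "no negotiation timeout recorded")
        elif {"auth_in", "auth_resp"} <= flags:
            result[gw] = ("auth-stalled", "AUTH_RESPONSE sent but the initiator never "
                          "continued: verify the IKEv2 pre-shared key matches and that "
                          "the FortiClient local ID equals the FortiGate peer ID")
        else:
            result[gw] = ("no-auth-received", "no AUTH message from the initiator; "
                          "the failure is before authentication")
    return result
```

Feed it a saved debug session with triage_ike_debug(open("ike.log").read()); for the sample above it reports IKE-TCP-TEST as auth-stalled.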