FortiGate
kcheng
Staff & Editor
Article Id 244740
Description This article describes how to troubleshoot IPsec error 22: Invalid argument.
Scope FortiGate.
Solution
1. In this example, the IPsec tunnel is configured between FG-A and FG-B with the following Phase 2 selector settings:

FG-A:

[IPSec_local]
IPSec_local_subnet_1: 10.251.0.0/20
IPSec_local_subnet_2: 10.251.0.0/24

[IPSec_remote]
IPSec_remote_subnet_1: 10.120.0.0/20

FG-B:

[IPSec_local]
IPSec_local_subnet_1: 10.120.0.0/20

[IPSec_remote]
IPSec_remote_subnet_1: 10.251.0.0/20
IPSec_remote_subnet_2: 10.251.0.0/24


2. With this configuration, IPsec Phase 2 does not come up when the tunnel is initiated from FG-B.

To investigate, examine the IKE debug logs with the following commands:

diagnose vpn ike log-filter dst-addr4 <remote_IP>
diagnose debug application ike -1
diagnose debug enable

Note:
Starting from FortiOS v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

To stop the debugging, run the following commands:

diagnose debug disable
diagnose debug reset


3. From the debug log, it is possible to see that FG-A failed to add the SA with error 22: Invalid argument:

[Screenshot: FG-A IKE debug output showing 'failed to add SA' with error 22: Invalid argument]

It was also observed on FG-A that the SA_DONE operation failed with error 2: No such file or directory:

[Screenshot: FG-A IKE debug output showing SA_DONE failing with error 2: No such file or directory]


4. The tunnel can be established if FG-A becomes the initiator:

FG-A:

[Screenshot: FG-A IKE debug output with the tunnel established]

FG-B:

[Screenshot: FG-B IKE debug output with the tunnel established]


5. This happens because of the overlapping subnets configured in the Phase 2 selectors on FG-A: 10.251.0.0/24 lies entirely within 10.251.0.0/20.

Removing 10.251.0.0/24 from the address group on both FortiGates prevents the IPsec tunnel issue regardless of whether FG-A or FG-B is the initiator.

Note: Additionally, the command 'diagnose vpn tunnel list name <name>' can be used to quickly identify overlapping subnets within the Phase 2 settings. Its output provides a detailed breakdown of all source and destination ranges associated with the tunnel.

Example output:


proxyid=IPSec-Tunnel proto=0 sa=0 auto-negotiate
src: 0:192.168.180.4-192.168.180.4:0
0:192.168.180.5-192.168.180.5:0
0:172.29.140.0-172.29.140.255:0

dst: 0:172.25.0.0-172.25.255.255:0
0:172.25.15.11-172.25.15.11:0
0:172.25.30.9-172.25.30.9:0
0:10.243.6.100-10.243.6.100:0


In this output, the 172.25.0.0/16 range (172.25.0.0-172.25.255.255) in the dst selectors overlaps the host selectors 172.25.15.11 and 172.25.30.9, which are both inside it.
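The overlap check described in the note above can be automated. The following Python script is an added example written for this article and is not Fortinet code: it parses the src/dst selector ranges from 'diagnose vpn tunnel list' output (the excerpt above, embedded here as a constructed string so the script runs offline) and reports any two ranges on the same side that share addresses. The same check is applied to a list of CIDR selectors, such as FG-A's Phase 2 configuration from step 1, so the overlap can be found before the tunnel is ever brought up. The function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the 'diagnose vpn tunnel list name <name>' excerpt quoted
# in the article, reproduced as an inline string for offline testing.
TUNNEL_LIST_OUTPUT = """\
proxyid=IPSec-Tunnel proto=0 sa=0 auto-negotiate
src: 0:192.168.180.4-192.168.180.4:0
0:192.168.180.5-192.168.180.5:0
0:172.29.140.0-172.29.140.255:0

dst: 0:172.25.0.0-172.25.255.255:0
0:172.25.15.11-172.25.15.11:0
0:172.25.30.9-172.25.30.9:0
0:10.243.6.100-10.243.6.100:0
"""

# A selector line has the shape "<proto>:<start>-<end>:<port>", optionally
# prefixed with "src:" or "dst:" on the first line of each side.
RANGE_RE = re.compile(
    r"^(?:(src|dst):\s*)?\d+:(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+):\d+$"
)


def parse_selectors(text):
    """Return {'src': [(start, end), ...], 'dst': [...]} for one proxyid block.

    Lines without a 'src:'/'dst:' prefix belong to the most recent side.
    """
    selectors = {"src": [], "dst": []}
    side = None
    for raw in text.splitlines():
        m = RANGE_RE.match(raw.strip())
        if not m:
            continue  # proxyid header, blank line, or unrelated output
        if m.group(1):
            side = m.group(1)
        if side is None:
            continue  # range line before any side marker; ignore
        start = ipaddress.IPv4Address(m.group(2))
        end = ipaddress.IPv4Address(m.group(3))
        selectors[side].append((start, end))
    return selectors


def cidrs_to_ranges(cidrs):
    """Convert Phase 2 CIDR selectors (e.g. '10.251.0.0/20') to (start, end) tuples."""
    nets = [ipaddress.IPv4Network(c, strict=False) for c in cidrs]
    return [(n.network_address, n.broadcast_address) for n in nets]


def find_overlaps(ranges):
    """Return every pair of ranges that share at least one address.

    Two inclusive ranges [a0, a1] and [b0, b1] overlap iff a0 <= b1 and b0 <= a1.
    """
    overlaps = []
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            a, b = ranges[i], ranges[j]
            if a[0] <= b[1] and b[0] <= a[1]:
                overlaps.append((a, b))
    return overlaps


def describe_overlaps(selectors):
    """Human-readable findings, one string per overlapping pair, per side."""
    findings = []
    for side in ("src", "dst"):
        for a, b in find_overlaps(selectors[side]):
            findings.append(f"{side}: {a[0]}-{a[1]} overlaps {b[0]}-{b[1]}")
    return findings


if __name__ == "__main__":
    # Check the quoted tunnel-list output.
    for line in describe_overlaps(parse_selectors(TUNNEL_LIST_OUTPUT)):
        print(line)
    # Check FG-A's Phase 2 local selectors from step 1 of the article.
    fg_a_local = ["10.251.0.0/20", "10.251.0.0/24"]
    for a, b in find_overlaps(cidrs_to_ranges(fg_a_local)):
        print(f"FG-A local: {a[0]}-{a[1]} overlaps {b[0]}-{b[1]}")
```

Run against the quoted output, the script reports the two dst overlaps (172.25.0.0/16 with 172.25.15.11 and with 172.25.30.9) and nothing on the src side; run against FG-A's local selectors, it flags 10.251.0.0/24 inside 10.251.0.0/20, which is the overlap step 5 removes.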