FortiGate
iskandar_lie
Staff
Article Id 257191
Description

This article describes a tip for troubleshooting an IPsec site-to-site tunnel between a FortiGate and a Cisco ASA using IKEv2 that fails with the notify 'AUTHENTICATION_FAILED'.

Phase 1 remains down.


Scope

FortiGate.

Solution

ike 0:IPsec_peer:1557: sent IKE msg (AUTH): x.x.x.x:500->x.x.x.x:500, len=436, vrf=0, id=aa3865e50b60ccf4/e4e2e50bf9e885f0:00000001
ike 0: comes x.x.x.x:500->x.x.x.x:500,ifindex=5,vrf=0....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=aa3865e50b60ccf4/e4e2e50bf9e885f0:00000001 len=68
ike 0: in AA3865E50B60CCF4E4E2E50BF9E885F02E202320000000010000004429000028C35AB98E9EB0A4AA9567A24E8AD0E8950119DE0F926A2BF99D5CA12D40ECB93EEDD5E498
ike 0:IPsec_peer:1557: dec AA3865E50B60CCF4E4E2E50BF9E885F02E2023200000000100000028290000040000000801000018
ike 0:IPsec_peer:1557: initiator received AUTH msg
ike 0:IPsec_peer:1557: received notify type AUTHENTICATION_FAILED
ike 0:IPsec_peer:1557: schedule delete of IKE SA aa3865e50b60ccf4/e4e2e50bf9e885f0
ike 0:IPsec_peer:1557: scheduled delete of IKE SA aa3865e50b60ccf4/e4e2e50bf9e885f0
ike 0:IPsec_peer: connection expiring due to phase1 down

The output above is from the IKE application debug ('diagnose debug application ike'), captured on the FortiGate acting as initiator while IKEv2 with a pre-shared key (PSK) is in use. The FortiGate sends its IKE_AUTH request, and the peer answers with an IKE_AUTH response that contains only a Notify payload of type AUTHENTICATION_FAILED, after which the IKE SA is scheduled for deletion and phase 1 stays down.
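To make the 'dec' line above readable, here is an added Python decoder (not part of the original article and not FortiOS code) that parses the IKEv2 header and walks the plaintext payload chain to the Notify payload. It assumes that the four bytes following the 28-byte header are the SK (Encrypted) payload header left in place after decryption, and it tabulates only a subset of the RFC 7296 code points.

```python
"""Decode the plaintext IKEv2 message printed in a FortiGate 'ike ... dec' debug line."""
import struct

# Constructed from the 'dec' line of the debug output above (IKE_AUTH response, 40 bytes).
DEC_HEX = ("AA3865E50B60CCF4E4E2E50BF9E885F02E2023200000000100000028"
           "290000040000000801000018")

# Subset of RFC 7296 code points (section 3.1, 3.2 and 3.10.1).
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
                 40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP"}
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE"}

def parse_header(buf):
    """Parse the fixed 28-byte IKEv2 header: SPIi, SPIr, next payload, version, exchange, flags, msgid, len."""
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", buf[:28])
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
            "response": bool(flags & 0x20), "initiator": bool(flags & 0x08),
            "message_id": msg_id, "length": length}

def walk_payloads(buf, first_type, offset):
    """Follow the generic payload chain; each payload starts with next(1) flags(1) length(2)."""
    payloads, ptype = [], first_type
    while ptype != 0 and offset + 4 <= len(buf):
        nxt, _flags, plen = struct.unpack("!BBH", buf[offset:offset + 4])
        if plen < 4:  # malformed length would loop forever; stop instead
            break
        body = buf[offset + 4:offset + plen]
        entry = {"type": PAYLOAD_TYPES.get(ptype, str(ptype))}
        if ptype == 41 and len(body) >= 4:  # Notify: protocol(1) spi_size(1) notify_type(2) ...
            proto, _spi_size, ntype = struct.unpack("!BBH", body[:4])
            entry["protocol"] = proto
            entry["notify"] = NOTIFY_TYPES.get(ntype, str(ntype))
        payloads.append(entry)
        ptype, offset = nxt, offset + plen
    return payloads

def decode_dec_line(hexstr):
    """Return (header, payloads) for the hex dump of a decrypted IKEv2 message."""
    buf = bytes.fromhex(hexstr)
    hdr = parse_header(buf)
    if len(buf) != hdr["length"]:
        raise ValueError(f"header length {hdr['length']} != dump length {len(buf)}")
    # Assumption: the 'dec' line keeps the 4-byte SK payload header after decryption,
    # so the chain starts at offset 28 with the SK type taken from the IKE header.
    return hdr, walk_payloads(buf, hdr["next_payload"], 28)

if __name__ == "__main__":
    header, chain = decode_dec_line(DEC_HEX)
    print(header["exchange"], "response" if header["response"] else "request", chain)
```

For the dump above the decoder reports an IKE_AUTH response whose only payload is a Notify with protocol 1 (IKE) and type 24, AUTHENTICATION_FAILED.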

Some older Cisco ASA models do not accept a PSK that contains special characters such as '%' or '#'. To rule this out, configure a PSK made up of simple characters (for example letters and digits only) on both peers and test the tunnel again.

Related document:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-sends-local-id-in-FQDN-typ...