Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Rajan_kohli
Staff
Staff

Created on ‎01-07-2025 06:39 AM Edited on ‎01-08-2025 08:30 AM By Moderator

Article Id 368410

Troubleshooting Tip: IPsec site-to-site tunnel between FortiGate and Barracuda firewall not getting established due to 'malformed message'

Description This article explains how to fix an IPsec tunnel problem due to a malformed AUTH message between a Barracuda firewall and a FortiGate.
Scope IPsec, FortiGate, Barracuda firewall.
Solution

In the following IPsec site-to-site tunnel setup, FortiGate is the IKE initiator while Barracuda firewall is the responder.


TopologyTopology

 

IPSec tunnel Name: CRR-T2.

IKE version: IKEv2.

Take debugs on the FortiGate firewall using the following commands:

 

di vpn ike log-filter clear

di vpn ike log-filter name <Phase1 name

diag debug app ike -1
diag debug enable

 

Note:

Starting from v7.4.1, the 'di vpn ike log-filter' command has been changed to 'di vpn ike log filter'. 


Useful IKE Error Logs:


ike V=root:0:CRR-T2:34862: sent IKE msg (AUTH): 201.96.51.145:500->69.75.89.129:500, len=240, vrf=0, id=2f42ce8c81ac3354/5ec9d8622a374caa:00000001, oif=8
ike V=root:0: comes 69.75.89.129:500->201.96.51.145:500,ifindex=8,vrf=0,len=80....
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=2f42ce8c81ac3354/5ec9d8622a374caa len=80
ike 0: in 2F42CE8C81AC33545EC9D8622A374CAA2E202500000000000000005000000034

7EB1FB50C80A427A360B04BAAB6C5C

AD125DD4548D047A38FE4ABCB57B7FFCCCA2C660FF89C2373F82E9324A04655
3FF
ike 0:CRR-T2:34862: dec 2F42CE8C81AC33545EC9D8622A374CAA2E202500000000000000002000000004
ike V=root:0:CRR-T2:34862: initiator received AUTH msg
ike V=root:0:CRR-T2:34862: response message_id 0, expected 1
ike V=root:0:CRR-T2:34862: malformed message -------> reason for failure
ike V=root:0:CRR-T2:34862: schedule delete of IKE SA 2f42ce8c81ac3354/5ec9d8622a374caa
ike V=root:0:CRR-T2:34862: scheduled delete of IKE SA 2f42ce8c81ac3354/5ec9d8622a374caa
ike V=root:0:CRR-T2: connection expiring due to phase1 down
ike V=root:0:CRR-T2: going to be deleted

Solution:

 

Change the following settings in the IPsec configuration in Barracuda.

 

  1. Set Yes to 'Restart SA on Close':

 

Rajan_kohli_4-1736095205446.png

 

  1. Disable IKE Reauthentication by unchecking the box:

 

Rajan_kohli_5-1736095205447.png


Refer to the following document for more IPsec tunnel configuration information on the Barracuda firewall:
How to Configure a Site-to-Site IPsec IKEv2 VPN Tunnel in Barracuda
723
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.