Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Oscar_Wee
Staff
Staff

Created on ‎12-22-2024 11:59 PM

Article Id 366033

Troubleshooting Tip: Site-to-Site IPsec VPN Intermittent Connection due to phase 2 mismatch

Description

This article explains how to resolve Site-to-Site IPsec VPN Intermittent Connection due to phase 2 mismatch on each local and remote site respectively.
Scope FortiGate.
Solution

To troubleshoot this, make sure there are enough phase 2 selectors on both local and remote sites. In addition, make sure IKE v2 is used instead of IKE v1.

 

Example of the problem:

 

Site to Site intermittent.jpg

 

In this example:

There is a site-to-site IPsec VPN intermittent connection. There are only two Phase 2 selectors namely: Subnet A to Subnet C, and Subnet B to Subnet D. On Phase 2 debugging, phase 2 mismatch is seen in debug log.

 

Solution:

Add two more phase 2 selectors,  namely Subnet A to Subnet D and Subnet B to Subnet C, and change IPSec from IKE v1 to IKE v2.

 

Result:

On phase 2 debugging, there is no more phase 2 mismatch and there is no more site-to-site IPsec VPN intermittent connection.

 

1159
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.