Description
This article describes how to resolve an issue where an IPsec VPN tunnel between a FortiGate and a Sophos Firewall comes up but goes down every 10 to 15 minutes.
Scope
FortiGate.
Solution
In the IKE debug, each time the tunnel goes down the output looks similar to the following (the arrow marks the line that identifies the cause):

ike 0:VPN-TEST:1441926: notify msg received: PAYLOAD-MALFORMED   <<<<<<
ike 0:VPN-TEST: link fail 3 100.100.100.100->200.200.200.200:4500 dpd=2
ike 0:VPN-TEST: link down 3 100.100.100.100->200.200.200.200:4500
ike 0:VPN-TEST: deleting
ike 0:VPN-TEST: flushing
ike 0:VPN-TEST: deleting IPsec SA with SPI c8cec246
ike 0:VPN-TEST:VPN-TEST: deleted IPsec SA with SPI c8cec246, SA count: 0
Notice that the failure is in phase 2: the peer answers a phase 2 (IPsec SA) negotiation with a PAYLOAD-MALFORMED notification, the FortiGate marks the link as failed and the IPsec SA is deleted. Phase 1 itself succeeds, so the tunnel comes up and passes traffic until the next phase 2 negotiation (for example a rekey) fails again, which is why it drops periodically instead of never establishing. Check the phase 2 configuration of the tunnel on the FortiGate and see whether PFS (perfect forward secrecy) is enabled. If it is, turn it off. A PAYLOAD-MALFORMED notification can also be caused by a phase 1 parameter mismatch, but in that case the tunnel will not come up at all, unlike this case where it is up but unstable.

Note: with PFS disabled, the phase 2 keys are derived from the phase 1 keying material without a fresh Diffie-Hellman exchange on each rekey. PFS only has to match on both peers: if the Sophos Firewall supports it for this policy, enabling PFS on both ends with the same DH group also resolves the mismatch while keeping forward secrecy for the IPsec SAs.
Note: Below is how to run the IKE debug on the FortiGate. Filter on the public IP address of the Sophos Firewall so that only this tunnel is logged, enable console timestamps so the interval between drops can be measured, and disable the debug when finished.

diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 x.x.x.x     <----- IP address of the Sophos Firewall.
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

When the capture is complete:

diagnose debug disable
diagnose debug reset

Note: Starting from FortiOS v7.4.1, the filter command has changed to:

diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 x.x.x.x
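The pattern shown in the debug output above can be picked out of a saved capture rather than by eye, which also makes the 10 to 15 minute periodicity measurable. The following script is an added example and is not part of the original article or of FortiOS; it assumes the debug was collected with console timestamps enabled, so every line carries a "YYYY-MM-DD HH:MM:SS" prefix, and the sample lines embedded in it are constructed from the output quoted above with invented timestamps, SPIs and a second tunnel. It pairs each PAYLOAD-MALFORMED notification with the link down and IPsec SA deletion that follow it on the same tunnel, ignores link-down events with no such notification (for example a DPD timeout), and reports the interval between the drops.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of FortiGate IKE debug output. The line formats follow the
# output quoted in the article; the timestamps, the second and third SPIs and
# the VPN-OTHER tunnel are invented for illustration.
SAMPLE_DEBUG = """\
FGT # diagnose debug enable
2024-05-20 10:00:01 ike 0:VPN-TEST:1441926: notify msg received: PAYLOAD-MALFORMED
2024-05-20 10:00:01 ike 0:VPN-TEST: link fail 3 100.100.100.100->200.200.200.200:4500 dpd=2
2024-05-20 10:00:01 ike 0:VPN-TEST: link down 3 100.100.100.100->200.200.200.200:4500
2024-05-20 10:00:01 ike 0:VPN-TEST: deleting
2024-05-20 10:00:01 ike 0:VPN-TEST: flushing
2024-05-20 10:00:01 ike 0:VPN-TEST: deleting IPsec SA with SPI c8cec246
2024-05-20 10:00:01 ike 0:VPN-TEST:VPN-TEST: deleted IPsec SA with SPI c8cec246, SA count: 0
2024-05-20 10:05:00 ike 0:VPN-OTHER: link fail 1 100.100.100.100->203.0.113.9:4500 dpd=2
2024-05-20 10:05:00 ike 0:VPN-OTHER: link down 1 100.100.100.100->203.0.113.9:4500
2024-05-20 10:12:31 ike 0:VPN-TEST:1441990: notify msg received: PAYLOAD-MALFORMED
2024-05-20 10:12:31 ike 0:VPN-TEST: link down 3 100.100.100.100->200.200.200.200:4500
2024-05-20 10:12:31 ike 0:VPN-TEST:VPN-TEST: deleted IPsec SA with SPI 1a2b3c4d, SA count: 0
2024-05-20 10:25:07 ike 0:VPN-TEST:1442055: notify msg received: PAYLOAD-MALFORMED
2024-05-20 10:25:07 ike 0:VPN-TEST: link down 3 100.100.100.100->200.200.200.200:4500
2024-05-20 10:25:07 ike 0:VPN-TEST:VPN-TEST: deleted IPsec SA with SPI 9f8e7d6c, SA count: 0
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# timestamp prefix, "ike <index>:<tunnel-name>", then the rest of the message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ike \d+:(?P<tunnel>[^:\s]+):?\s*(?P<msg>.*)$"
)
SPI_RE = re.compile(r"deleted IPsec SA with SPI ([0-9a-f]+)")


def parse_ike_debug(text):
    """Return (timestamp, tunnel, message) for every IKE debug line; other
    console output such as prompt echoes and typed commands is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["tunnel"], m["msg"]))
    return events


def find_malformed_drops(events, window_s=5):
    """Pair each PAYLOAD-MALFORMED notify with the link down that follows it on
    the same tunnel within window_s seconds, then attach the SPI of the IPsec SA
    deleted right after. A link down with no preceding notify (for example a
    DPD timeout) is a different failure and is not counted."""
    pending = {}               # tunnel -> time of the last unmatched notify
    drops = defaultdict(list)  # tunnel -> [{"at": datetime, "spi": str or None}]
    for ts, tunnel, msg in events:
        if "notify msg received: PAYLOAD-MALFORMED" in msg:
            pending[tunnel] = ts
        elif re.search(r"\blink down\b", msg):
            start = pending.pop(tunnel, None)
            if start is not None and (ts - start).total_seconds() <= window_s:
                drops[tunnel].append({"at": start, "spi": None})
        else:
            m = SPI_RE.search(msg)
            last = drops[tunnel][-1] if drops.get(tunnel) else None
            if (m and last and last["spi"] is None
                    and (ts - last["at"]).total_seconds() <= window_s):
                last["spi"] = m.group(1)
    return dict(drops)


def drop_intervals(drops):
    """Seconds between consecutive notify-triggered drops per tunnel. A steady
    interval ties the failure to a periodic phase 2 event such as a rekey
    rather than to random packet loss."""
    return {
        tunnel: [int((b["at"] - a["at"]).total_seconds()) for a, b in zip(d, d[1:])]
        for tunnel, d in drops.items()
    }


def summarize(text):
    """Per-tunnel count of malformed-triggered drops, the SPIs lost, and the
    spacing between the drops."""
    drops = find_malformed_drops(parse_ike_debug(text))
    intervals = drop_intervals(drops)
    return {
        tunnel: {"drops": len(d), "spis": [x["spi"] for x in d],
                 "intervals_s": intervals[tunnel]}
        for tunnel, d in drops.items()
    }


if __name__ == "__main__":
    for tunnel, info in summarize(SAMPLE_DEBUG).items():
        print(f"{tunnel}: {info['drops']} drops after PAYLOAD-MALFORMED, "
              f"SPIs {info['spis']}, seconds between drops {info['intervals_s']}")
```

On the constructed sample only VPN-TEST is reported, with three drops roughly 12.5 minutes apart; VPN-OTHER went down without a PAYLOAD-MALFORMED notification and is left out, so its cause has to be looked for elsewhere in the debug.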
Copyright 2025 Fortinet, Inc. All Rights Reserved.