rmueller
New Contributor

IPSec Phase1 never completes

Hi,

 

We switched ISP setup (twtelecom - Level3 converged internet/phone) and our IPSec VPN worked for about 12 hours and now no longer works at all.  The VPN initially (after ISP switch over) did not come up, we deleted/re-added and rebooted our 100D and 60D; the tunnel came up for about 12 hours.  After the 12 hours (key timeouts we assume), the tunnel no longer comes up; even after deleting/re-adding/rebooting.

 

Diag deb app ike -1 shows that the Phase1 negotiation is accepted, but the final interchanges are timing out (in red in the debug log).

 

We tried different encryption schemes, and different Diffie-Hellman groups (14, 5) to see if it made any difference - nothing changed.

 

Any suggestions on where to look or configurations to try next would be helpful.

 

We checked both sides, Phase1's are identical.

We tried to set fragmentation enable. The only reason to set fragmentation enable is that we were told that the Level3 interface has an MTU of 1300, not the normal 1500. With or without attempting to set fragmentation enable, the results are exactly the same. The commands we used:

On the 100D:

config vpn ipsec phase1-interface
edit "M2FS2S"
set fragmentation enable
next
end

On the 60D:

config vpn ipsec phase1-interface
edit "F2MS2S"
set fragmentation enable
next
end

 

The configs are as follows:

config vpn ipsec phase1-interface
    edit "M2FS2S"
        set type static
        set interface "VLAN 1000"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set nattraversal enable
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg disable
        set proposal aes128-sha1
        set localid "admin"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd disable
        set forticlient-enforcement disable
        set npu-offload enable
        set dhgrp 14
        set wizard-type custom
        set xauthtype disable
        set mesh-selector-type disable
        set remote-gw SANITIZED
        set monitor ''
        set add-gw-route disable
        set psksecret ENC SANITIZED
        set keepalive 50
        set auto-negotiate enable
    next
end

config vpn ipsec phase1-interface
    edit "FL2MKS2S"
        set type static
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set nattraversal enable
        set keylife 86400
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg disable
        set proposal aes128-sha1
        set localid "admin"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd disable
        set forticlient-enforcement disable
        set npu-offload enable
        set dhgrp 14
        set wizard-type custom
        set xauthtype disable
        set mesh-selector-type disable
        set remote-gw SANITIZED
        set monitor ''
        set add-gw-route disable
        set psksecret ENC SANITIZED
        set keepalive 50
        set auto-negotiate enable
    next
end

 

The diag debug app ike -1 logs...

 

ike 0: IKEv1 exchange=Aggressive id=f9add5f4dab4647a/0000000000000000 len=585

ike 0: in F9ADD5F4DAB4647B00000000000000000110040000000000000002490400003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200028004000E0A000104625B9ABBA6185FF7BC6C31992AFCD6FF9C2EBDAB66B805772E70E37D36E0525490E3AF27A901D22FD3611B4B70AB7BBFAC65868FB3D5714C587A034AB7A5730B07F2CF611BC9AFF0C359FE11F2D981A66342F50019FFD5AB5A33736B4825666135F2E4CE931DB755B7C4FC1B7AD55B3F3D58B6B9E4E8790D655F81CA86069C27A0814D6A90687AFFABFA3E3B8E7EF2671BE5E8C896402D7D565F0ABFC5786DEBCD1F463C570A5BACC7DCE0DF53D2D43643079F1C68CC7EB1B6FB0F93656BEC87494573A7FE8B8E28659C3759C84D70FDFAC93231509896ED25AE0E34EFF6D0185630F02ACAFAEDF3ABBFB75D53405E4C8E1EEFB61F88A49F9182F806308321270500001481BF443C271A14ACFAE26FDE85D58D260D00000D0200000061646D696E0D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE000502BD

ike 0:f9add5f4dab4647a/0000000000000000:334: responder: aggressive mode get 1st message...

ike 0:f9add5f4dab4647a/0000000000000000:334: VID RFC 3947 4A131C81070358455C5728F20E95452F

ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56

ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448

ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F

ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862

ike 0:f9add5f4dab4647a/0000000000000000:334: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC

ike 0:f9add5f4dab4647a/0000000000000000:334: VID DPD AFCAD71368A1F1C96B8696FC77570100

ike 0:f9add5f4dab4647a/0000000000000000:334: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3

ike 0:f9add5f4dab4647a/0000000000000000:334: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000

ike 0:f9add5f4dab4647a/0000000000000000:334: VID FORTIGATE 8299031757A36082C6A621DE000502BD

ike 0:f9add5f4dab4647a/0000000000000000:334: negotiation result

ike 0:f9add5f4dab4647a/0000000000000000:334: proposal id = 1:

ike 0:f9add5f4dab4647a/0000000000000000:334:   protocol id = ISAKMP:

ike 0:f9add5f4dab4647a/0000000000000000:334:      trans_id = KEY_IKE.

ike 0:f9add5f4dab4647a/0000000000000000:334:      encapsulation = IKE/none

ike 0:f9add5f4dab4647a/0000000000000000:334:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.

ike 0:f9add5f4dab4647a/0000000000000000:334:         type=OAKLEY_HASH_ALG, val=SHA.

ike 0:f9add5f4dab4647a/0000000000000000:334:         type=AUTH_METHOD, val=PRESHARED_KEY.

ike 0:f9add5f4dab4647a/0000000000000000:334:         type=OAKLEY_GROUP, val=MODP2048.

ike 0:f9add5f4dab4647a/0000000000000000:334: ISAKMP SA lifetime=86400

ike 0:f9add5f4dab4647a/0000000000000000:334: SA proposal chosen, matched gateway M2FS2S

ike 0: found M2FS2S SANITIZED 42 -> SANITIZED:500

ike 0:M2FS2S:334: received peer identifier FQDN 'admin'

ike 0:M2FS2S:334: peer is FortiGate/FortiOS (v5 b701)

ike 0:M2FS2S:334: selected NAT-T version: RFC 3947

ike 0:M2FS2S:334: cookie f9add5f4dab4647a/810078ea0d7e1c3f

ike 0:M2FS2S:334: ISAKMP SA f9add5f4dab4647a/810078ea0d7e1c3f key 16:39662E25388723DE7C1628C30F4B7FA4

ike 0:M2FS2S:334: sent IKE msg (agg_r1send): SANITIZED:500->SANITIZED:500, len=557, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0

ike 0:M2FS2S:M2FS2S: using existing connection

ike 0:M2FS2S:M2FS2S: config found

ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:500 negotiating

ike 0:M2FS2S:334:M2FS2S:164: ISAKMP SA still negotiating, queuing quick-mode request

ike 0:M2FS2S:333: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=585, id=5317b64affb29312/0000000000000000

ike 0:M2FS2S:334: fragment on 544 byte boundary

ike 0:M2FS2S:334: send fragment len 544 id 1 index 1 last 0

ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000002200000020400010100F9ADD5F4DAB4647A810078EA0D7E1C3F01100400000000000000022D0400003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E008080030001800200028004000E0A000104A2A65D0ADDAFD2DB8FB5E6479D1575E8D50D0DB7D091C7B0A788AA75501C308710AF054464BAF736692561F56A3B593432A34B3413A1C8C65DBC5BD18CC85035AD69EB5564903A2CF3679072436EF0A7E0C4A364E2DFFCB91F9132C4ECBA86C554DA226B733A1F537B6657157B82D4337ADC10F22AAEDCD05EF389BACCF9E4F8F661014BE19E182120FDD3DAFA1A7028DE88A7AAF4CD4442BEB6A7FB4B68F53E07A328E2A031E6B6B34CF2D1E83CA6868381F9666ED40F73E938E3BE24595DB46B6B8BAAC44AE361960B17B9C9FEDFC906FFF96D11CCE40EF1EE29B7523EB55956165944EB4450797EBDAE2FC17232FABA2A4724778574CEB577BB619ACA555005000014EC77C577B6B5CDBD5419D06E5CE01CED0800000D0200000061646D696E0D000018CCF29B2813D1D19D2EC4BEDC5AC5C9148F915235140000144A131C81070358455C5728F20E95452F14000018638CBA7594BE235A4E5368B1D48334C3D022486D0D00001823C8FE8D71F0FF6EE2B6586DD6B0F557FE4A5B320D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621

ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0:M2FS2S:334: send fragment len 85 id 1 index 2 last 1

ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900010201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000

ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0: comes SANITIZED:500->SANITIZED:500,ifindex=42....

ike 0: IKEv1 exchange=Aggressive id=f9add5f4dab4647a/0000000000000000 len=585

ike 0:M2FS2S:334: retransmission, re-send last message

ike 0:M2FS2S:334: fragment on 544 byte boundary

ike 0:M2FS2S:334: send fragment len 544 id 2 index 1 last 0

ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0:M2FS2S:334: send fragment len 85 id 2 index 2 last 1

ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900020201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000

ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0

ike 0:M2FS2S:M2FS2S: using existing connection

ike 0:M2FS2S:M2FS2S: config found

ike 0:M2FS2S: request is on the queue

ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0

ike 0:M2FS2S:M2FS2S: using existing connection

ike 0:M2FS2S:M2FS2S: config found

ike 0:M2FS2S: request is on the queue

ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0

ike 0:M2FS2S:M2FS2S: using existing connection

ike 0:M2FS2S:M2FS2S: config found

ike 0:M2FS2S: request is on the queue

ike 0:M2FS2S:333: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=585, id=5317b64affb29312/0000000000000000

ike 0:M2FS2S:334: fragment on 544 byte boundary

ike 0:M2FS2S:334: send fragment len 544 id 3 index 1 last 0

ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0:M2FS2S:334: send fragment len 85 id 3 index 2 last 1

ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900030201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000

ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0: comes SANITIZED:500->SANITIZED:500,ifindex=42....

ike 0: IKEv1 exchange=Aggressive id=f9add5f4dab4647a/0000000000000000 len=585

ike 0:M2FS2S:334: retransmission, re-send last message

ike 0:M2FS2S:334: fragment on 544 byte boundary

ike 0:M2FS2S:334: send fragment len 544 id 4 index 1 last 0

ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike 0:M2FS2S:334: send fragment len 85 id 4 index 2 last 1

ike 0:M2FS2S:334: out F9ADD5F4DAB4647A810078EA0D7E1C3F8410040000000000000000550000003900040201DE000502BD0D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000

ike 0:M2FS2S:334: sent IKE msg (retransmit): SANITIZED:500->SANITIZED:500, len=85, id=f9add5f4dab4647a/810078ea0d7e1c3f

ike shrank heap by 135168 bytes

ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0

ike 0:M2FS2S:M2FS2S: using existing connection

ike 0:M2FS2S:M2FS2S: config found

ike 0:M2FS2S: request is on the queue

ike 0:M2FS2S:M2FS2S: IPsec SA connect 42 SANITIZED->SANITIZED:0

ike 0:M2FS2S:M2FS2S: using existing connection

ike 0:M2FS2S:M2FS2S: config found

ike 0:M2FS2S: request is on the queue

ike 0:M2FS2S:333: negotiation timeout, deleting

ike 0:M2FS2S: schedule auto-negotiate

ike 0:M2FS2S:334: negotiation timeout, deleting

ike 0:M2FS2S: connection expiring due to phase1 down

ike 0:M2FS2S: deleting

ike 0:M2FS2S: flushing 

ike 0:M2FS2S: flushed 

ike 0:M2FS2S: deleted

ike 0:M2FS2S: set oper down

ike 0:M2FS2S: auto-negotiate connection

ike 0:M2FS2S: created connection: 0x368c1d0 42 SANITIZED->SANITIZED:500.

ike 0:M2FS2S:335: initiator: aggressive mode is sending 1st message...

ike 0:M2FS2S:335: cookie 0995ec555152a014/0000000000000000

 

1 REPLY 1
ede_pfau
Esteemed Contributor III

Hi, and welcome to the forums.

- if fragmentation is an issue with your new ISP, have you configured the smaller MTU on the physical interface? The VLAN interface which your VPN is connected to inherits these kinds of parameters from its physical parent.

- you use 'localID = admin' on both sides. One should be 'localID' (on the remote FGT), the other 'peerID' (on the central FGT). I don't think that this is the root cause but it needs correction anyway if you want to support more than one tunnel concurrently.

- choosing v5.25 on the remote FGT is, ehm, bold. This release is quite new, and has its issues in some areas. IPsec VPN is not one of them as far as I know but... you should try v5.2.3 (not v5.2.4) as a more stable choice. No idea what version you're using on the central FGT.

Be aware that downgrading might reset your configuration; keep a backup and be ready to restore it.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
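A way to read the `diag debug app ike -1` output from the original post alongside the fragmentation point in the reply, as an added example (not code from either poster or from Fortinet): it groups the debug lines by negotiation serial and counts sent messages, fragments, peer retransmissions and timeouts. The sample lines are constructed in the format of the log above; the function names and the wording of the diagnosis are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: lines in the format of the debug output in the post.
SAMPLE = """\
ike 0:f9add5f4dab4647a/0000000000000000:334: responder: aggressive mode get 1st message...
ike 0:M2FS2S:334: sent IKE msg (agg_r1send): SANITIZED:500->SANITIZED:500, len=557, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: send fragment len 544 id 1 index 1 last 0
ike 0:M2FS2S:334: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=544, id=f9add5f4dab4647a/810078ea0d7e1c3f
ike 0:M2FS2S:334: retransmission, re-send last message
ike 0:M2FS2S:334: negotiation timeout, deleting
ike 0:M2FS2S:333: sent IKE msg (P1_RETRANSMIT): SANITIZED:500->SANITIZED:500, len=585, id=5317b64affb29312/0000000000000000
ike 0:M2FS2S:333: negotiation timeout, deleting
"""

LINE = re.compile(r"^ike \d+:[^:]+:(\d+): (.*)$")   # "ike 0:<name or cookie>:<serial>: <msg>"
SENT = re.compile(r"sent IKE msg \((\w+)\): .*len=(\d+)")
FRAG = re.compile(r"send fragment len \d+ id \d+ index \d+ last [01]")

def summarize(log):
    """Group debug lines by negotiation serial and count the events that matter."""
    sas = defaultdict(lambda: {"role": None, "sent": 0, "resent": 0, "max_len": 0,
                               "peer_retransmits": 0, "fragmented": False, "timeout": False})
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a negotiation serial (routing, queue notices)
        sa, msg = sas[m.group(1)], m.group(2)
        if msg.startswith(("responder:", "initiator:")):
            sa["role"] = msg.split(":", 1)[0]
        elif (s := SENT.search(msg)):
            sa["sent"] += 1
            sa["resent"] += s.group(1) in ("P1_RETRANSMIT", "retransmit")
            sa["max_len"] = max(sa["max_len"], int(s.group(2)))
        elif FRAG.search(msg):
            sa["fragmented"] = True
        elif msg.startswith("retransmission, re-send last message"):
            sa["peer_retransmits"] += 1  # peer repeated a message we already answered
        elif msg.startswith("negotiation timeout"):
            sa["timeout"] = True
    return dict(sas)

def diagnose(sa):
    """Heuristic reading of one negotiation: a hint for where to capture packets."""
    if not sa["timeout"]:
        return "no timeout seen"
    if sa["peer_retransmits"]:
        return "peer keeps repeating its message: our reply is not arriving or not accepted"
    return "no answer from peer: our packets or its replies are being dropped"
```

Run `summarize()` over the full debug capture from each FortiGate and compare the two sides: a negotiation where one unit keeps re-sending while the other keeps answering points at the path between them rather than at the Phase 1 proposal.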