Fortinet Forum
pan_da
New Contributor

Site-Site VPN issue

Hi,
I have created a site-to-site VPN with a Cisco ASA.
Unless the remote site (ASA) initiates the ping, the VPN tunnel remains down. As soon as the ping is initiated from the ASA, everything works.
Can anyone help me with this?

Drishti Khampa
akristof
Staff

Hello,


Thank you for your question. So if you manually bring phase2 up, or traffic is initiated from a client behind the FortiGate, the tunnel is down? Can you verify whether phase1 is up but phase2 is not? Are you using an address group in the phase2 selectors? Can you share:

diag vpn ike gateway list name <tunnel_name>

diag vpn tunnel list name <tunnel_name>

Adrian
pan_da

[screenshots attached]

Drishti Khampa
pan_da
New Contributor

[screenshot attached]

when the tunnel is down

Drishti Khampa
akristof

Thank you.

So phase1 is up, phase2 is down. In that case, I recommend enabling debug as my colleague suggested, manually bringing phase2 up from the GUI, and checking what kind of error occurs during negotiation.

Adrian
vponmuniraj
Staff

Hi,


You can perform a debug to understand where the VPN fails during negotiation.


diag deb reset

diag vpn ike log-filter clear

diag vpn ike log-filter dst-addr4 <peer IP>

diag deb appl ike -1

diag deb en


Regards,

Vignesh.
pan_da

[screenshots attached]

Drishti Khampa
pan_da

[screenshots attached]

Drishti Khampa
akristof

Hi,

From the last screenshot, the FGT is receiving a "No proposal chosen" message. So you will need to verify the Cisco side to see why it is not matching. Usually it is related to selectors, but you should see it via debug on the ASA.

Adrian
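As an added illustration of the two mismatches Adrian mentions (phase2 proposal and phase2 selectors), the following Python model is not part of this thread and not FortiGate or ASA code. It treats each side's phase2 as a set of proposals plus local/remote networks, expands an address group into one (local, remote) pair per member, and reports the first check that fails, using NO_PROPOSAL_CHOSEN as the label because that is the IKE notify the thread observes. The subnets, proposal names and the direction-dependent outcome are constructed assumptions; the simplification that one unmirrored pair fails the whole negotiation is also an assumption made to keep the model short.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import product


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256"
    integrity: str    # e.g. "sha256"
    pfs_group: int    # DH group for PFS; 0 means PFS disabled


@dataclass
class Phase2Side:
    name: str
    proposals: tuple       # ordered preference list
    local_nets: tuple      # networks this side protects (an address group expands to several)
    remote_nets: tuple     # networks it expects behind the peer

    def pairs(self):
        """Every (local, remote) selector pair this side would propose or accept."""
        return {(l, r) for l, r in product(self.local_nets, self.remote_nets)}


def pick_proposal(initiator, responder):
    """First initiator proposal the responder also lists, or None (proposal mismatch)."""
    for p in initiator.proposals:
        if p in responder.proposals:
            return p
    return None


def unmatched_selectors(initiator, responder):
    """Initiator pairs that have no mirrored (remote, local) counterpart on the responder."""
    mirrored = {(r, l) for l, r in responder.pairs()}
    return sorted(p for p in initiator.pairs() if p not in mirrored)


def diagnose(initiator, responder):
    """Explain why the responder would reject the initiator's phase2, or report the agreed SA."""
    prop = pick_proposal(initiator, responder)
    if prop is None:
        return "NO_PROPOSAL_CHOSEN: no common phase2 proposal"
    bad = unmatched_selectors(initiator, responder)
    if bad:
        detail = ", ".join(f"{l}<->{r}" for l, r in bad)
        return f"NO_PROPOSAL_CHOSEN: selectors not mirrored on peer: {detail}"
    return f"OK: {prop.encryption}/{prop.integrity}/pfs{prop.pfs_group}"


# Constructed sample: the FortiGate uses an address group with two member subnets,
# the ASA crypto ACL only mirrors one of them.
n = ip_network
FGT = Phase2Side(
    "FortiGate",
    (Proposal("aes256", "sha256", 14), Proposal("aes128", "sha1", 0)),
    (n("10.1.0.0/24"), n("10.2.0.0/24")),
    (n("192.168.50.0/24"),),
)
ASA = Phase2Side(
    "ASA",
    (Proposal("aes256", "sha256", 14),),
    (n("192.168.50.0/24"),),
    (n("10.1.0.0/24"),),           # 10.2.0.0/24 is missing on the ASA side
)
# Same ASA with the second subnet added to its ACL.
ASA_FIXED = Phase2Side(
    "ASA", ASA.proposals, ASA.local_nets, (n("10.1.0.0/24"), n("10.2.0.0/24"))
)

if __name__ == "__main__":
    print("FortiGate initiates:", diagnose(FGT, ASA))
    print("ASA initiates:      ", diagnose(ASA, FGT))
    print("After ASA fix:      ", diagnose(FGT, ASA_FIXED))
```

Run as a script, the model reproduces the symptom in the thread: when the ASA initiates, its single pair is mirrored on the FortiGate and the SA comes up, but when the FortiGate initiates, the pair for the address-group member the ASA does not know about is rejected. Fixing the ASA side (or narrowing the FortiGate selectors) makes both directions agree.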