You must create a separate phase-2 selector on the FortiGate for every subnet you have defined in the Cisco's VPN configuration.
For example:
Let's say you have 1 subnet behind the FortiGate.
You need to reach 5 subnets behind the ASA through the VPN.
You probably created a network object-group in the Cisco ASDM and listed the 5 subnets under 1 object-group.
This configuration requires 5 separate phase-2 selectors on the FortiGate.
If you have 2 subnets behind the FortiGate and 5 behind the Cisco, you need to create 10 phase-2 selectors. This is assuming you aren't able to summarize the local and remote networks.
Without the ASA cfg review you are limited in your diagnostics. You have a host of issues that could cause problems.
Please search here in this forum for ASA-2-FGT vpn cfgs.
Or at http://socpuppet.blogspot.com/2014/05/site-2-site-vpn-fortinet-fortigate-to.html
For troubleshooting you will need to execute a few items. Here are some basics from the FortiGate side of things:
http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
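The selector rule above (one phase-2 selector per local-subnet/remote-subnet pair, fewer only when the networks can be summarized) as an added worked example; this is not code from the thread. The phase-1 name "to-asa" and every subnet below are constructed sample values, and summarization here is exact aggregation only (adjacent or contained prefixes), so no traffic outside the original subnets is added.

```python
import ipaddress
from itertools import product

# Constructed sample topology: 1 subnet behind the FortiGate, 5 behind the ASA
# (the ASA side listed as one object-group, as in the post).
LOCAL_SUBNETS = ["10.10.0.0/24"]
REMOTE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24",
                  "172.16.0.0/25", "172.16.0.128/25"]


def summarize(subnets):
    """Collapse adjacent or contained prefixes (two /25s into one /24, etc.).
    Only exact aggregation is performed; nothing outside the inputs is covered."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def phase2_selectors(local_subnets, remote_subnets, summarise=False):
    """Return the (local, remote) pairs, one per phase-2 selector.
    Without summarisation the count is len(local) * len(remote)."""
    local = summarize(local_subnets) if summarise else list(local_subnets)
    remote = summarize(remote_subnets) if summarise else list(remote_subnets)
    return list(product(local, remote))


def fortigate_phase2_cli(phase1_name, selectors):
    """Render one 'config vpn ipsec phase2-interface' entry per selector."""
    lines = ["config vpn ipsec phase2-interface"]
    for i, (src, dst) in enumerate(selectors, start=1):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        lines += [
            f'    edit "{phase1_name}-p2-{i}"',
            f'        set phase1name "{phase1_name}"',
            f"        set src-subnet {s.network_address} {s.netmask}",
            f"        set dst-subnet {d.network_address} {d.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    plain = phase2_selectors(LOCAL_SUBNETS, REMOTE_SUBNETS)
    print(f"{len(plain)} selectors without summarisation")
    summed = phase2_selectors(LOCAL_SUBNETS, REMOTE_SUBNETS, summarise=True)
    print(f"{len(summed)} selectors with summarisation")
    print(fortigate_phase2_cli("to-asa", summed))
```

Summarize only if the ASA's crypto ACL is changed to the same aggregated prefixes, because the proxy IDs negotiated in phase 2 must match on both peers or the selectors will not come up.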
Hi,
An "IPsec DPD failure" would cause the IPsec tunnel to flap. DPD messages are exchanged to check the liveness of the IPsec peer/tunnel. If these DPD packets are missed 3 times, each one sent every 5 seconds, the tunnel will be torn down. First it would be worth checking whether the ASA receives the DPD packets when the FGT sends them, or whether these packets are dropped in the transit path.
You can check the DPD packets using the IKE debug on the FGT:
diag debug reset
diag vpn ike log-filter dst-addr4 <peer_ip>
diag debug app ike -1
diag debug enable
To turn off the debug:
diag debug reset
diag debug disable
If the tunnel flaps due to DPD packet loss, you may try disabling DPD. You can disable DPD on the FGT from the Phase 1 settings in the GUI, and disable it on the ASA side also.
Rewanta