- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Adding a second VPN Tunnel with Cisco ASA
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding a second VPN Tunnel with Cisco ASA
Hello everyone
Im trying to add a second VPN tunnel to our fortigate. everything seems ok and the tunnel is up but no communication between the two sites.
Trace route on CLi on fortigate just drops
Traceroute from lan goes to the internet and drops
I used a wizard to create the tunnel. On our side we have Fortigate 200D and the other end is a Cisco ASA
diag gateway list results below
vd: root/0
name: XXXXXXXXXXXXX
version: 1
interface: port6 15
addr: XXXXXXXXXXXX:500 -> XXXXXXXXXXXXX:500
created: 5038s ago
IKE SA: created 1/1 established 1/1 time 630/630/630 ms
IPsec SA: created 5/85 established 5/5 time 180/358/800 ms
id/spi: 2 e9e783ffee4b81ee/557d82bf62f157f8
direction: initiator
status: established 5038-5037s ago = 630ms
proposal: aes256-sha1
key: f1cf0d0329195bdc-683d8c0d7660f9ce-af2786dfc8dd072b-310f90e043bc78a9
lifetime/rekey: 43200/37862
DPD sent/recv: 00000000/00000000
vd: root/0
name: YYYYYYYYYYYYYYYYY
version: 1
interface: port6 15
addr: YYYYYYYYYYYY:500 -> YYYYYYYYYYYYYYYY:500
created: 443s ago
IKE SA: created 1/1 established 1/1 time 670/670/670 ms
IPsec SA: created 1/1 established 1/1 time 890/890/890 ms
id/spi: 16 144ca8e0a32ae987/128dced7496e5590
direction: initiator
status: established 443-442s ago = 670ms
proposal: aes256-sha1
key: 1ea51db8c63bf1e9-73cc692d2d2fa48f-f14ad0ffe946bccf-6712eab0676207db
lifetime/rekey: 86400/85657
DPD sent/recv: 000038d2/00000000
Any idea of what i'm doing wrong?
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you create a Policy?
Can you print the configuration for the tunnel?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nissan,
Thanks for the response. Yes the policy was created. I used the wizard to create the tunnel, then i converted it to a custom tunnel and changed the Phase 1 and phase 2 parameters to match the remote site
P1
AES256 SHA1 5
AES256 SHA1 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, have you defined the local and remote network?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes i've done that.
see diag debug log below
_FGT_200D # 2016-03-08 16:21:17 ike 0:Tunnel: link is idle 15 XXXXX->YYYYYYY:0 dpd=1 seqno=3bef 2016-03-08 16:21:17 ike 0:Tunnel:364: send IKEv1 DPD probe, seqno 15343 2016-03-08 16:21:17 ike 0:Tunnel:364: enc 29FF8527190383F0A85AA0B27891ABB8081005014692C10B000000540B000018257404B5C398CF51D97E8571E0C5018BFD202628000000200000000101108D2829FF8527190383F0A85AA0B27891ABB800003BEF 2016-03-08 16:21:17 ike 0:tunnel:364: out 29FF8527190383F0A85AA0B27891ABB8081005014692C10B0000005C3FDFB81A9B0CE4C830E4667D408B8C90BE00B41488892DA9639857C5FF0AF8B9B5B5B6396FC61C73E339B28CCA51EC792E75474D91F753B0BF41742E0F4F5D00 2016-03-08 16:21:17 ike 0:tunnel:364: sent IKE msg (R-U-THERE): XXXXXXXX:500->YYYYYYYYYYY:500, len=92, id=29ff8527190383f0/a85aa0b27891abb8:4692c10b 2016-03-08 16:21:18 ike 0: comes XXXXXXX:500->YYYYYYYYYY:500,ifindex=15.... 2016-03-08 16:21:18 ike 0: IKEv1 exchange=Informational id=29ff8527190383f0/a85aa0b27891abb8:86580cf7 len=92 2016-03-08 16:21:18 ike 0: in 29FF8527190383F0A85AA0B27891ABB80810050186580CF70000005C35B2870A18521512EEA5BB1A07A73AC50E1DD9271DB18D8A75133EC293F824C262F03D40C8C3DC2058EE67703D361C5D7D1406567C141E349D9BF895F04F8054 2016-03-08 16:21:18 ike 0:tunnel:364: dec 29FF8527190383F0A85AA0B27891ABB80810050186580CF70000005C0B00001851F0653B991BF216C1F125C8AA5DB9543B20A7B9000000200000000101108D2929FF8527190383F0A85AA0B27891ABB800003BEF0000000000000000 2016-03-08 16:21:18 ike 0:tunnel:364: notify msg received: R-U-THERE-ACK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help still needed. Tunnel up but no traffic
The event log shows dpd failure but it shows that both the p1 and p2 are successful
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If interface mode, did you set the static route?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Bob,
Yes i did.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also noticed that traffic is not going through the tunnel. The traffic seems to be going to the internet directly and dropping
Im at a total loss
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the distance of the static route lower than that of your default gateway?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SSL VPN STUCK AT 98% 91 Views
- Sophos Red Router 80 Views
- FGT-VM - Firewall policy doesn't function 83 Views
- Installing FSSO Agent on AD server 153 Views
- GRE tunnel issues getting to websites 122 Views
Labels
-
FortiGate
7,225 -
FortiClient
1,425 -
5.2
801 -
5.4
639 -
FortiManager
624 -
FortiAnalyzer
464 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
282 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
178 -
FortiNAC
130 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
110 -
FortiGateCloud
97 -
FortiSIEM
95 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiSandbox
36 -
FortiExtender
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
VLAN
32 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
20 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
13 -
Virtual IP
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
IP address management - IPAM
9 -
FortiManager v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Web application firewall profile
7 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiNDR
2 -
FortiAI
2 -
FortiHypervisor
2 -
Schedule
2 -
Authentication rule and scheme
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
File filter
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Zone
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1084 | |
| 892 | |
| 535 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.