- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Adding a second VPN Tunnel with Cisco ASA
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding a second VPN Tunnel with Cisco ASA
Hello everyone
Im trying to add a second VPN tunnel to our fortigate. everything seems ok and the tunnel is up but no communication between the two sites.
Trace route on CLi on fortigate just drops
Traceroute from lan goes to the internet and drops
I used a wizard to create the tunnel. On our side we have Fortigate 200D and the other end is a Cisco ASA
diag gateway list results below
vd: root/0
name: XXXXXXXXXXXXX
version: 1
interface: port6 15
addr: XXXXXXXXXXXX:500 -> XXXXXXXXXXXXX:500
created: 5038s ago
IKE SA: created 1/1 established 1/1 time 630/630/630 ms
IPsec SA: created 5/85 established 5/5 time 180/358/800 ms
id/spi: 2 e9e783ffee4b81ee/557d82bf62f157f8
direction: initiator
status: established 5038-5037s ago = 630ms
proposal: aes256-sha1
key: f1cf0d0329195bdc-683d8c0d7660f9ce-af2786dfc8dd072b-310f90e043bc78a9
lifetime/rekey: 43200/37862
DPD sent/recv: 00000000/00000000
vd: root/0
name: YYYYYYYYYYYYYYYYY
version: 1
interface: port6 15
addr: YYYYYYYYYYYY:500 -> YYYYYYYYYYYYYYYY:500
created: 443s ago
IKE SA: created 1/1 established 1/1 time 670/670/670 ms
IPsec SA: created 1/1 established 1/1 time 890/890/890 ms
id/spi: 16 144ca8e0a32ae987/128dced7496e5590
direction: initiator
status: established 443-442s ago = 670ms
proposal: aes256-sha1
key: 1ea51db8c63bf1e9-73cc692d2d2fa48f-f14ad0ffe946bccf-6712eab0676207db
lifetime/rekey: 86400/85657
DPD sent/recv: 000038d2/00000000
Any idea of what i'm doing wrong?
- « Previous
-
- 1
- 2
- Next »
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it was the same but ive just made it lower now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The same won't work.
Rather... The same may not work. If the two are the same, the FGT will choose which path to take to reach the remote subnet. By using a lower distance, you force the FGT to use the path you chose.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ive made it lower and still no luck
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the traffic goes out on the internet interface there's something wrong with the routing or the local/remote subnet specified in the tunnel configuration.
Are you sure you're using Interface based VPN?
And your static route is pointing on the IPSEC interface?
Btw..
Have you tried to turn off DPD?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post the result of "get router info routing-table all"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
# get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S* 0.0.0.0/0 [10/0] via 62.173.44.193, port6 S 10.6.4.108/30 [5/0] via 10.38.0.33, port3 S 10.10.16.0/24 [10/0] via 10.38.0.33, port3 C 10.38.0.32/28 is directly connected, port3 C 62.173.44.0/24 is directly connected, port6 is directly connected, port6 C 62.173.44.192/30 is directly connected, port6 S 192.168.0.0/24 [10/0] is directly connected, VPN 1 C 192.168.1.0/24 is directly connected, port2 S 192.168.6.0/24 [10/0] is directly connected, VPN 1 S 192.168.14.0/24 [10/0] is directly connected, VPN 1 C 192.168.20.0/24 is directly connected, port5 C 192.168.21.0/24 is directly connected, port4 C 192.168.40.0/22 is directly connected, port7 S 192.168.44.0/24 [5/0] via 10.38.0.43, port3 S 192.168.45.0/24 [5/0] via 10.38.0.44, port3 --More-- S 192.168.46.0/24 [5/0] via 10.38.0.37, port3 --More-- S 192.168.47.0/24 [5/0] via 10.38.0.39, port3 --More-- S 192.168.48.0/24 [5/0] via 10.38.0.46, port3 --More-- S 192.168.49.0/24 [10/0] via 10.38.0.33, port3 --More-- C 192.168.100.0/24 is directly connected, lan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now the VPN is down and it no longer coming up
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To me it looks like you have the same Distance configured on the default route and the route to VPN interface.
Try to change the distance to 5 on the VPN interface.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much Nilsan. Ill try that and lt you know how it goes
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nissan i changed the default route and still the same issue. I think that the problem is from the Cisco ASA side
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SSL VPN STUCK AT 98% 91 Views
- Sophos Red Router 79 Views
- FGT-VM - Firewall policy doesn't function 83 Views
- Installing FSSO Agent on AD server 153 Views
- GRE tunnel issues getting to websites 122 Views
Labels
-
FortiGate
7,225 -
FortiClient
1,425 -
5.2
801 -
5.4
639 -
FortiManager
624 -
FortiAnalyzer
464 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
282 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
178 -
FortiNAC
130 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
110 -
FortiGateCloud
97 -
FortiSIEM
95 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiSandbox
36 -
FortiExtender
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
VLAN
32 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
20 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
13 -
Virtual IP
12 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
IP address management - IPAM
9 -
FortiManager v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Web application firewall profile
7 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiNDR
2 -
FortiAI
2 -
FortiHypervisor
2 -
Schedule
2 -
Authentication rule and scheme
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
File filter
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Zone
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1084 | |
| 892 | |
| 535 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.