FortiWifi 30D-POE
Firmware: v5.2.1, build618
I have set up a Ipsec VPN tunnel connecting a FortiWifi 30D-POE to a FortiGate 600c.
The tunnel comes up and traffic goes thru, until I shut down and restart FortiGate 30D.
When I run #diagnose debug application ike 255 I get the following:
01R56 # ike 0:FG-Kamera:FG-Kamera: IPsec SA connect 6 192.168.1.4->163.174.114.2:0
ike 0:FG-Kamera: could not locate phase1 configuration.
When I run #diagnose vpn ike config list I get the following: (see attached picture)
Going to the VPN Monitor and pressing “bring up tunnel” will not bring up the tunnel.
To complicate things I can bring the tunnel up immediately by making small changes to the phase1 or phase2 setup or nettwork setup, for example enabling or disabling DPD. But when I restart the unit, the tunnel will not come up again.
I have upgraded and downgraded between different firmware versions. The problem persists.
I have tried the same setup on another 30D-POE and it has the same problem.
I have several 40C and 60D in our system working with no problem, and they are seemingly set up identically.
Any suggestions?
Hi,
this sounds like a problem with the Quick Mode selectors.
For a 'static type' site-to-site VPN I recommend filling out both src and dest subnet fields, on both FGTs. I see that for destination you are using a wildcard (0.0.0.0/0). This may or may not work and in your case it does not.
Please give it a try, double check on the other FGT as well (src subnet is ALWAYS local) and a ping should bring up the tunnel. If you enable auto reconnect then the tunnel should be up (again) even if you bring it down manually in the VPN monitor.
Hi
I forgot to mention that this is a dialup connection. The 30D has no static ip as it will be moved between different locations and use different carriers.
Anyway, I tried with destination address and it brought the tunnel up instantly. But when I did a reboot it did not come up again.
For some weird reason the FortiWifi can’t find the phase1 config unless I do a minor change to the system. For example, if I enable and disable the Wifi Access.
Can it somehow be related to “internal” being a software switch? It’s one of few differences I can find between the 40’s and 60’s that I am used to.
Problem solved!
- by updating to firmware 5.2.2
According to the fortios-v5.2.2-release-notes, under what’s new it states “Added hardware switch feature and SPAN functionality to 30D, 60D, and 90D series. Moved PoE ports out of the internal switch to independent interfaces.”
Maybe that was it :)
I just had this problem on a 60D running 5.2.7. Standard site-to-site IPSec tunnel to other 5.2.X firewalls, terminating on the "wan1" interface on the local side. I use a template and this generally "just works".
After upgrading to 5.2.9 the VPNs came right up.
We faced the same issue with FotiOS 6.0.9.
The VPN was working fine before and suddenly it stopped working with the error:
could not locate phase1 configuration
We have tried restarting iked but it didn't work.
We tried a failover because we have a cluster, and the VPN went UP.
I think it is related to a bug in version 6.0.9.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.