Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Emma02
New Contributor II

FortiGate 100E VPN Error: "Phase 2 Mismatch" After Firmware Update to v6.4.5

Hello everyone,

 

I recently updated my FortiGate 100E to firmware version v6.4.5. After the update, I've been encountering a persistent issue with my site-to-site VPN. Every time I try to establish a connection, it fails, and I get a "Phase 2 Mismatch" error in the logs.

 

Before this update, my VPN connection was stable, and there were no issues. The only recent change I made, besides the firmware update, was adding a few firewall policies, but none that should affect the VPN, as far as I can tell. I've double-checked my VPN settings and phase 2 configurations on both ends, and they match.

 

Has anyone else faced a similar issue after updating to v6.4.5? Any guidance on troubleshooting this would be greatly appreciated.

 

I also check this - https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Possible-reasons-for-FortiClient-SSL...blue prism course

https://www.reddit.com/r/fortinet/comments/qzq8mu/invalid_http_request_with_azure_saml_ssl_vpn/?rdt=...

 

Thank you in advance!

Emma Wilson
Emma Wilson
2 REPLIES 2
asengar
Staff
Staff

Hi @Emma02 

Can you confirm if the both ends is FGT or its between FGT to other device.
Which the ike version you are using is it ike v1 (main or aggressive) or ike v2

Also share the ike debugs:

dia vpn ike log-filter dst-addr4  x.x.x.x   >>> x.x.x.x is the remote gateway

dia debug application ike -1

dia debug enable

 

to disable the logs give below command

dia debug disable

Also there is no any known issues for the same in 6.4.5, refer the below document

https://docs.fortinet.com/document/fortigate/6.4.5/fortios-release-notes/236526/known-issues

@bhishek
Muhammad_Haiqal

Hi @Emma02 ,

I believe this VPN is connected between Fortigate and other vendor.
Most likely this issue is on the phase2.

Some vendor cannot accept Fortigate phase2 grouping.
The solution is to seperate each of the phase2 subnet.

Example:

Local network:
192.168.10.0/24  << number 1
192.168.20.0/24  << number 2

Do not put that 2 subnet in group. Instead, make it individual.
Reference:

https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/666100/ipsec-vpn-between-a-fortigate-an...

haiqal
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors