Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Pradeep_Salunke
New Contributor

Fortigate Firewall Phase-1 negotiation timeout, deleting

Hello All,

 

We have existing IP-sec tunnel which was running fine however suddenly stop working

 

IPsec tunnel between fortigate to Microsoft Azure

 

We have check the proposal and seems to same 

 

took debug which is below

 

>13.80.155.94:500, len=288, id=62ea9b1497f2db6f/69afdeb1de828c91
2024-02-06 12:10:21.328778 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:0
2024-02-06 12:10:21.328839 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: using existing connection
2024-02-06 12:10:21.328859 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: config found
2024-02-06 12:10:21.328884 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:500 negotiating
2024-02-06 12:10:26.338887 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:0
2024-02-06 12:10:26.338944 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: using existing connection
2024-02-06 12:10:26.338965 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: config found
2024-02-06 12:10:26.338990 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:500 negotiating
2024-02-06 12:10:31.348788 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:0
2024-02-06 12:10:31.348938 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: using existing connection
2024-02-06 12:10:31.348964 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: config found
2024-02-06 12:10:31.348993 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:500 negotiating
2024-02-06 12:10:36.358788 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:0
2024-02-06 12:10:36.358879 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: using existing connection
2024-02-06 12:10:36.358903 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: config found
2024-02-06 12:10:36.358933 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:500 negotiating
2024-02-06 12:10:41.368750 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:0
2024-02-06 12:10:41.368839 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: using existing connection
2024-02-06 12:10:41.368864 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: config found
2024-02-06 12:10:41.368893 ike 0:P1_DWOW_Azure:P2_DWOW_Azure: IPsec SA connect 45 81.20.193.58->13.80.155.94:500 negotiating
2024-02-06 12:10:46.098704 ike 0:P1_DWOW_Azure:2420: negotiation timeout, deleting
2024-02-06 12:10:46.106482 ike 0:P1_DWOW_Azure: connection expiring due to phase1 down

 

Can anyone suggest?

3 REPLIES 3
Markus_M
Staff
Staff

Hi Pradeep,

 

with any timeout, go with a packet capture. "Timeout" usually refers to one node sending a message and there is no response. No response in turn can be comprised of that the other node did not receive the message, or that the other node did receive the mesage, but the phrased response is not arriving back at the message sender.

Do a packet capture on both nodes and see what message is sent and not arriving at the other node. Limit the capture to ports 500 and 4500.

 

Best regards,

 

Markus

Toshi_Esumi
Esteemed Contributor III

Did you happen to rename the IPsec phase1 recently or do you happen to have another IPsec with the same peer gateway IP? Just wondering.
CLI "get vpn ipsec tun sum" has only this one?

 

Toshi

hbac
Staff
Staff

Hi @Pradeep_Salunke,

 

I only see one way traffic from the debug. Can you run packet sniffer to confirm that? 

 

di sniffer packet any 'host 13.80.155.94' 4 0 l 

 

Regards, 

Labels
Top Kudoed Authors