Hi everyone
I have a problem when pushing configuration from FortiManager to a Fortinet firewall.
I used FortiManager version v7.2.5-build1574 with an evaluation license and pushed the SD-WAN overlay template. It reported an error, but I do not see the error in the installation log.
I tried to upgrade the firmware on the FMG from 7.0.3 to 7.2.5 and the FortiGate from 7.0.5 to 7.2.0, but it did not resolve the problem. I also tried to install each part of the SD-WAN overlay template separately, but it had the same problem.
Do you have any idea how we can fix it?
Please help me!
Install log:
Starting log (Run on device)
Start installing
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set interface "WAN1"
Site-30 (HUB1-VPN1) $ set ike-version 2
Site-30 (HUB1-VPN1) $ set comments "VPN: HUB1-VPN1 [Created by IPSEC Template]"
Site-30 (HUB1-VPN1) $ set peertype any
Site-30 (HUB1-VPN1) $ set mode-cfg enable
Site-30 (HUB1-VPN1) $ set localid "Branch30"
Site-30 (HUB1-VPN1) $ set remote-gw 23.1.1.10
Site-30 (HUB1-VPN1) $ set net-device enable
Site-30 (HUB1-VPN1) $ set add-route disable
Site-30 (HUB1-VPN1) $ set psksecret *********************
Site-30 (HUB1-VPN1) $ set network-overlay enable
Site-30 (HUB1-VPN1) $ set network-id 1
Site-30 (HUB1-VPN1) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set vdom "root"
Site-30 (HUB1-VPN1) $ set type tunnel
Site-30 (HUB1-VPN1) $ set snmp-index 113
Site-30 (HUB1-VPN1) $ set interface "WAN1"
Site-30 (HUB1-VPN1) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set interface "WAN2"
Site-30 (HUB1-VPN2) $ set ike-version 2
Site-30 (HUB1-VPN2) $ set comments "VPN: HUB1-VPN2 [Created by IPSEC Template]"
Site-30 (HUB1-VPN2) $ set peertype any
Site-30 (HUB1-VPN2) $ set mode-cfg enable
Site-30 (HUB1-VPN2) $ set localid "Branch30"
Site-30 (HUB1-VPN2) $ set remote-gw 24.1.1.10
Site-30 (HUB1-VPN2) $ set net-device enable
Site-30 (HUB1-VPN2) $ set add-route disable
Site-30 (HUB1-VPN2) $ set psksecret *********************
Site-30 (HUB1-VPN2) $ set network-overlay enable
Site-30 (HUB1-VPN2) $ set network-id 2
Site-30 (HUB1-VPN2) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set vdom "root"
Site-30 (HUB1-VPN2) $ set type tunnel
Site-30 (HUB1-VPN2) $ set snmp-index 114
Site-30 (HUB1-VPN2) $ set interface "WAN2"
Site-30 (HUB1-VPN2) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set interface "WAN3"
Site-30 (HUB1-VPN3) $ set ike-version 2
Site-30 (HUB1-VPN3) $ set comments "VPN: HUB1-VPN3 [Created by IPSEC Template]"
Site-30 (HUB1-VPN3) $ set peertype any
Site-30 (HUB1-VPN3) $ set mode-cfg enable
Site-30 (HUB1-VPN3) $ set localid "Branch30"
Site-30 (HUB1-VPN3) $ set remote-gw 25.1.1.10
Site-30 (HUB1-VPN3) $ set net-device enable
Site-30 (HUB1-VPN3) $ set add-route disable
Site-30 (HUB1-VPN3) $ set psksecret *********************
Site-30 (HUB1-VPN3) $ set network-overlay enable
Site-30 (HUB1-VPN3) $ set network-id 3
Site-30 (HUB1-VPN3) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set vdom "root"
Site-30 (HUB1-VPN3) $ set type tunnel
Site-30 (HUB1-VPN3) $ set snmp-index 115
Site-30 (HUB1-VPN3) $ set interface "WAN3"
Site-30 (HUB1-VPN3) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set interface "port3"
Site-30 (HUB1-VPN4) $ set ike-version 2
Site-30 (HUB1-VPN4) $ set comments "VPN: HUB1-VPN4 [Created by IPSEC Template]"
Site-30 (HUB1-VPN4) $ set peertype any
Site-30 (HUB1-VPN4) $ set mode-cfg enable
Site-30 (HUB1-VPN4) $ set localid "Branch30"
Site-30 (HUB1-VPN4) $ set remote-gw 26.1.1.10
Site-30 (HUB1-VPN4) $ set net-device enable
Site-30 (HUB1-VPN4) $ set add-route disable
Site-30 (HUB1-VPN4) $ set psksecret *********************
Site-30 (HUB1-VPN4) $ set network-overlay enable
Site-30 (HUB1-VPN4) $ set network-id 4
Site-30 (HUB1-VPN4) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set vdom "root"
Site-30 (HUB1-VPN4) $ set type tunnel
Site-30 (HUB1-VPN4) $ set snmp-index 116
Site-30 (HUB1-VPN4) $ set interface "port3"
Site-30 (HUB1-VPN4) $ next
Site-30 (interface) $ edit "Branch30-Lo"
Site-30 (Branch30-Lo) $ set vdom "root"
Site-30 (Branch30-Lo) $ set ip 172.16.0.30 255.255.255.255
Site-30 (Branch30-Lo) $ set allowaccess ping
Site-30 (Branch30-Lo) $ set type loopback
Site-30 (Branch30-Lo) $ set snmp-index 117
Site-30 (Branch30-Lo) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase2-interface
Site-30 (phase2-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set phase1name "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set auto-negotiate enable
Site-30 (HUB1-VPN1) $ set comments "VPN: HUB1-VPN1 [Created by IPSEC Template]"
Site-30 (HUB1-VPN1) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set phase1name "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set auto-negotiate enable
Site-30 (HUB1-VPN2) $ set comments "VPN: HUB1-VPN2 [Created by IPSEC Template]"
Site-30 (HUB1-VPN2) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set phase1name "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set auto-negotiate enable
Site-30 (HUB1-VPN3) $ set comments "VPN: HUB1-VPN3 [Created by IPSEC Template]"
Site-30 (HUB1-VPN3) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set phase1name "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set auto-negotiate enable
Site-30 (HUB1-VPN4) $ set comments "VPN: HUB1-VPN4 [Created by IPSEC Template]"
Site-30 (HUB1-VPN4) $ next
Site-30 (phase2-interface) $ end
Site-30 $ config system sdwan
Site-30 (sdwan) $ config members
Site-30 (members) $ edit 4
Site-30 (4) $ set interface "HUB1-VPN1"
Site-30 (4) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (4) $ next
Site-30 (members) $ edit 5
Site-30 (5) $ set interface "HUB1-VPN2"
Site-30 (5) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (5) $ next
Site-30 (members) $ edit 6
Site-30 (6) $ set interface "HUB1-VPN3"
Site-30 (6) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (6) $ next
Site-30 (members) $ edit 7
Site-30 (7) $ set interface "HUB1-VPN4"
Site-30 (7) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (7) $ next
Site-30 (members) $ edit 8
Site-30 (8) $ set gateway 26.1.1.1
Site-30 (8) $ next
Site-30 (members) $ move 8 after 7
Site-30 (members) $ end
Site-30 (sdwan) $ config health-check
Site-30 (health-check) $ edit "HUB1_HC"
Site-30 (HUB1_HC) $ set server 172.16.255.253
Site-30 (HUB1_HC) $ set update-cascade-interface disable
Site-30 (HUB1_HC) $ set update-static-route disable
Site-30 (HUB1_HC) $ set sla-fail-log-period 10
Site-30 (HUB1_HC) $ set sla-pass-log-period 10
Site-30 (HUB1_HC) $ config sla
Site-30 (sla) $ edit 1
Site-30 (1) $ set latency-threshold 255
Site-30 (1) $ set jitter-threshold 55
Site-30 (1) $ set packetloss-threshold 1
Site-30 (1) $ next
Site-30 (sla) $ end
Site-30 (HUB1_HC) $ next
Site-30 (health-check) $ end
Site-30 (sdwan) $ end
Site-30 $ config router prefix-list
Site-30 (prefix-list) $ edit "all_prefixes"
Site-30 (all_prefixes) $ config rule
Site-30 (rule) $ edit 1
Site-30 (1) $ set prefix any
Site-30 (1) $ unset ge
Site-30 (1) $ unset le
Site-30 (1) $ next
Site-30 (rule) $ end
Site-30 (all_prefixes) $ next
Site-30 (prefix-list) $ end
Site-30 $ config router route-map
Site-30 (route-map) $ edit "port2_only"
Site-30 (port2_only) $ config rule
Site-30 (rule) $ edit 1
Site-30 (1) $ set match-interface "port2"
Site-30 (1) $ next
Site-30 (rule) $ edit 2
Site-30 (2) $ set action deny
Site-30 (2) $ set match-ip-address "all_prefixes"
Site-30 (2) $ next
Site-30 (rule) $ end
Site-30 (port2_only) $ next
Site-30 (route-map) $ end
Site-30 $ config router bgp
Site-30 (bgp) $ set as 65000
Site-30 (bgp) $ set router-id 172.16.0.30
Site-30 (bgp) $ set ibgp-multipath enable
Site-30 (bgp) $ set graceful-restart enable
Site-30 (bgp) $ config neighbor
Site-30 (neighbor) $ edit "10.10.127.253"
Site-30 (10.10.127.253) $ set advertisement-interval 1
Site-30 (10.10.127.253) $ set capability-graceful-restart enable
Site-30 (10.10.127.253) $ set link-down-failover enable
Site-30 (10.10.127.253) $ set soft-reconfiguration enable
Site-30 (10.10.127.253) $ set description "HUB1-VPN2"
Site-30 (10.10.127.253) $ set interface "HUB1-VPN2"
Site-30 (10.10.127.253) $ set remote-as 65000
Site-30 (10.10.127.253) $ set connect-timer 10
Site-30 (10.10.127.253) $ next
Site-30 (neighbor) $ edit "10.10.191.253"
Site-30 (10.10.191.253) $ set advertisement-interval 1
Site-30 (10.10.191.253) $ set capability-graceful-restart enable
Site-30 (10.10.191.253) $ set link-down-failover enable
Site-30 (10.10.191.253) $ set soft-reconfiguration enable
Site-30 (10.10.191.253) $ set description "HUB1-VPN3"
Site-30 (10.10.191.253) $ set interface "HUB1-VPN3"
Site-30 (10.10.191.253) $ set remote-as 65000
Site-30 (10.10.191.253) $ set connect-timer 10
Site-30 (10.10.191.253) $ next
Site-30 (neighbor) $ edit "10.10.255.253"
Site-30 (10.10.255.253) $ set advertisement-interval 1
Site-30 (10.10.255.253) $ set capability-graceful-restart enable
Site-30 (10.10.255.253) $ set link-down-failover enable
Site-30 (10.10.255.253) $ set soft-reconfiguration enable
Site-30 (10.10.255.253) $ set description "HUB1-VPN4"
Site-30 (10.10.255.253) $ set interface "HUB1-VPN4"
Site-30 (10.10.255.253) $ set remote-as 65000
Site-30 (10.10.255.253) $ set connect-timer 10
Site-30 (10.10.255.253) $ next
Site-30 (neighbor) $ edit "10.10.63.253"
Site-30 (10.10.63.253) $ set advertisement-interval 1
Site-30 (10.10.63.253) $ set capability-graceful-restart enable
Site-30 (10.10.63.253) $ set link-down-failover enable
Site-30 (10.10.63.253) $ set soft-reconfiguration enable
Site-30 (10.10.63.253) $ set description "HUB1-VPN1"
Site-30 (10.10.63.253) $ set interface "HUB1-VPN1"
Site-30 (10.10.63.253) $ set remote-as 65000
Site-30 (10.10.63.253) $ set connect-timer 10
Site-30 (10.10.63.253) $ next
Site-30 (neighbor) $ end
Site-30 (bgp) $ config redistribute "connected"
Site-30 (connected) $ set status enable
Site-30 (connected) $ set route-map "port2_only"
Site-30 (connected) $ end
Site-30 (bgp) $ end
---> generating verification report
(vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase1-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase1-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase1-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: system sdwan health-check "HUB1_HC":members)
remote original: 0
to be installed:
<--- done generating verification report
------- Start to retry --------
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ unset proposal
Site-30 (HUB1-VPN1) $ next
Site-30 (phase1-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ unset proposal
Site-30 (HUB1-VPN2) $ next
Site-30 (phase1-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ unset proposal
Site-30 (HUB1-VPN3) $ next
Site-30 (phase1-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ unset proposal
Site-30 (HUB1-VPN4) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config vpn ipsec phase2-interface
Site-30 (phase2-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ unset proposal
Site-30 (HUB1-VPN1) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ unset proposal
Site-30 (HUB1-VPN2) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ unset proposal
Site-30 (HUB1-VPN3) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ unset proposal
Site-30 (HUB1-VPN4) $ next
Site-30 (phase2-interface) $ end
Site-30 $ config system sdwan
Site-30 (sdwan) $ config health-check
Site-30 (health-check) $ edit "HUB1_HC"
Site-30 (HUB1_HC) $ unset members
Site-30 (HUB1_HC) $ next
Warning: health-check HUB1_HC does not have members. It may not work as expected.
Site-30 (health-check) $ end
Site-30 (sdwan) $ end
---> generating verification report
(vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase1-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase1-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase1-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:
<--- done generating verification report
install failed
Hi @BinhDien,
Which model of FortiGate is this? I have seen this issue happen when a certain model of FortiGate is yet to be fully supported by FortiManager. The issue, as per the log, is that FortiManager is expecting the phase2-interface proposal to be unset, whereas the unset is not working when the verification report is being generated. FMG re-attempted to unset this, which still failed, and hence the installation failed.
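The diagnosis above comes entirely from reading the verification report blocks in the install log: an attribute whose "remote original" value is still present after the retry pass while "to be installed" is empty is one FMG could not unset. The script below is an added example (not FortiManager or FortiGate code, and not posted by anyone in this thread) that parses those report blocks, lists the attributes that did not converge between the first and last report, and additionally flags proposals still using DES or MD5 on the device, since those algorithms are deprecated. The sample log is an excerpt of the install log posted above; the report format the parser assumes is exactly the one visible there.

```python
"""Parse FortiManager install-log verification reports and report attributes
that did not converge after the retry pass.

Added example for this thread, not FortiManager/FortiGate code. The report
layout assumed here is the one visible in the install log above:

    ---> generating verification report
    (vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
    remote original: des-md5 des-sha1
    to be installed:
    <--- done generating verification report
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r'^\(vdom (?P<vdom>\S+): (?P<path>.+?):(?P<attr>[^:]+)\)$')
REPORT_START = "---> generating verification report"
REPORT_END = "<--- done generating verification report"

# Proposal tokens a reviewer should flag: DES/3DES and MD5 are deprecated.
WEAK_TOKENS = {"des", "3des", "md5"}


@dataclass(frozen=True)
class Mismatch:
    vdom: str
    path: str
    attr: str
    remote_original: str
    to_be_installed: str

    @property
    def key(self):
        return (self.vdom, self.path, self.attr)


def parse_reports(log_text):
    """Return one list of Mismatch per verification report, in log order.
    Lines outside a report (CLI echo, retry banner) are ignored."""
    reports = []
    current = None   # entries of the report being read, or None
    pending = None   # the entry whose value lines we are collecting
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == REPORT_START:
            current, pending = [], None
            continue
        if line == REPORT_END:
            if current is not None:
                reports.append(current)
            current = None
            continue
        if current is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pending = dict(m.groupdict(), remote_original="", to_be_installed="")
            current.append(pending)
            continue
        if pending is None:
            continue
        if line.startswith("remote original:"):
            pending["remote_original"] = line.split(":", 1)[1].strip()
        elif line.startswith("to be installed:"):
            pending["to_be_installed"] = line.split(":", 1)[1].strip()
    return [[Mismatch(**e) for e in r] for r in reports]


def unresolved(reports):
    """Entries that appear unchanged in both the first and the last report:
    FMG's retry pass did not make them converge."""
    if len(reports) < 2:
        return []
    first = {m.key: m for m in reports[0]}
    return [m for m in reports[-1] if first.get(m.key) == m]


def weak_proposals(reports):
    """Keys of proposal attributes whose on-device value uses a weak token."""
    out = set()
    for report in reports:
        for m in report:
            tokens = set(re.split(r"[\s-]+", m.remote_original.lower()))
            if m.attr == "proposal" and tokens & WEAK_TOKENS:
                out.add(m.key)
    return sorted(out)


# Excerpt of the install log posted in this thread (two reports, one retry).
SAMPLE_LOG = """\
---> generating verification report
(vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: system sdwan health-check "HUB1_HC":members)
remote original: 0
to be installed:
<--- done generating verification report
------- Start to retry --------
Site-30 $ config vpn ipsec phase1-interface
---> generating verification report
(vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
(vdom root: vpn ipsec phase2-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:
<--- done generating verification report
install failed
"""


def summarize(log_text=SAMPLE_LOG):
    reports = parse_reports(log_text)
    return {
        "reports": len(reports),
        "first_report_entries": len(reports[0]) if reports else 0,
        "unresolved": [f"{m.path}:{m.attr}" for m in unresolved(reports)],
        "weak_proposals": [f"{p}:{a}" for (_, p, a) in weak_proposals(reports)],
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(name, value)
```

Run against the excerpt, the health-check `members` entry disappears from the second report (the retry's `unset members` took effect), while the eight `proposal` entries remain, which is exactly what the answer above points at. Feeding the complete install log from the thread into `summarize()` gives the same picture for all four tunnels.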
Hi @mpapisetty
Thanks for your reply.
I use FortiGate and FortiManager KVM in a practice lab, so I do not have a full support contract from Fortinet.
I'll reconfigure the phase2-interface before pushing the configuration to the FortiGate and I'll let you know whether the problem is resolved or not.
I have reconfigured the phase2-interface proposal and it is resolved.
A FortiGate with an evaluation license does not support the proposal created by FortiManager. I changed it and the configuration push is done.
Thank you very much!