BinhDien
New Contributor

Fortimanager: Verify state: install OK/verify FAIL

Hi everyone

I have a problem when pushing configuration from FortiManager to a Fortinet firewall.

I used FortiManager version v7.2.5-build1574 with an evaluation license and pushed the SD-WAN overlay template. It reported an error, but I do not see the error in the installation log.

I tried to upgrade the firmware on FMG from 7.0.3 to 7.2.5 and on the FortiGate from 7.0.5 to 7.2.0, but it did not resolve the problem. I also tried to install each part of the SD-WAN overlay template, but it had the same problem.

 

Do you have any idea how we can fix it?

Please help me!

 

Install log:

Starting log (Run on device)


Start installing
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set interface "WAN1"
Site-30 (HUB1-VPN1) $ set ike-version 2
Site-30 (HUB1-VPN1) $ set comments "VPN: HUB1-VPN1 [Created by IPSEC Template]"
Site-30 (HUB1-VPN1) $ set peertype any
Site-30 (HUB1-VPN1) $ set mode-cfg enable
Site-30 (HUB1-VPN1) $ set localid "Branch30"
Site-30 (HUB1-VPN1) $ set remote-gw 23.1.1.10
Site-30 (HUB1-VPN1) $ set net-device enable
Site-30 (HUB1-VPN1) $ set add-route disable
Site-30 (HUB1-VPN1) $ set psksecret *********************
Site-30 (HUB1-VPN1) $ set network-overlay enable
Site-30 (HUB1-VPN1) $ set network-id 1
Site-30 (HUB1-VPN1) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set vdom "root"
Site-30 (HUB1-VPN1) $ set type tunnel
Site-30 (HUB1-VPN1) $ set snmp-index 113
Site-30 (HUB1-VPN1) $ set interface "WAN1"
Site-30 (HUB1-VPN1) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set interface "WAN2"
Site-30 (HUB1-VPN2) $ set ike-version 2
Site-30 (HUB1-VPN2) $ set comments "VPN: HUB1-VPN2 [Created by IPSEC Template]"
Site-30 (HUB1-VPN2) $ set peertype any
Site-30 (HUB1-VPN2) $ set mode-cfg enable
Site-30 (HUB1-VPN2) $ set localid "Branch30"
Site-30 (HUB1-VPN2) $ set remote-gw 24.1.1.10
Site-30 (HUB1-VPN2) $ set net-device enable
Site-30 (HUB1-VPN2) $ set add-route disable
Site-30 (HUB1-VPN2) $ set psksecret *********************
Site-30 (HUB1-VPN2) $ set network-overlay enable
Site-30 (HUB1-VPN2) $ set network-id 2
Site-30 (HUB1-VPN2) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set vdom "root"
Site-30 (HUB1-VPN2) $ set type tunnel
Site-30 (HUB1-VPN2) $ set snmp-index 114
Site-30 (HUB1-VPN2) $ set interface "WAN2"
Site-30 (HUB1-VPN2) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set interface "WAN3"
Site-30 (HUB1-VPN3) $ set ike-version 2
Site-30 (HUB1-VPN3) $ set comments "VPN: HUB1-VPN3 [Created by IPSEC Template]"
Site-30 (HUB1-VPN3) $ set peertype any
Site-30 (HUB1-VPN3) $ set mode-cfg enable
Site-30 (HUB1-VPN3) $ set localid "Branch30"
Site-30 (HUB1-VPN3) $ set remote-gw 25.1.1.10
Site-30 (HUB1-VPN3) $ set net-device enable
Site-30 (HUB1-VPN3) $ set add-route disable
Site-30 (HUB1-VPN3) $ set psksecret *********************
Site-30 (HUB1-VPN3) $ set network-overlay enable
Site-30 (HUB1-VPN3) $ set network-id 3
Site-30 (HUB1-VPN3) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set vdom "root"
Site-30 (HUB1-VPN3) $ set type tunnel
Site-30 (HUB1-VPN3) $ set snmp-index 115
Site-30 (HUB1-VPN3) $ set interface "WAN3"
Site-30 (HUB1-VPN3) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set interface "port3"
Site-30 (HUB1-VPN4) $ set ike-version 2
Site-30 (HUB1-VPN4) $ set comments "VPN: HUB1-VPN4 [Created by IPSEC Template]"
Site-30 (HUB1-VPN4) $ set peertype any
Site-30 (HUB1-VPN4) $ set mode-cfg enable
Site-30 (HUB1-VPN4) $ set localid "Branch30"
Site-30 (HUB1-VPN4) $ set remote-gw 26.1.1.10
Site-30 (HUB1-VPN4) $ set net-device enable
Site-30 (HUB1-VPN4) $ set add-route disable
Site-30 (HUB1-VPN4) $ set psksecret *********************
Site-30 (HUB1-VPN4) $ set network-overlay enable
Site-30 (HUB1-VPN4) $ set network-id 4
Site-30 (HUB1-VPN4) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config system interface
Site-30 (interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set vdom "root"
Site-30 (HUB1-VPN4) $ set type tunnel
Site-30 (HUB1-VPN4) $ set snmp-index 116
Site-30 (HUB1-VPN4) $ set interface "port3"
Site-30 (HUB1-VPN4) $ next
Site-30 (interface) $ edit "Branch30-Lo"
Site-30 (Branch30-Lo) $ set vdom "root"
Site-30 (Branch30-Lo) $ set ip 172.16.0.30 255.255.255.255
Site-30 (Branch30-Lo) $ set allowaccess ping
Site-30 (Branch30-Lo) $ set type loopback
Site-30 (Branch30-Lo) $ set snmp-index 117
Site-30 (Branch30-Lo) $ next
Site-30 (interface) $ end
Site-30 $ config vpn ipsec phase2-interface
Site-30 (phase2-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set phase1name "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ set auto-negotiate enable
Site-30 (HUB1-VPN1) $ set comments "VPN: HUB1-VPN1 [Created by IPSEC Template]"
Site-30 (HUB1-VPN1) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set phase1name "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ set auto-negotiate enable
Site-30 (HUB1-VPN2) $ set comments "VPN: HUB1-VPN2 [Created by IPSEC Template]"
Site-30 (HUB1-VPN2) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set phase1name "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ set auto-negotiate enable
Site-30 (HUB1-VPN3) $ set comments "VPN: HUB1-VPN3 [Created by IPSEC Template]"
Site-30 (HUB1-VPN3) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set phase1name "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ set auto-negotiate enable
Site-30 (HUB1-VPN4) $ set comments "VPN: HUB1-VPN4 [Created by IPSEC Template]"
Site-30 (HUB1-VPN4) $ next
Site-30 (phase2-interface) $ end
Site-30 $ config system sdwan
Site-30 (sdwan) $ config members
Site-30 (members) $ edit 4
Site-30 (4) $ set interface "HUB1-VPN1"
Site-30 (4) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (4) $ next
Site-30 (members) $ edit 5
Site-30 (5) $ set interface "HUB1-VPN2"
Site-30 (5) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (5) $ next
Site-30 (members) $ edit 6
Site-30 (6) $ set interface "HUB1-VPN3"
Site-30 (6) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (6) $ next
Site-30 (members) $ edit 7
Site-30 (7) $ set interface "HUB1-VPN4"
Site-30 (7) $ set zone "SDWAN_IPSec_Overlay"
Site-30 (7) $ next
Site-30 (members) $ edit 8
Site-30 (8) $ set gateway 26.1.1.1
Site-30 (8) $ next
Site-30 (members) $ move 8 after 7
Site-30 (members) $ end
Site-30 (sdwan) $ config health-check
Site-30 (health-check) $ edit "HUB1_HC"
Site-30 (HUB1_HC) $ set server 172.16.255.253
Site-30 (HUB1_HC) $ set update-cascade-interface disable
Site-30 (HUB1_HC) $ set update-static-route disable
Site-30 (HUB1_HC) $ set sla-fail-log-period 10
Site-30 (HUB1_HC) $ set sla-pass-log-period 10
Site-30 (HUB1_HC) $ config sla
Site-30 (sla) $ edit 1
Site-30 (1) $ set latency-threshold 255
Site-30 (1) $ set jitter-threshold 55
Site-30 (1) $ set packetloss-threshold 1
Site-30 (1) $ next
Site-30 (sla) $ end
Site-30 (HUB1_HC) $ next
Site-30 (health-check) $ end
Site-30 (sdwan) $ end
Site-30 $ config router prefix-list
Site-30 (prefix-list) $ edit "all_prefixes"
Site-30 (all_prefixes) $ config rule
Site-30 (rule) $ edit 1
Site-30 (1) $ set prefix any
Site-30 (1) $ unset ge
Site-30 (1) $ unset le
Site-30 (1) $ next
Site-30 (rule) $ end
Site-30 (all_prefixes) $ next
Site-30 (prefix-list) $ end
Site-30 $ config router route-map
Site-30 (route-map) $ edit "port2_only"
Site-30 (port2_only) $ config rule
Site-30 (rule) $ edit 1
Site-30 (1) $ set match-interface "port2"
Site-30 (1) $ next
Site-30 (rule) $ edit 2
Site-30 (2) $ set action deny
Site-30 (2) $ set match-ip-address "all_prefixes"
Site-30 (2) $ next
Site-30 (rule) $ end
Site-30 (port2_only) $ next
Site-30 (route-map) $ end
Site-30 $ config router bgp
Site-30 (bgp) $ set as 65000
Site-30 (bgp) $ set router-id 172.16.0.30
Site-30 (bgp) $ set ibgp-multipath enable
Site-30 (bgp) $ set graceful-restart enable
Site-30 (bgp) $ config neighbor
Site-30 (neighbor) $ edit "10.10.127.253"
Site-30 (10.10.127.253) $ set advertisement-interval 1
Site-30 (10.10.127.253) $ set capability-graceful-restart enable
Site-30 (10.10.127.253) $ set link-down-failover enable
Site-30 (10.10.127.253) $ set soft-reconfiguration enable
Site-30 (10.10.127.253) $ set description "HUB1-VPN2"
Site-30 (10.10.127.253) $ set interface "HUB1-VPN2"
Site-30 (10.10.127.253) $ set remote-as 65000
Site-30 (10.10.127.253) $ set connect-timer 10
Site-30 (10.10.127.253) $ next
Site-30 (neighbor) $ edit "10.10.191.253"
Site-30 (10.10.191.253) $ set advertisement-interval 1
Site-30 (10.10.191.253) $ set capability-graceful-restart enable
Site-30 (10.10.191.253) $ set link-down-failover enable
Site-30 (10.10.191.253) $ set soft-reconfiguration enable
Site-30 (10.10.191.253) $ set description "HUB1-VPN3"
Site-30 (10.10.191.253) $ set interface "HUB1-VPN3"
Site-30 (10.10.191.253) $ set remote-as 65000
Site-30 (10.10.191.253) $ set connect-timer 10
Site-30 (10.10.191.253) $ next
Site-30 (neighbor) $ edit "10.10.255.253"
Site-30 (10.10.255.253) $ set advertisement-interval 1
Site-30 (10.10.255.253) $ set capability-graceful-restart enable
Site-30 (10.10.255.253) $ set link-down-failover enable
Site-30 (10.10.255.253) $ set soft-reconfiguration enable
Site-30 (10.10.255.253) $ set description "HUB1-VPN4"
Site-30 (10.10.255.253) $ set interface "HUB1-VPN4"
Site-30 (10.10.255.253) $ set remote-as 65000
Site-30 (10.10.255.253) $ set connect-timer 10
Site-30 (10.10.255.253) $ next
Site-30 (neighbor) $ edit "10.10.63.253"
Site-30 (10.10.63.253) $ set advertisement-interval 1
Site-30 (10.10.63.253) $ set capability-graceful-restart enable
Site-30 (10.10.63.253) $ set link-down-failover enable
Site-30 (10.10.63.253) $ set soft-reconfiguration enable
Site-30 (10.10.63.253) $ set description "HUB1-VPN1"
Site-30 (10.10.63.253) $ set interface "HUB1-VPN1"
Site-30 (10.10.63.253) $ set remote-as 65000
Site-30 (10.10.63.253) $ set connect-timer 10
Site-30 (10.10.63.253) $ next
Site-30 (neighbor) $ end
Site-30 (bgp) $ config redistribute "connected"
Site-30 (connected) $ set status enable
Site-30 (connected) $ set route-map "port2_only"
Site-30 (connected) $ end
Site-30 (bgp) $ end


---> generating verification report
(vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase1-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase1-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase1-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: system sdwan health-check "HUB1_HC":members)
remote original: 0
to be installed:

<--- done generating verification report



------- Start to retry --------

Site-30 $ config vpn ipsec phase1-interface
Site-30 (phase1-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ unset proposal
Site-30 (HUB1-VPN1) $ next
Site-30 (phase1-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ unset proposal
Site-30 (HUB1-VPN2) $ next
Site-30 (phase1-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ unset proposal
Site-30 (HUB1-VPN3) $ next
Site-30 (phase1-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ unset proposal
Site-30 (HUB1-VPN4) $ next
Site-30 (phase1-interface) $ end
Site-30 $ config vpn ipsec phase2-interface
Site-30 (phase2-interface) $ edit "HUB1-VPN1"
Site-30 (HUB1-VPN1) $ unset proposal
Site-30 (HUB1-VPN1) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN2"
Site-30 (HUB1-VPN2) $ unset proposal
Site-30 (HUB1-VPN2) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN3"
Site-30 (HUB1-VPN3) $ unset proposal
Site-30 (HUB1-VPN3) $ next
Site-30 (phase2-interface) $ edit "HUB1-VPN4"
Site-30 (HUB1-VPN4) $ unset proposal
Site-30 (HUB1-VPN4) $ next
Site-30 (phase2-interface) $ end
Site-30 $ config system sdwan
Site-30 (sdwan) $ config health-check
Site-30 (health-check) $ edit "HUB1_HC"
Site-30 (HUB1_HC) $ unset members
Site-30 (HUB1_HC) $ next
Warning: health-check HUB1_HC does not have members. It may not work as expected.
Site-30 (health-check) $ end
Site-30 (sdwan) $ end


---> generating verification report
(vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase1-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase1-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase1-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN2":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN3":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN4":proposal)
remote original: des-md5 des-sha1
to be installed:

<--- done generating verification report


install failed

 

 

1 Solution
mpapisetty
Staff

Hi @BinhDien ,

Which model of FortiGate is this? I have seen this issue happen when a certain model of FortiGate is yet to be supported fully by FortiManager. The issue, as per the log, is that FortiManager is expecting the phase2-interface proposal to be unset, whereas the unset is not working when the verification report is being generated. FMG re-attempted to unset this and still failed, and hence the installation failed.

-Manoj Papisetty

BinhDien

Hi @mpapisetty 

Thanks for your reply.

I use FortiGate and FortiManager KVM for a practice lab, so I do not have a full support contract from Fortinet.

I'll reconfigure the phase2-interface before pushing the configuration to the FortiGate, and I'll let you know whether the problem is resolved or not.

 
BinhDien

I have reconfigured the phase2-interface proposal and it is resolved.

This is because a FortiGate with an evaluation license does not support the proposal created by FortiManager. I have changed it and the configuration push is done.

Thank you very much!
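
An added example, not part of the original thread and not Fortinet code: a small Python parser for the verification report format shown in the install log. It lists each attribute the device kept after the install and marks proposals that still contain DES, 3DES or MD5. The sample report is constructed from the log above, and the weak-transform list is this example's own assumption.

```python
import re

# Constructed sample: three entries in the format of the verification report above.
SAMPLE_REPORT = '''---> generating verification report
(vdom root: vpn ipsec phase1-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: vpn ipsec phase2-interface "HUB1-VPN1":proposal)
remote original: des-md5 des-sha1
to be installed:

(vdom root: system sdwan health-check "HUB1_HC":members)
remote original: 0
to be installed:

<--- done generating verification report
'''

# One entry: (vdom V: <cli path> "<object>":<attribute>) plus two value lines.
ENTRY = re.compile(
    r'^\(vdom (?P<vdom>\S+): (?P<path>.+?) "(?P<name>[^"]+)":(?P<attr>[\w-]+)\)\n'
    r'remote original:[ \t]*(?P<remote>.*)\n'
    r'to be installed:[ \t]*(?P<wanted>.*)$',
    re.MULTILINE,
)
# Assumption of this example: transforms treated as weak.
WEAK_PARTS = {"des", "3des", "md5"}


def parse_report(text):
    """Return one dict per attribute whose device value differs from FortiManager's."""
    return [m.groupdict() for m in ENTRY.finditer(text)]


def weak_transforms(entry):
    """Proposal tokens still on the device that use a weak cipher or hash."""
    if entry["attr"] != "proposal":
        return []
    return [t for t in entry["remote"].split() if WEAK_PARTS & set(t.split("-"))]


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        wanted = e["wanted"] or "<unset>"  # empty value: FortiManager expects it unset
        print(f'{e["path"]} "{e["name"]}" {e["attr"]}: device={e["remote"]!r} '
              f'wanted={wanted} weak={weak_transforms(e)}')
```

Run against a saved install log, this shows at a glance which objects failed verification and whether the device is still holding DES-only proposals, as in this thread.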
