Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
woytass
New Contributor

IPSEC ISAKMP SA still negotiating

Hi, I have a problem with IPSec. I have 3 locations. Both of them are working well. On the third location I have the same settings but the tunnel can't be established. Phase 1 is OK in the log, but next:
 IPsec SA connect 4 x.x.x.x->x.x.x.x:0
 using existing connection
 config found
 IPsec SA connect 4 x.x.x.x->x.x.x.x:500 negotiating
 ISAKMP SA still negotiating, queuing quick-mode request
 
emnoc
Esteemed Contributor III

ISAKMP SA still negotiating, queuing quick-mode request
Suggestion: Are you sure NAT-T is not an issue or needs to be enabled at the third location?

PCNSE NSE StrongSwan
woytass
New Contributor

I tried with nat enable and nat disable - same error.
emnoc
Esteemed Contributor III

When you say NAT enable/disable, do you mean NAT-T under your phase1 IPsec configuration? Also, on the branch that's not working, have you double and triple checked the configuration? Lastly, I would start some diags on that branch. You can use this blog that I created:

http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

And concentrate on phase1 diagnostics 1st:

 diag debug app ike filter name "phase1-name"
 diag debug app ike -1
 diag debug enable

A packet capture on the WAN interface would also be helpful to ensure packets are being sent and received for the 2 ike-gateways:

 diag sniffer packet wan1 "port 500 or 4500"

Place the correct vpn-uplink interface (WAN1, WAN2, etc.). Make sure that interface is configured in your phase1 configuration.

PCNSE NSE StrongSwan
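
An added example, not part of the thread or of emnoc's blog: one way to read the result of the suggested `diag sniffer packet wan1 "port 500 or 4500"` capture and see whether IKE packets flow in both directions between the two gateways. The line format matched by the regex, the function names, and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed sniffer line shape: "<time> <src-ip>.<sport> -> <dst-ip>.<dport>: udp <len>"
LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+): udp")

def summarize(capture, local_ip, peer_ip):
    """Count IKE packets per (direction, port) between the two IKE gateways."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if {src, dst} != {local_ip, peer_ip}:
            continue  # traffic for some other tunnel
        direction = "sent" if src == local_ip else "received"
        # UDP 4500 means the exchange floated to NAT-T encapsulation.
        port = 4500 if 4500 in (sport, dport) else 500 if 500 in (sport, dport) else None
        if port:
            counts[(direction, port)] += 1
    return counts

def diagnose(counts):
    """Turn the counts into a short verdict to guide the next check."""
    sent = counts[("sent", 500)] + counts[("sent", 4500)]
    received = counts[("received", 500)] + counts[("received", 4500)]
    if not sent and not received:
        return "no-ike-traffic"   # wrong interface sniffed or bound in phase1?
    if sent and not received:
        return "one-way-out"      # requests leave, peer replies never arrive
    if received and not sent:
        return "one-way-in"       # peer is heard, local gateway is not answering
    nat_t = counts[("sent", 4500)] or counts[("received", 4500)]
    return "two-way-nat-t" if nat_t else "two-way-500-only"

# Constructed sample: local gateway retransmits on UDP 500, nothing comes back.
SAMPLE_ONE_WAY = """\
0.000000 192.0.2.1.500 -> 198.51.100.7.500: udp 292
3.010224 192.0.2.1.500 -> 198.51.100.7.500: udp 292
9.020519 192.0.2.1.500 -> 198.51.100.7.500: udp 292
"""
# Constructed sample: exchange starts on 500 and floats to 4500 in both directions.
SAMPLE_NAT_T = """\
0.000000 192.0.2.1.500 -> 198.51.100.7.500: udp 292
0.041377 198.51.100.7.500 -> 192.0.2.1.500: udp 276
0.052810 192.0.2.1.4500 -> 198.51.100.7.4500: udp 112
0.093455 198.51.100.7.4500 -> 192.0.2.1.4500: udp 96
"""

if __name__ == "__main__":
    for name, cap in (("one-way", SAMPLE_ONE_WAY), ("nat-t", SAMPLE_NAT_T)):
        print(name, diagnose(summarize(cap, "192.0.2.1", "198.51.100.7")))
```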