Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

IPsec Site-to-Site problem - request is on the queue

hello guys, I noticed a problem with my FG VPN with a Cisco Firewall.. Tunnel was down and it did not coming UP... In the debug i caught it: ike 0:VPN:VPN P2: IPsec SA connect 5> ike 0:VPN:VPN P2: using existing connection ike 0:VPN:VPN P2: config found ike 0:VPN: request is on the queue In the GUI, VPN, IPsec Monitor I saw the tunnel more than 44150 second UPs (uptime) I though it very weird... I changed the Peer of the VPN, and it " refreshed" ... I changed again to the correct peer, and it came up.. With seconds started... I think FG " locked" something... This is my version: v5.0,build0252 (GA Patch 5) Anyone has any idea? Thanks!
New Contributor

New Contributor

Hello Dimago, i want to setting up a site to multisites vpn with fortigate at the head office and another 2 offices with cisco firewall. can you tell me what type of vpn policy you have been using for setting the vpn. have you use policy base or route base policy. thanks
New Contributor

my firmware version 5 patch 5 i only see option to configure route base policy not policy base. on the gui also i only find option to enable vpn that' s it.
New Contributor

Silver, Well, I created phase 1 and Phase 2 by default, using the left menu VPN and after Auto Key (IKE). For sure, I did not see that option you said. If you give me a print maybe I can take a look. Diego
New Contributor

okay have you select interface mode while create phase 1 or what. have you configure two policy for each direction with only accept or have you create 1 policy as ipsec tunnel
Esteemed Contributor III

Do you have a route in place ? Did you do any diag debug flow diag debug app ike ? Where is your fortigate configs? Where is your cisco configs & show cmd outputs ? You can use this link for some ideals on the proper steps in a fgt lan2lan vpn t-shooting steps;




PCNSE NSE StrongSwan
New Contributor

Hello Experts,

i have the same problem. i mean during site to site vpn on 60 D. I configured in interface mode. all steps successfully configured, i mean, first phase 1, then phase 2 , then addresses i created for local lan and remote lan then 2 policies i created , one for local and one for remote, after that when i check in ipsec moniter. tunnel is not up. when i checked in log file of vpn. it says 'ipsec phase 1 negotiate success.' you can find the out puts in attachment. and in cli when i run the command "diag debug application ike 255.

it shows me the following out put.

ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: using existing connection ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: config found ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: IPsec SA connect 6> negotiating ike 0:Fuj_FCA_VPN:5446:FCA_IPSEC_VPN_P2.:5443: ISAKMP SA still negotiating, queuing quick-mode request ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: IPsec SA connect 6>



I need urgent help from experts please. this is my email address.

awaiting for your kind reply.


Hello Sohrab,


is it possible to post your configuration? or at least the vpn/policy/routing sections?

Johan Witters

Network & Security Engineer




Johan Witters Network & Security Engineer FCNSP V4/V5 BKM NV

Weird bug.. I had the same issue with the same error going to an AWS VPN connection.  I re-pointed the tunnel to a bad IP, saved, then pointed it back while watching the debug.  The connection dropped, the related policies were disabled, then when I pointed the tunnel back to the correct IP it reconnected and all policies enabled.  Since then everything is working great.  This tunnel has been up for about a month before this issue.  Another interesting thing is the "monitor" didn't fail over to the other redundant tunnel.  It's almost like this tunnel was locked up but the FW didn't know it failed to bring up the secondary.

Top Kudoed Authors