betodejj
New Contributor II

IPsec VPN - Duplicated Phase 2 Selectors

Hi Community,

We have 2 IPsec Tunnels (Tunnel 10 and Tunnel 20) between Fortigates (Remote and Concentrator) with only 1 Phase 2 Selector configured and auto-negotiate disabled. Both tunnels are working as expected, and we have connectivity from both sides.

Tunnel 10 is presenting 2 Phase-2 Selectors via GUI and CLI, where the first Phase-2 is UP and the second one is DOWN. We have already deleted the entire Phase 2 Interface and reconfigured it, restarted the entire cluster (A-P), and nothing helps.

We really don't understand why there are 2 Phase Selectors in a scenario where we have only 1 configured. Please, any idea how to troubleshoot and solve this issue?

FortiOS 6.4.11, and keep in mind that Tunnel 20 with the same setup on the same device does not have this issue, and we have several other FGTs with the same setup that are also not presenting this issue.

I really appreciate any comments, thank you!

tks
1 Solution
betodejj
New Contributor II

Problem solved! There was a Destination Address mismatch between the FGTs, where we had x.x.x.0 instead of x.x.x.128, so the Remote FGT set the original Phase 2 Selectors DOWN, automatically creating another Phase 2 Selector excluding the wrong network. After adjusting the object, the Phase 2 Selectors were adjusted automatically, leaving only one there!

tks
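An added example, not part of the original post and not Fortinet code: a small offline check for the kind of mismatch described in the solution, comparing the Phase 2 selectors configured on each peer to confirm they mirror each other. The function names, the dictionary layout, the /25 and /24 prefix lengths and the addresses are assumptions made for illustration (the post only gives x.x.x.0 and x.x.x.128).

```python
import ipaddress


def _net(cidr):
    # strict=True raises ValueError for entries such as 192.0.2.128/24 (host bits set)
    return ipaddress.ip_network(cidr, strict=True)


def relation(a, b):
    """Classify two selector networks as 'match', 'overlap' or 'disjoint'."""
    if a == b:
        return "match"
    if a.version != b.version:
        return "disjoint"
    # CIDR blocks either nest or do not touch at all
    if a.subnet_of(b) or b.subnet_of(a):
        return "overlap"
    return "disjoint"


def compare_selectors(local, remote):
    """Each peer is {'src': cidr, 'dst': cidr} as configured on that device.
    A correct pair is mirrored: local src == remote dst and local dst == remote src.
    Returns one finding per side that does not mirror."""
    findings = []
    for mine, theirs in (("src", "dst"), ("dst", "src")):
        a, b = _net(local[mine]), _net(remote[theirs])
        rel = relation(a, b)
        if rel != "match":
            findings.append((f"local {mine}", str(a), f"remote {theirs}", str(b), rel))
    return findings


# Constructed sample values (documentation ranges), modelled on the x.x.x.0 vs x.x.x.128 case
REMOTE_FGT = {"src": "10.10.10.0/24", "dst": "192.0.2.0/25"}      # wrong destination object
CONCENTRATOR = {"src": "192.0.2.128/25", "dst": "10.10.10.0/24"}
REMOTE_FGT_FIXED = {"src": "10.10.10.0/24", "dst": "192.0.2.128/25"}

if __name__ == "__main__":
    for finding in compare_selectors(REMOTE_FGT, CONCENTRATOR):
        print("MISMATCH:", *finding)
    print("after fix:", compare_selectors(REMOTE_FGT_FIXED, CONCENTRATOR) or "selectors mirror")
```

Running this against the address objects exported from both peers before bringing a tunnel up flags a destination object that does not mirror the other side's source.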
