There are two firewalls: Fortigate 110C, IOS 4.0 MR2, and Fortigate 60D, IOS 5.4. The tunnel on both firewalls is UP, but I can't ping from one to the other and I get lots of alert messages: R-U-THERE and R-U-THERE-ACK.
Please advise how to move further.
From the 110C:

```
ike 0:MY-P1: link is idle 8 222.92.126.250->1.9.117.134:500 dpd=1 seqno=44475
ike 0:MY-P1:906744: send IKEv1 DPD probe, seqno 279669
ike 0:MY-P1:906744: sent IKE msg (R-U-THERE): 222.92.126.250:500->1.9.117.134:500, len=92
ike 0:MY-P1: link is idle 8 222.92.126.250->1.9.117.134:500 dpd=1 seqno=44475
ike 0:MY-P1:906744: send IKEv1 DPD probe, seqno 279669
ike 0:MY-P1:906744: sent IKE msg (R-U-THERE): 222.92.126.250:500->1.9.117.134:500, len=92
ike 0: comes 1.9.117.134:500->222.92.126.250:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=847f080348a96231/4802adf211fb59ab:2fe6f516 len=92
ike 0: found MY-P1 222.92.126.250 8 -> 1.9.117.134:500
ike 0:MY-P1:906744: notify msg received: R-U-THERE-ACK
```
From the 60D:

```
ike 0: comes 222.92.126.250:500->1.9.117.134:500,ifindex=6....
ike 0: IKEv1 exchange=Informational id=847f080348a96231/4802adf211fb59ab:5af73bf1 len=92
ike 0: in 847F080348A962314802ADF211FB59AB081005015AF73BF10000005C5CC75FC160786D7CBE17B4BD146942E21394CA5DFF627221003868E4945F69BD80854A38F865A7588CBC1FFFD21BF02DD4EE7B2C97029C7E0DBEE6243DF42F3D
ike 0:MY-Suzhou:114270: dec 847F080348A962314802ADF211FB59AB081005015AF73BF10000005C0B000018656B601C1C88B2237E50EFC1DC9269F0E524758C000000200000000101108D28847F080348A962314802ADF211FB59AB0004447CCB4D3A73323DD907
ike 0:MY-Suzhou:114270: notify msg received: R-U-THERE
ike 0:MY-Suzhou:114270: enc 847F080348A962314802ADF211FB59AB081005015E15509C000000540B000018E3B219911C189CD2E72087EF8CB516E6CC99F35D000000200000000101108D29847F080348A962314802ADF211FB59AB0004447C
ike 0:MY-Suzhou:114270: out 847F080348A962314802ADF211FB59AB081005015E15509C0000005C245CE4F244895629BA9CBA816AA38B57D29F5639C89B8648B6563941A8A74A1058846A8103C096981DAB7E68F25D50C7F525D71A0425D736356E8FC361141B48
ike 0:MY-Suzhou:114270: sent IKE msg (R-U-THERE-ACK): 1.9.117.134:500->222.92.126.250:500, len=92, id=847f080348a96231/4802adf211fb59ab:5e15509c
ike 0: comes 222.92.126.250:500->1.9.117.134:500,ifindex=6....
ike 0: IKEv1 exchange=Informational id=847f080348a96231/4802adf211fb59ab:b0d1fb4c len=92
ike 0: in 847F080348A962314802ADF211FB59AB08100501B0D1FB4C0000005C2AB1B16D73DAC356AF343B6129E164B13E08BC09628BC6E0B5733141ED6A1F084F6567C4434F20F354D9E4A5F5A7ABA62C73471215BF58FF235471C7236FC8D3
ike 0:MY-Suzhou:114270: dec 847F080348A962314802ADF211FB59AB08100501B0D1FB4C0000005C0B000018E1FE5FD0DF679343B831831A57564E5A697F4A9C000000200000000101108D28847F080348A962314802ADF211FB59AB0004447D7DBB2710414B6807
ike 0:MY-Suzhou:114270: notify msg received: R-U-THERE
ike 0:MY-Suzhou:114270: enc 847F080348A962314802ADF211FB59AB08100501FD8D393E000000540B0000184A3CC979F90EE84ED1FC18A78D3F3BA53F0E31E3000000200000000101108D29847F080348A962314802ADF211FB59AB0004447D
ike 0:MY-Suzhou:114270: out 847F080348A962314802ADF211FB59AB08100501FD8D393E0000005CCA326BAFAB6E2F4BF6B294E3A33B8C935CB6A3CC45D0A80ED968D082C3DEA9227C7D0B5B35AF386FA46BD562AAB21094B893FDFC30A292546A97613DE0E18FDA
ike 0:MY-Suzhou:114270: sent IKE msg (R-U-THERE-ACK): 1.9.117.134:500->222.92.126.250:500, len=92, id=847f080348a96231/4802adf211fb59ab:fd8d393e
```
These messages are part of the DPD (dead peer detection) and as such not crucial for your problem.
If the policies are correct please check the phase2 subnets. If possible, post both here and we'll have a look.
Hi,

Phase 2 of the 60D:

```
config vpn ipsec phase2-interface
    edit "MY-Suzhou"
        set phase1name "MY-Suzhou"
        set proposal aes128-sha1
        set dhgrp 5
        set keepalive enable
        set comments "VPN: MY-Suzhou (Created by VPN wizard)"
        set keylifeseconds 28800
        set src-subnet 10.200.64.0 255.255.254.0
        set dst-subnet 10.198.96.0 255.255.252.0
    next
end
```

Phase 2 of the 110C:

```
config vpn ipsec phase2-interface
    edit "MY-P2"
        set keepalive enable
        set phase1name "MY-P1"
        set proposal aes128-sha1
        set dst-subnet 10.200.64.0 255.255.254.0
        set keylifeseconds 28800
        set src-subnet 10.198.96.0 255.255.252.0
    next
end
```
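The phase 2 comparison asked for in the reply above can be done mechanically. The following is an added example, not part of the original thread and not Fortinet tooling: it parses the two posted blocks (trimmed here to the settings being compared) and reports whether the selectors mirror each other and which settings differ. The function names are made up for this illustration, and "(not set)" means the unit falls back to its firmware default, which the thread does not state.

```python
import ipaddress
import re

# Phase 2 blocks from the two posts above, trimmed to the compared settings.
FGT_60D = '''config vpn ipsec phase2-interface
    edit "MY-Suzhou"
        set phase1name "MY-Suzhou"
        set proposal aes128-sha1
        set dhgrp 5
        set keylifeseconds 28800
        set src-subnet 10.200.64.0 255.255.254.0
        set dst-subnet 10.198.96.0 255.255.252.0
    next
end'''
FGT_110C = '''config vpn ipsec phase2-interface
    edit "MY-P2"
        set phase1name "MY-P1"
        set proposal aes128-sha1
        set dst-subnet 10.200.64.0 255.255.254.0
        set keylifeseconds 28800
        set src-subnet 10.198.96.0 255.255.252.0
    next
end'''

def parse_phase2(text):
    """Return {key: value} for every 'set key value' line of one phase 2 entry."""
    return {m[1]: m[2].strip() for m in re.finditer(r"^\s*set (\S+) (.+)$", text, re.M)}

def subnet(value):
    """'10.200.64.0 255.255.254.0' -> IPv4Network; strict=True rejects stray host bits."""
    addr, mask = value.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True)

def compare(a, b):
    """List differences worth reviewing between two phase 2 entries (empty = consistent)."""
    issues = []
    if subnet(a["src-subnet"]) != subnet(b["dst-subnet"]):
        issues.append("selector: A src-subnet != B dst-subnet")
    if subnet(a["dst-subnet"]) != subnet(b["src-subnet"]):
        issues.append("selector: A dst-subnet != B src-subnet")
    for key in ("proposal", "keylifeseconds", "dhgrp"):
        if a.get(key) != b.get(key):  # a key missing on one side uses that unit's default
            issues.append(f"{key}: A={a.get(key, '(not set)')} B={b.get(key, '(not set)')}")
    return issues

if __name__ == "__main__":
    for line in compare(parse_phase2(FGT_60D), parse_phase2(FGT_110C)) or ["consistent"]:
        print(line)
```

For the two posted blocks the selectors mirror each other and the proposal and key lifetime match; the only reported difference is that `dhgrp` is set explicitly on the 60D and not on the 110C.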
Hi,
Is the info enough to find the issue? Please help, thanks in advance!!!!!!!!!!
Hi,
Oh, after 1 week, nobody has answered my question. Did I buy the wrong firewall?