Support Forum
Tomioka

IPsec aggregate with 2 WAN ISPs works but warning message remains

Hi community folks,

I'm currently trying to set up IPsec aggregate with 2 WAN ISP links.

After all the configuration (IPsec phase1-interface, phase2-interface, IPv4 policy, routes), both IPsec tunnels come up and actually it works perfectly as expected, except for the warning messages in the GUI.

Has someone experienced the same issues, or any tips to erase these warning messages?


===

Model: Fortigate-50E

FortiOS: v6.2.9 build1234 (GA) [* tried newest v6.2.10 build1263 (GA), but same]

Issues: Warning message remains in GUI

1. IPsec tunnels both up.

[screenshot: 1.IPsecTunnels.png]

2. IPsec aggregate members both show as "Phase2 tunnel is not configured". (Strange)

[screenshot: 2.IPsecTunnels_aggregate.png]

3. IPsec aggregate interface shows LinkDown, but is actually working. (Strange)

[screenshot: 3.IPsecInterface_down.png]

4. As a result of the interface LinkDown, the related IPv4 policy shows a warning, but is actually working. (Strange)

[screenshot: 4.Policy_warning.png]

===

Since I'm now working with a test environment (without a care support contract), I can't open a TAC ticket so far.

 

Thanks,

Tomioka

jintrah_FTNT
Staff

Hello,

Which browser are you using? Is this behavior seen on different browsers?

Best regards,
Jin

Tomioka

Hello Jin,

I've checked with Firefox and Google Chrome, but no luck.

Thanks,
Tomioka

jintrah_FTNT

Hi Tomioka,

Thanks for checking this from different browsers. The issue may be cosmetic and may be reported to support after gaining the required contracts.

Best regards,
Jin

Debbie_FTNT
Staff

Hey Tomioka,

You can also check for phase2 information via the CLI.

You can refer to this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955
In particular the 'diagnose vpn tunnel list' command might be of use; the 'src x.x.x.x dst y.y.y.y' entries would indicate what P2 selectors there are, and these might be missing if no P2 is established.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Tomioka

Hello Debbie,

Thank you for the suggestion. I've checked both tunnels.

It shows status sa=1 for both, looks fine to me...

FG50E # diagnose vpn tunnel list name AzureVWANph1A
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=AzureVWANph1A ver=2 serial=3 XXX.XXX.XXX.XXX:0->XXX.XXX.XXX.XXX:0 dst_mtu=1454
bound_if=33 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=10 ilast=5 olast=5 ad=/0
stat: rxp=5860 txp=7276 rxb=3004896 txb=594151
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=14004
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=AzureVWANph2A proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10001 type=00 soft=0 mtu=1390 expire=26055/0B replaywin=0
       seqno=27 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=26727/27000
  dec: spi=f372fdf6 esp=aes key=32 f9061937a795a90bdc23fdf95cd6312fd87e9fbc06296d8bcd6971d54a4XXXXX
       ah=sha1 key=20 e1dda2d640b383fdad20858458e06873d00XXXXX
  enc: spi=df67bb48 esp=aes key=32 ec2f5a2f355e116c30c9a67776b53577cf85c6484b96855f4b0e438afa6XXXXX
       ah=sha1 key=20 ce0dedc090d281e3513424e66bea307fb6aXXXXX
  dec:pkts/bytes=17/2756, enc:pkts/bytes=38/4912
run_tally=0

FG50E #


FG50E # diagnose vpn tunnel list name AzureVWANph1B
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=AzureVWANph1B ver=2 serial=4 XXX.XXX.XXX.XXX:0->XXX.XXX.XXX.XXX:0 dst_mtu=1454
bound_if=30 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/4608 options[1200]=frag-rfc  run_state=1 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=6 ilast=8 olast=8 ad=/0
stat: rxp=164 txp=0 rxb=42624 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=13770
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=AzureVWANph2B proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10000 type=00 soft=0 mtu=1390 expire=26647/0B replaywin=0
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=26731/27000
  dec: spi=f372fdf7 esp=aes key=32 e11422a64da2258840774dfa584d47e9da7f04157deb0e702c8aff01c08XXXXX
       ah=sha1 key=20 1ea87511a759bc1ca75f7cf22a9311d0a6fXXXXX
  enc: spi=146a657c esp=aes key=32 11064f035e143cba58d70a1349b18a50b30d64a41e3a9c2a581c4ed3867XXXXX
       ah=sha1 key=20 7bfbd88544c290d4e898fba281e65653c7eXXXXX
  dec:pkts/bytes=3/491, enc:pkts/bytes=0/0
run_tally=0

FG50E #

Thanks,
Tomioka
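A small parser, added here and not part of the thread or of Fortinet's tooling, that applies Debbie's check to 'diagnose vpn tunnel list' output: for each phase1 it collects the proxyid (phase2) entries with their sa count and src/dst selectors, then reports a tunnel with no phase2 entry at all, a phase2 with sa=0, or any/any (0.0.0.0/0) selectors like the ones in the output above. The sample is constructed to mirror the format in this thread, with placeholder names and addresses and without the key-material lines.

```python
import re

# Constructed sample modelled on the 'diagnose vpn tunnel list' output in the thread
# (placeholder addresses/names; the dec/enc key-material lines are deliberately left out).
SAMPLE = """\
name=ph1A ver=2 serial=3 192.0.2.1:0->198.51.100.1:0 dst_mtu=1454
bound_if=33 lgwy=static/1 tun=intf/0 mode=auto/1 run_state=1 accept_traffic=1 overlay_id=0
proxyid=ph2A proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0

name=ph1B ver=2 serial=4 192.0.2.1:0->198.51.100.2:0 dst_mtu=1454
bound_if=30 lgwy=static/1 tun=intf/0 mode=auto/1 run_state=1 accept_traffic=1 overlay_id=0
proxyid=ph2B proto=0 sa=0 ref=2 serial=1
  src: 0:10.0.0.0/255.0.0.0:0
  dst: 0:10.1.0.0/255.255.0.0:0
"""

def parse_tunnel_list(text):
    """Return {phase1 name: {"run_state": int, "phase2": [{name, sa, src, dst}, ...]}}."""
    tunnels, cur, p2 = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name=(\S+) ver=", line):          # start of a phase1 block
            cur = tunnels[m.group(1)] = {"run_state": None, "phase2": []}
        elif cur is None:
            continue
        elif m := re.search(r"run_state=(\d+)", line):
            cur["run_state"] = int(m.group(1))
        elif m := re.match(r"proxyid=(\S+) proto=\d+ sa=(\d+)", line):  # phase2 entry
            p2 = {"name": m.group(1), "sa": int(m.group(2)), "src": "", "dst": ""}
            cur["phase2"].append(p2)
        elif (m := re.match(r"(src|dst): (\S+)", line)) and p2 is not None:
            p2[m.group(1)] = m.group(2)                        # P2 selector
    return tunnels

WILDCARD = "0:0.0.0.0/0.0.0.0:0"   # selector form FortiOS prints for 0.0.0.0/0

def assess(tunnels):
    """Per phase1: the conditions the CLI check is looking for (empty list = P2 SA up)."""
    report = {}
    for name, t in tunnels.items():
        notes = []
        if not t["phase2"]:
            notes.append("no phase2 (proxyid) entry at all")
        for p2 in t["phase2"]:
            if p2["sa"] == 0:
                notes.append(f"{p2['name']}: phase2 present but no SA (sa=0)")
            if p2["src"] == WILDCARD and p2["dst"] == WILDCARD:
                notes.append(f"{p2['name']}: any/any selectors (0.0.0.0/0 both ways)")
        report[name] = notes
    return report
```

Run it with `assess(parse_tunnel_list(SAMPLE))`; on the thread's real output both tunnels would report only the any/any selectors, matching the sa=1 the poster saw.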
