Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser

IPsec phase1 negotiation fails due to certificate inspection

Hi FortiGate admins

I have two hosts interconnected via a third party IPsec, separated by a FortiGate.

When I use no-inspection in the FG's firewall policy, the tunnel comes up and works fine.

When I use certificate inspection it doesn't come up and I see the logs below on the host.

000066725 ERROR (t=2001779) isakmp_inf.c: ignore information because the message has no hash payload.
000066726 ERROR (t=2001784) isakmp_inf.c: ignore information because ISAKMP-SA has not been established yet.
000066726 ERROR (t=2001788) isakmp.c: phase1 negotiation failed due to time up. d4427a2432ce119a:529f737158a30be8
000066726 ERROR (t=2001790) isakmp.c: phase2 negotiation failed due to time up waiting for phase1. ESP 10.10.20.30->10.20.30.40

The certificate inspection profile I'm using allows all and doesn't block any kind of certificate. FG logs show no traffic blocked.

Any idea why this happens?

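An added example, not from the thread, that parses racoon-style isakmp log lines like the ones quoted above and produces a small triage summary: the ISAKMP cookie pair, the ESP selector, and which informational messages were discarded before an ISAKMP SA existed. The line format, field names and the sample lines are assumptions modelled on the question's output.

```python
import re

# Constructed sample, modelled on the lines quoted in the question (not real logs).
SAMPLE_LOG = """\
000066725 ERROR (t=2001779) isakmp_inf.c: ignore information because the message has no hash payload.
000066726 ERROR (t=2001784) isakmp_inf.c: ignore information because ISAKMP-SA has not been established yet.
000066726 ERROR (t=2001788) isakmp.c: phase1 negotiation failed due to time up. d4427a2432ce119a:529f737158a30be8
000066726 ERROR (t=2001790) isakmp.c: phase2 negotiation failed due to time up waiting for phase1. ESP 10.10.20.30->10.20.30.40
"""

# Assumed layout: <seq> <LEVEL> (t=<thread>) <source file>: <message>
LINE_RE = re.compile(r"^(?P<seq>\d+) (?P<level>\w+) \(t=(?P<tid>\d+)\) (?P<src>[\w.]+): (?P<msg>.*)$")
COOKIES_RE = re.compile(r"\b([0-9a-f]{16}):([0-9a-f]{16})\b")   # initiator:responder cookies
ESP_RE = re.compile(r"ESP (\S+)->(\S+)")                         # phase 2 selector


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise an IKE failure from a block of log lines.

    Informational messages ignored before the SA exists are the interesting part here:
    they show the peer's notifications never authenticated, so phase 1 could not complete.
    """
    summary = {"phase1_timeout": False, "phase2_timeout": False, "cookies": None,
               "esp": None, "ignored_info": [], "unparsed": 0}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            summary["unparsed"] += 1
            continue
        msg = rec["msg"]
        if msg.startswith("ignore information because "):
            summary["ignored_info"].append(msg.split("because ", 1)[1].rstrip("."))
        elif "phase1 negotiation failed" in msg:
            summary["phase1_timeout"] = True
            c = COOKIES_RE.search(msg)
            if c:
                summary["cookies"] = (c.group(1), c.group(2))
        elif "phase2 negotiation failed" in msg:
            summary["phase2_timeout"] = True
            e = ESP_RE.search(msg)
            if e:
                summary["esp"] = (e.group(1), e.group(2))
    return summary
```

Run it against the host's log, then compare the timestamps of the ignored informational messages with a capture of UDP/500 and UDP/4500 on the FortiGate to see whether the inspection policy is changing what the peer receives.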
4 REPLIES
dbu
Staff

Hi @AEK ,

Are you using the built-in certificate?

Maybe a packet capture can tell you more about the certificates that are being exchanged and why it is not happy.

Have you tried to extend the timeout?

Regards!
AEK

Hi dbu

Thanks for the advice. Sure, we need some deeper troubleshooting here. I'll try to come back with more info.

hbac
Staff

Hi @AEK,


Have you checked Security Events > SSL logs? 


Regards,

AEK

I'll do as well. Thanks dbu.
