Hi FortiGate admins
I have two hosts interconnected via a third party IPsec, separated by a FortiGate.
When I use no-inspection in the FG's firewall policy I have the tunnel comes up and working fine.
When I use certificate inspection it doesn't come up and I see the below logs on the host.
000066725 ERROR (t=2001779) isakmp_inf.c: ignore information because the message has no hash payload.
000066726 ERROR (t=2001784) isakmp_inf.c: ignore information because ISAKMP-SA has not been established yet.
000066726 ERROR (t=2001788) isakmp.c: phase1 negotiation failed due to time up. d4427a2432ce119a:529f737158a30be8
000066726 ERROR (t=2001790) isakmp.c: phase2 negotiation failed due to time up waiting for phase1. ESP 10.10.20.30->10.20.30.40
The certificate inspection profile I'm using allows all and doesn't block any kind of certificate. FG logs show no traffic blocked.
Any idea why this happens?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @AEK ,
Are you using the built-in certificate ?
Maybe a packet capture can tell you more about the certificates that are being exchanged and why is not happy.
Have you tried to extend the timeout ?
Hi dbu
Thanks for the advice.. Sure we need some deeper troubleshooting here. I'll try comeback with more info.
I'll do as well. Thanks dbu.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.