Hi, everyone. I have two FortiGate firewalls (200E, 40F). I created an IPsec tunnel between the two of them. After some days the tunnel goes down and never comes back again. I must delete the tunnel on both devices and create a new tunnel again. I checked that my Internet connection is OK. When I debug the output of IPsec, it shows "request is on the queue" and "negotiation timeout".
I followed the FortiGate cookbook for creating an IPsec tunnel. I created phase1, phase2, two policies, and a static route.
FortiGate 200E has v6.4.7 build1911 (GA)
FortiGate 40F has v6.4.5 build1828 (GA)
===================Debug output=====================
This is the output of diagnose debug application ike -1:
tcci # diagnose debug enable
tcci # ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:13: negotiation timeout, deleting
ike 0:airport: connection expiring due to phase1 down
ike 0:airport: deleting
ike 0:airport: deleted
ike 0:airport: schedule auto-negotiate
ike shrank heap by 159744 bytes
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: created connection: 0x141412f0 17 xxx.xxx.43.114->xxx.xxx.185.68:500.
ike 0:airport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:500 negotiating
ike 0:airport: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:airport:14: out
ike 0:airport:14: sent IKE msg (SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:14: out
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:14: out
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:14: out
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:14: negotiation timeout, deleting
ike 0:airport: connection expiring due to phase1 down
ike 0:airport: deleting
ike 0:airport: deleted
ike 0:airport: schedule auto-negotiate
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: created connection: 0x141412f0 17 xxx.xxx.43.114->xxx.xxx.185.68:500.
ike 0:airport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:500 negotiating
ike 0:airport: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:airport:15: out
ike 0:airport:15: sent IKE msg (SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=c055f5fe2dbde397/0000000000000000
tcci # ike 0:airport:15: out
ike 0:airport:15: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=c055f5fe2dbde397/0000000000000000
tcci # diagnose de
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
========IPsec Configuration Phase1 ================
tcci # show vpn ipsec phase1-interface airport
config vpn ipsec phase1-interface
    edit "airport"
        set interface "wan1"
        set ike-version 2
        set local-gw xxx.xxx.43.114
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set dhgrp 5
        set nattraversal disable
        set remote-gw xxx.xxx.185.68
        set psksecret ENC
    next
end

config vpn ipsec phase1-interface
    edit "tcci"
        set interface "wan"
        set ike-version 2
        set local-gw xxx.xxx.185.68
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set dhgrp 5
        set nattraversal disable
        set remote-gw xxx.xxx.43.114
        set psksecret ENC
    next
end
======================Sniffer packets====================
tcci # diagnose sniffer packet any "host xxx.xxx.185.68"
interfaces=[any]
filters=[host xxx.xxx.185.68]
2.403202 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
2.429283 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
8.406283 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
8.431885 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
20.406906 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
20.440803 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
30.404825 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
30.460290 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
33.407891 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
33.429407 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
39.403850 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
39.425268 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304

12 packets received by filter
0 packets dropped by kernel
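The sniffer output in this post shows a 304-byte UDP/500 reply from the peer arriving after every 320-byte SA_INIT, yet the ike debug on the same box only ever logs sends and retransmits and never a received message. The script below is an added example, not code from this thread or from Fortinet: it parses both outputs (constructed sample input in the same format as above, with placeholder addresses 203.0.113.10 for the local FortiGate and 198.51.100.20 for the peer) and turns that comparison into one of four verdicts, so that "nothing comes back on the wire" (path or peer) is kept apart from "replies reach the interface but the IKE daemon never processes them" (something local is in the way) and from a plain negotiation failure.

```python
import re

# Constructed sample input in the format of "diagnose sniffer packet" and
# "diagnose debug application ike -1" output as shown in this thread. The public
# addresses are placeholders (203.0.113.10 = this FortiGate, 198.51.100.20 = peer).
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 198.51.100.20]
2.403202 203.0.113.10.500 -> 198.51.100.20.500: udp 320
2.429283 198.51.100.20.500 -> 203.0.113.10.500: udp 304
8.406283 203.0.113.10.500 -> 198.51.100.20.500: udp 320
8.431885 198.51.100.20.500 -> 203.0.113.10.500: udp 304
20.406906 203.0.113.10.500 -> 198.51.100.20.500: udp 320
20.440803 198.51.100.20.500 -> 203.0.113.10.500: udp 304
6 packets received by filter
0 packets dropped by kernel
"""

IKE_DEBUG = """\
ike 0:airport: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:airport:14: sent IKE msg (SA_INIT): 203.0.113.10:500->198.51.100.20:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport: request is on the queue
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): 203.0.113.10:500->198.51.100.20:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): 203.0.113.10:500->198.51.100.20:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:14: negotiation timeout, deleting
ike 0:airport: connection expiring due to phase1 down
"""

# One sniffer line: "<ts> <src>.<sport> -> <dst>.<dport>: udp <len>"
SNIFF_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)
# ike debug lines: what the daemon sent, what it received ("comes"), and timeouts
SENT_RE = re.compile(r"sent IKE msg \((?P<kind>[A-Za-z_]+)\): (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+")
COMES_RE = re.compile(r"^ike \d+: comes (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+")
TIMEOUT_RE = re.compile(r"^ike \d+:[^:]+:\d+: negotiation timeout")


def parse_sniffer(text, local_ip, peer_ip):
    """Count UDP/500 datagrams in each direction between local_ip and peer_ip."""
    out_count = in_count = 0
    for line in text.splitlines():
        m = SNIFF_RE.match(line.strip())
        if not m or m["sport"] != "500" or m["dport"] != "500":
            continue
        if m["src"] == local_ip and m["dst"] == peer_ip:
            out_count += 1
        elif m["src"] == peer_ip and m["dst"] == local_ip:
            in_count += 1
    return out_count, in_count


def parse_ike_debug(text, local_ip, peer_ip):
    """Count what the IKE daemon itself reports: sends, retransmits, receives, timeouts."""
    sent = retrans = received = timeouts = 0
    for line in text.splitlines():
        m = SENT_RE.search(line)
        if m and m["src"] == local_ip and m["dst"] == peer_ip:
            sent += 1
            if m["kind"].startswith("RETRANSMIT"):
                retrans += 1
            continue
        m = COMES_RE.match(line)
        if m and m["src"] == peer_ip and m["dst"] == local_ip:
            received += 1
        elif TIMEOUT_RE.match(line):
            timeouts += 1
    return sent, retrans, received, timeouts


def summarize(local_ip, peer_ip, sniffer_text, ike_text):
    """Correlate wire-level counts with daemon-level counts and pick a verdict."""
    wire_out, wire_in = parse_sniffer(sniffer_text, local_ip, peer_ip)
    sent, retrans, received, timeouts = parse_ike_debug(ike_text, local_ip, peer_ip)
    if not wire_out and not sent:
        verdict = "no_traffic"             # nothing was even attempted
    elif wire_out and not wire_in:
        verdict = "no_reply_on_wire"       # path or peer: nothing comes back
    elif wire_in and not received:
        verdict = "reply_not_seen_by_ike"  # replies arrive, ike never logs them: local issue
    elif timeouts:
        verdict = "negotiation_failure"    # both sides talk but phase1 still fails
    else:
        verdict = "healthy"
    return {"wire_out": wire_out, "wire_in": wire_in, "ike_sent": sent,
            "ike_retransmits": retrans, "ike_received": received,
            "timeouts": timeouts, "verdict": verdict}


if __name__ == "__main__":
    print(summarize("203.0.113.10", "198.51.100.20", SNIFFER_OUTPUT, IKE_DEBUG))
```

On the sample above the verdict is "reply_not_seen_by_ike": three SA_INIT sends, three 304-byte replies on the wire, zero "comes" lines in the daemon log. That is the signature of a local listener or local-in rule intercepting port 500 traffic rather than an ISP problem, and it is the case this thread eventually resolved.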
Try removing "local-gw" config. The IP you put in is not local.
Wait, it's local. But the purpose for this command is different. You shouldn't need it there. Then run the same debug on the other end. The ike debug you showed is not showing any receiving IKE messages.
Hi Toshi Esumi
I removed the local gateway and the result is the same as before.
This output belongs to the other side (FortiGate 40F):
tcci-Airport # config vdom
tcci-Airport (vdom) # edit root
current vf=root:0
tcci-Airport (root) # diagnose debug application ike -1
Debug messages will be on for 30 minutes.
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: responder received SA_INIT msg
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: received notify type FRAGMENTATION_SUPPORTED
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: incoming proposal:
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: proposal id = 1:
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: protocol = IKEv2:
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: encapsulation = IKEv2/none
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=ENCR, val=3DES_CBC
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=PRF, val=PRF_HMAC_SHA
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=DH_GROUP, val=ECP384.
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: matched proposal id 1
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: proposal id = 1:
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: protocol = IKEv2:
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: encapsulation = IKEv2/none
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=ENCR, val=3DES_CBC
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=PRF, val=PRF_HMAC_SHA
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=DH_GROUP, val=ECP384.
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: lifetime=86400
ike 0:f24a8652e7e9e4e1/0000000000000000:1100: SA proposal chosen, matched gateway tcci
ike 0:tcci: created connection: 0x1457df10 5 xxx.xxx.185.68->xxx.xxx.4.114:500.
ike 0:tcci:1100: processing notify type FRAGMENTATION_SUPPORTED
ike 0:tcci:1100: responder preparing SA_INIT msg
ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C000000280101000403000008010000030300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC485827ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C172115DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
ike 0:tcci:1100: sent IKE msg (SA_INIT_RESPONSE): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/49082e6cceeb65f0
ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_ei 24:65BCD9274CAF8B780FDBE8C32F42C4E6898F112EE7939532
ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_er 24:32695CA2AFEE8EC98BEBF834B6973F85A2CBC3EF2455437C
ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_ai 20:B0F00910680E144D1D0BD977813D4C075F605BCC
ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_ar 20:344EE467F3B0F5133EF10F089CB8E603A9DCE7E0
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
ike 0:tcci:airport-acc-lan: using existing connection
ike 0:tcci:airport-acc-lan: config found
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=f24a8652e7e9e4e1/0000000000000000 len=220
ike 0: in F24A8652E7E9E4E100000000000000002120220800000000000000DC2200002C00000028010100040300000801000003030000080200000203000008030000020000000804000014280000680014000046EE5FDF6CDCD3BD747CB940257493686AD0AC9A0BE61939D97B996A68ADE03AF32120896BEBCBFEEE2669AC2193351605103F3B95CAB537EB578140818AA3E99555200B9710F8220E3CC03F826A19EE7CDAC05817E305941BC3AC79E4B46353290000244AD0A8DD406E6F22740223B6452E91F357A27DE88C27D9DC0CA25F6242461E74000000080000402E
ike 0:tcci:1100: detected retransmit, resend last message
ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C000000280101000403000008010000030300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC485827ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C172115DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
ike 0:tcci:1100: sent IKE msg (retransmit): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/49082e6cceeb65f0
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
ike 0:tcci:airport-acc-lan: using existing connection
ike 0:tcci:airport-acc-lan: config found
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=f24a8652e7e9e4e1/0000000000000000 len=220
ike 0: in F24A8652E7E9E4E100000000000000002120220800000000000000DC2200002C00000028010100040300000801000003030000080200000203000008030000020000000804000014280000680014000046EE5FDF6CDCD3BD747CB940257493686AD0AC9A0BE61939D97B996A68ADE03AF32120896BEBCBFEEE2669AC2193351605103F3B95CAB537EB578140818AA3E99555200B9710F8220E3CC03F826A19EE7CDAC05817E305941BC3AC79E4B46353290000244AD0A8DD406E6F22740223B6452E91F357A27DE88C27D9DC0CA25F6242461E74000000080000402E
ike 0:tcci:1100: detected retransmit, resend last message
ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C000000280101000403000008010000030300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC485827ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C172115DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
ike 0:tcci:1100: sent IKE msg (retransmit): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/49082e6cceeb65f0
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
ike 0:tcci:airport-acc-lan: using existing connection
ike 0:tcci:airport-acc-lan: config found
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
ike 1: comes 81.7.3.167:500->192.168.230.1:500,ifindex=17....
ike 1: IKEv1 exchange=Informational id=3d6287aad87551e3/acf75414b3332a0e:0710e2a9 len=92
ike 1: in 3D6287AAD87551E3ACF75414B3332A0E081005010710E2A90000005C7E1F604937D71228B4F48B2607D84187D5EAE1930582C0BD891D5662DD7CF9768AA6574542C36A7D38E6E53CC28A1459BD28FF2E31637BB13106F214D3351B29
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
ike 0:tcci:airport-acc-lan: using existing connection
ike 0:tcci:airport-acc-lan: config found
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=f24a8652e7e9e4e1/0000000000000000 len=220
ike 0: in F24A8652E7E9E4E100000000000000002120220800000000000000DC2200002C00000028010100040300000801000003030000080200000203000008030000020000000804000014280000680014000046EE5FDF6CDCD3BD747CB940257493686AD0AC9A0BE61939D97B996A68ADE03AF32120896BEBCBFEEE2669AC2193351605103F3B95CAB537EB578140818AA3E99555200B9710F8220E3CC03F826A19EE7CDAC05817E305941BC3AC79E4B46353290000244AD0A8DD406E6F22740223B6452E91F357A27DE88C27D9DC0CA25F6242461E74000000080000402E
ike 0:tcci:1100: detected retransmit, resend last message
ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C000000280101000403000008010000030300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC485827ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C172115DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
ike 0:tcci:1100: sent IKE msg (retransmit): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/49082e6cceeb65f0
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
ike 0:tcci:airport-acc-lan: using existing connection
ike 0:tcci:airport-acc-lan: config found
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
ike 0:tcci:airport-acc-lan: using existing connection
ike 0:tcci:airport-acc-lan: config found
ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
ike 0:tcci:1100: negotiation timeout, deleting
ike 0:tcci: connection expiring due to phase1 down
ike 0:tcci: deleting
ike 0:tcci: deleted
ike 0:tcci: schedule auto-negotiate
ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT id=e690cff4228b72b7/0000000000000000 len=220
I would blame either or both sides' ISPs, because the response to SA_INIT doesn't seem to be reaching the other end, and it's retransmitting. I'm not sure why it comes up when you deconfigure/reconfigure the IPsec.
I would run the same debugging on both ends when you reconfigure it and it comes up. After that, I wouldn't have any more ways to debug, so I would open a ticket with TAC to get another set of eyes on it.
Wait a minute. You configured aes128-sha256, yet the 40F received 3des-sha384. Do you have a different set of IPsec configured on the 200E? Or another device under the same IP trying to establish a tunnel to the 40F? Something is fishy in your environment.
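The point raised in the post above is that the proposal the 40F actually received (3DES_CBC, AUTH_HMAC_SHA_96, DH group ECP384, as printed in its ike debug) is not what an aes128-sha256 / dhgrp 5 phase1 on the 200E would send. The script below is an added example, not code from this thread or from Fortinet: it parses the responder's "incoming proposal" block and the initiator's phase1-interface config (both constructed here in the formats shown on this page, with a placeholder SPI) and lists every transform the peer offered that the configuration would not have produced. Of the name mappings, 3DES_CBC, AUTH_HMAC_SHA_96 and ECP384 come from this thread; the other spellings are assumptions about how FortiOS prints those transforms and may need adjusting against a real device. Key length is not compared, because the debug output on this page does not show one.

```python
import re

# Constructed responder-side excerpt in the format of this thread's ike debug output
# (placeholder SPI). Only the first "incoming proposal" block is examined.
RESPONDER_DEBUG = """\
ike 0:0123456789abcdef/0000000000000000:1100: responder received SA_INIT msg
ike 0:0123456789abcdef/0000000000000000:1100: incoming proposal:
ike 0:0123456789abcdef/0000000000000000:1100: proposal id = 1:
ike 0:0123456789abcdef/0000000000000000:1100: protocol = IKEv2:
ike 0:0123456789abcdef/0000000000000000:1100: type=ENCR, val=3DES_CBC
ike 0:0123456789abcdef/0000000000000000:1100: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:0123456789abcdef/0000000000000000:1100: type=PRF, val=PRF_HMAC_SHA
ike 0:0123456789abcdef/0000000000000000:1100: type=DH_GROUP, val=ECP384.
ike 0:0123456789abcdef/0000000000000000:1100: matched proposal id 1
"""

# What the initiator's phase1 is supposed to send (values as in this thread, secrets omitted).
INITIATOR_PHASE1 = """\
config vpn ipsec phase1-interface
    edit "airport"
        set ike-version 2
        set proposal aes128-sha256
        set dhgrp 5
    next
end
"""

# FortiOS proposal tokens -> names as the ike debug prints them. 3DES_CBC,
# AUTH_HMAC_SHA_96 and ECP384 are taken from this thread; the other spellings are
# an ASSUMPTION about FortiOS output. AES key length is not carried, so aes128 and
# aes256 both map to AES_CBC (the page's log shows no key-length line to parse).
ENCR_NAMES = {"3des": "3DES_CBC", "aes128": "AES_CBC", "aes192": "AES_CBC", "aes256": "AES_CBC"}
INTEG_NAMES = {"sha1": "AUTH_HMAC_SHA_96", "sha256": "AUTH_HMAC_SHA2_256_128",
               "sha384": "AUTH_HMAC_SHA2_384_192", "sha512": "AUTH_HMAC_SHA2_512_256"}
# dhgrp number -> IANA group name (MODP groups from RFC 3526, ECP groups from RFC 5903).
DH_NAMES = {"2": "MODP1024", "5": "MODP1536", "14": "MODP2048", "19": "ECP256",
            "20": "ECP384", "21": "ECP521"}

ATTR_RE = re.compile(r"type=(?P<type>[A-Z_]+), val=(?P<val>[A-Za-z0-9_]+)")


def parse_incoming_proposal(debug_text):
    """Return {transform type: set of values} for the first incoming proposal block."""
    observed = {}
    inside = False
    for line in debug_text.splitlines():
        if "incoming proposal:" in line:
            inside = True
            continue
        if inside and "matched proposal" in line:
            break
        if inside:
            m = ATTR_RE.search(line)
            if m:
                observed.setdefault(m["type"], set()).add(m["val"])
    return observed


def parse_phase1(config_text):
    """Extract the expected transform names from a FortiOS phase1-interface block."""
    expected = {"ENCR": set(), "INTEGR": set(), "DH_GROUP": set()}
    for line in config_text.splitlines():
        words = line.split()
        if words[:2] == ["set", "proposal"]:
            for token in words[2:]:                 # e.g. "aes128-sha256"
                enc, _, auth = token.partition("-")
                expected["ENCR"].add(ENCR_NAMES.get(enc, enc.upper()))
                expected["INTEGR"].add(INTEG_NAMES.get(auth, auth.upper()))
        elif words[:2] == ["set", "dhgrp"]:
            for grp in words[2:]:
                expected["DH_GROUP"].add(DH_NAMES.get(grp, grp))
    return expected


def proposal_mismatches(debug_text, config_text):
    """List (type, observed value, expected values) where the peer's offer is not in config."""
    observed = parse_incoming_proposal(debug_text)
    expected = parse_phase1(config_text)
    mismatches = []
    for ttype, values in observed.items():
        if ttype not in expected:      # PRF follows from the integrity choice; not configured
            continue
        for val in sorted(values):
            if val not in expected[ttype]:
                mismatches.append((ttype, val, sorted(expected[ttype])))
    return mismatches


if __name__ == "__main__":
    for ttype, seen, wanted in proposal_mismatches(RESPONDER_DEBUG, INITIATOR_PHASE1):
        print(f"{ttype}: peer offered {seen}, config would send {wanted}")
```

Run against the values from this thread it reports all three of ENCR, INTEGR and DH_GROUP as mismatched, which is the evidence that what arrives at the responder is not what the expected configuration produces; against a config of 3des-sha1 with dhgrp 20 it reports nothing.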
Just for the test, I changed the encryption algorithm. Both sides are using the same encryption and authentication.
I know my ISP doesn't have a problem, because I have another FortiGate 40F (same firmware) and created multiple IPsec connections with other branches, and everything works fine. On the FortiGate 200E, I have two other IPsec connections: one of them connects over a WiFi link to another site and the IPsec connection is established (FortiGate-to-FortiGate), and the other connects via my ISP to other branches (FortiGate to MikroTik).
Hi Toshi Esumi
I solved my problem. Actually, SSL VPN was configured to listen on port TCP 500. I changed this port number, and the problem was solved.
Thanks for responding
I have a little bit of an idea of it, but I would like to learn more. Thank you!
Copyright 2024 Fortinet, Inc. All Rights Reserved.