qmars
New Contributor

IPsec tunnel phase 1 connection problem between 2 Fortigate 100E : no suitable IKE_SA

Hello everyone,

We have 2 WANs in each DC and run 2 IPsec tunnels between them. The configurations are exactly the same and the tunnel on Wan2 is working fine, but the tunnel on Wan1 is down. I checked all the settings in both DCs and compared them with the second tunnel: no difference.

The VPN between 89.202.64.10 and 88.84.138.2 does not start. What we have checked until now:

* both IPs are pingable from the internet and from / to each other
* we run other VPNs on these IPs (to the other DC)
* they are part of our SD-WAN to the internet

For us the IPs are fine. Then we traced IKE traffic (port 500) between the 2 IPs. We just see outgoing traffic from both IPs as initiators to the other IP. But the traffic does not arrive on the other IP! We cross-checked with the other IPs in the same DCs (89.202.64.14 and 88.84.138.6) and here we see in- and outgoing traffic. There is permanently ongoing IKE traffic on port 500 so you can trace where it ends.

I have attached a PDF file with all of the configs on both sides and also the results of some debug commands.

I can see this message as an error in the debug:

no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation

 

Many thanks for your help and support
