Support Forum
malachykidd
New Contributor

Interface Validation failure on zone used for IPSec VPN -- cannot update policy

I have a new FortiManager (5.4.4) and FortiGate (81E, 5.4.5) deployment. The 81E was configured before it was added to FortiManager, and it has an IPSec VPN tunnel to a Juniper SSG firewall at a remote site. The 81E added to FortiManager without error.

On the 81E, the tunnel interface ("vpn_to_aa") is mapped to a dedicated VPN zone ("vpn-s2s"), and is the only interface in that zone.

When I attempt to apply an updated policy from FortiManager, I receive an error that vpn-s2s is unmapped and that I need to select a device interface. Re-selecting the VPN tunnel interface causes the error to loop.

Specifically, when I apply the policy using the Install Wizard, I receive the error, "The following ADOM interfaces have no mapping. All ADOM interfaces should be mapped before continue with installation," and I am presented with a line listing the Device Name, the Unmapped Interface, and a drop-down list box to select the Device Interface. (See https://ibb.co/d7xOMG)

Alternatively, when I apply the policy using the "Re-install Policy" option, I receive a slightly different window / response. The first window states "Zone Validation Failed" and offers a button for "Details." Clicking the Details button presents a window titled Validation Details, with a line "Device Name / Unmapped Interface / Device Interface" identical to the Install Wizard method. (See https://ibb.co/dHb6ab and https://ibb.co/n3EngG) This process eventually fails with Status "install and save finished status=FAILED," and the Install History reports "get-post-checksum fail." (See https://ibb.co/eCh7gG) In fact, it removed the vpn-s2s policies from the firewall and may have changed some phase-two settings for the IPSec tunnel.

We're migrating from Juniper SSG firewalls, and our standard configuration with SSG is to bind the VPN tunnel interfaces to a single zone, which allows us to maintain multiple VPN tunnels with a single set of policies referencing the zone. I would like to use a similar configuration with FortiGate.

I would really like to manage everything through VPN Manager, but I'm having difficulty making that work -- I'll address it in a separate post. In the meantime, we have many Juniper SSG firewalls deployed that we need to work with, as we replace them.

Any tips or suggestions about how to get FortiManager to play nice with custom IPSec tunnels -- assuming that's possible?

Thanks,

Justin

 

chall_FTNT
Staff

What does "Policy & Objects > Objects Configurations > Interfaces" menu show as the mapping for "vpn-s2s" for this FortiGate?

Chris Hall
Fortinet Technical Support
malachykidd

chall,

Per-Device Mappings shows "cdm-firewall-01 ( root :( vpn_to_aa,vpn_to_seas" and "dcc-firewall-01 ( root :( vpn_to_aa"

Justin
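The rows quoted above are the per-device mapping table that the Install Wizard's "no mapping" check is evaluated against: each ADOM-level name the policy package references (here the zone vpn-s2s) must resolve to at least one interface on the target device, and that interface must actually exist there. The following is an added editorial example, not code from the thread, from FortiManager, or from Fortinet; it models that pre-install check offline so the two ways it can fail can be seen side by side. The row format "<device> ( <vdom> :( <iface>,..." is an assumption taken from the two rows Justin quoted; the "lan" and "wan" rows, the policy package's reference set, and the device inventories are constructed test data.

```python
"""Offline model of FortiManager's ADOM interface/zone mapping pre-install check.

Added example; not FortiManager code. Row format and all data except the two
vpn-s2s rows quoted in the thread are assumptions or constructed test input.
"""
import re

# Assumed row shape, taken from the quoted UI output:
#   "<device> ( <vdom> :( <iface>[,<iface>...]"
MAPPING_LINE_RE = re.compile(
    r"^\s*(?P<device>\S+)\s*\(\s*(?P<vdom>\S+?)\s*:\(\s*(?P<ifaces>[^)]*)"
)


def parse_mapping_line(line):
    """Split one UI mapping row into (device, vdom, [device interfaces])."""
    m = MAPPING_LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised mapping row: {line!r}")
    ifaces = [i.strip() for i in m.group("ifaces").split(",") if i.strip()]
    return m.group("device"), m.group("vdom"), ifaces


def build_mapping_table(ui_rows):
    """{adom_name: [row, ...]} -> {adom_name: {(device, vdom): [iface, ...]}}."""
    table = {}
    for adom_name, rows in ui_rows.items():
        per_device = {}
        for row in rows:
            device, vdom, ifaces = parse_mapping_line(row)
            per_device.setdefault((device, vdom), []).extend(ifaces)
        table[adom_name] = per_device
    return table


def find_unmapped(package_refs, table, device, vdom="root", inventory=None):
    """Return sorted (adom_name, reason) pairs that would block an install.

    Two failure modes are reported: an ADOM interface with no mapping for the
    target device at all (the Install Wizard's prompt), and a mapping whose
    member interface no longer exists on the device, which is what a stale
    tunnel name looks like after the tunnel was rebuilt by hand. The second
    check only runs when a device inventory is supplied.
    """
    problems = []
    for name in sorted(package_refs):
        members = table.get(name, {}).get((device, vdom), [])
        if not members:
            problems.append((name, "no mapping"))
            continue
        if inventory is not None:
            present = inventory.get((device, vdom), set())
            missing = [i for i in members if i not in present]
            if missing:
                problems.append(
                    (name, "mapped interface not present on device: " + ",".join(missing))
                )
    return problems


UI_ROWS = {
    "vpn-s2s": [  # the two rows quoted in the thread
        "cdm-firewall-01 ( root :( vpn_to_aa,vpn_to_seas",
        "dcc-firewall-01 ( root :( vpn_to_aa",
    ],
    "lan": [  # constructed
        "cdm-firewall-01 ( root :( internal",
        "dcc-firewall-01 ( root :( internal",
    ],
    "wan": [  # constructed: deliberately no row for dcc-firewall-01
        "cdm-firewall-01 ( root :( wan1",
    ],
}
PACKAGE_REFS = {"vpn-s2s", "lan", "wan"}  # constructed: names the policy package references
DEVICE_INVENTORY = {  # constructed: on dcc-firewall-01 the tunnel was recreated under a new name
    ("cdm-firewall-01", "root"): {"internal", "wan1", "vpn_to_aa", "vpn_to_seas"},
    ("dcc-firewall-01", "root"): {"internal", "wan1", "vpn_to_aa_v2"},
}
MAPPING_TABLE = build_mapping_table(UI_ROWS)

if __name__ == "__main__":
    for dev in ("cdm-firewall-01", "dcc-firewall-01"):
        issues = find_unmapped(PACKAGE_REFS, MAPPING_TABLE, dev, inventory=DEVICE_INVENTORY)
        print(dev, "OK" if not issues else issues)
```

Running it reports cdm-firewall-01 as clean and flags two distinct problems on dcc-firewall-01: "wan" has no mapping at all, and "vpn-s2s" is mapped to a tunnel interface the device no longer has. Distinguishing the two matters in practice, because re-selecting the interface in the wizard only fixes the first kind; the second has to be corrected on the device or in the mapping before an install will stop looping, and neither check replaces a review of the device revision diff before a push that can remove live policies.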

malachykidd

chall,

After reading a link (https://forum.fortinet.com/FindPost/150794) in a reply to another post, by heskez, I upgraded FortiManager to 5.6 and was able to successfully apply the policy to the device; it looks like my problem was part of the inability of 5.4 to work with non-VPN-Central-Management tunnels.

Thank you for your reply.

Justin

chall_FTNT

I see. So this is for an ADOM in which you had enabled "Central VPN"? In which case, that is true. The restriction was lifted in FMG 5.6 to allow manual configuration of VPNs in a Central VPN ADOM.

Chris Hall
Fortinet Technical Support
scao_FTNT
Staff

Not sure if you have enabled the workspace function on your FMG?

Thanks

Simon
