- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Ipsec site-to-site: Intermittent communication on ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ipsec site-to-site: Intermittent communication on some networks
Hello,
I'm having a problem with a site-to-site IPsec connection that I'm not able to identify. I've implemented Fortigate(7.0.8) recently, my tunnel with checkpoint is up.
I surrender my network 192.168.0.0/16
For the remote network there are 5 networks 172.22.100.0/24, 10.91.1.0/24, 10.20.4.0/24, 172.18.10.0/24 and 172.18.222.0/24
(IPs changed from the real ones)
I created a nammed address with these networks and declared the group for the remote network and local network in the IPsec tunnel.
All settings are the same on both ends. The connection is established in two phases.
But intermittently, the remote network does not reach my network 192.168.2.0/24 (which is within my /16 network). And nothing arrives in the fortigate log either.
I can reach all remote networks.
In Events, I have several messages like
Action: Error
Status: esp_error
Mensage: IPsec ESP
Error Number: Received ESP packet with unknown SPI.
Action: Negotiate
Status: failure
Mensage: Progress IPsec phase 2
# diagnose vpn tunnel list name VPN-Checkpoint
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN-Checkpoint ver=1 serial=8 myPeer:0->peerCheckpoint:0 tun_id=peerCheckpoint tun_id6=::peerCheckpoint dst_mtu=1500 dpd-link=on weight=1
bound_if=36 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=5 ilast=0 olast=0 ad=/0
stat: rxp=243142 txp=347748 rxb=262802112 txb=65092694
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-Checkpoint proto=0 sa=4 ref=161 serial=8 auto-negotiate
src: 0:192.168.0.0-192.168.255.255:0
dst: 0:172.22.100.0-172.22.100.255:0 0:10.91.1.0-10.91.1.255:0 0:10.20.4.0-10.20.4.255:0 0:172.18.10.0-172.18.10.255:0 0:172.18.222.0-172.18.222.255:0
SA: ref=6 options=18027 type=00 soft=0 mtu=1438 expire=3281/0B replaywin=2048
seqno=d5b esn=0 replaywin_lastseq=00000240 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3330/3600
dec: spi=f4b4e39b esp=aes key=32 1b360d5d9567674c3db25ee972bb3f957d28e20f5783abf1aee164a103feaa7c
ah=sha256 key=32 5cc80de75fe6e2adfda3651ac5e35f41433e176ba43697039eafea058e759052
enc: spi=e86ad075 esp=aes key=32 732da87208f254634f62b64f20197e2dc156e042de9bdedf5dd6a6c285bac052
ah=sha256 key=32 9f3d3acea3d980e47432ce5c553d3047f7457afdb46f91c2e5cd0cfc0d866474
dec:pkts/bytes=576/15506, enc:pkts/bytes=5664/437638
npu_flag=03 npu_rgwy=peerCheckpoint npu_lgwy=myPeer npu_selid=19 dec_npuid=1 enc_npuid=1
SA: ref=4 options=18027 type=00 soft=0 mtu=1438 expire=3281/0B replaywin=2048
seqno=407 esn=0 replaywin_lastseq=00000240 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3330/3600
dec: spi=f4b4e39a esp=aes key=32 5589095946ff49b077ebc1ced6949ddf5e25cfe1c14723d8b6d6de3a0debd308
ah=sha256 key=32 7b83baf6ec0e84402ab2ba633b488f27bf8ce513e35281c96101e1db40997bfc
enc: spi=f910ad5a esp=aes key=32 adcc73cd49584941932dbeca95fde11265369274a996c1936813335df79b9411
ah=sha256 key=32 e90cc7354d8bf15440a107d5640047dd5de001224bcebbb7fc28ee30f8649b82
dec:pkts/bytes=576/16224, enc:pkts/bytes=12/1097
npu_flag=02 npu_rgwy=peerCheckpoint npu_lgwy=myPeer npu_selid=19 dec_npuid=1 enc_npuid=1
SA: ref=4 options=18027 type=00 soft=0 mtu=1438 expire=3283/0B replaywin=2048
seqno=404 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3332/3600
dec: spi=f4b4e399 esp=aes key=32 edc24506f9964949993a6d017dc983c2fde158af2c8ee07040519d4613739ee8
ah=sha256 key=32 352846c4ef25a1987937cc60c51fb95b209ef3f46faea5361d31dff82b5471c8
enc: spi=3b61e47a esp=aes key=32 2d5b5397ff09c482905da25a7492ddf125caa817140d0f367b6b057094e00a94
ah=sha256 key=32 b73bc4ce2bf133062d564b4c6b65dadc523f6d995cdaf3995a695e5b69ce7760
dec:pkts/bytes=0/0, enc:pkts/bytes=6/472
npu_flag=02 npu_rgwy=peerCheckpoint npu_lgwy=myPeer npu_selid=19 dec_npuid=1 enc_npuid=1
SA: ref=4 options=18027 type=00 soft=0 mtu=1438 expire=3278/0B replaywin=2048
seqno=503 esn=0 replaywin_lastseq=00000240 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3333/3600
dec: spi=f4b4e398 esp=aes key=32 102763d4387421c519ee117917eceb3688054c8be72f9742263eee68b9156760
ah=sha256 key=32 3e04332d4c28ea68ef924f6538de57e2a61e2311598fbf3a63c19072d33b4474
enc: spi=45d082c7 esp=aes key=32 c4026717653581f89888f366d543ff41d90c0e20e5f9d299748d9ee55f0ea084
ah=sha256 key=32 b8967db65513569c89069539f94cbcec2b730bdf19346658689b9ab679e6609d
dec:pkts/bytes=576/1064476, enc:pkts/bytes=516/60936
npu_flag=02 npu_rgwy=peerCheckpoint npu_lgwy=myPeer npu_selid=19 dec_npuid=1 enc_npuid=1
run_tally=0
--
# diagnose vpn ike log-filter clear
# diagnose vpn ike log-filter dst-addr4 peerCheckpoint
# diagnose debug application ike -1
Debug messages will be on for 30 minutes.
# diagnose debug enable
ike 0: unknown SPI f4b4e154 36 peerCheckpoint:0->myPeer
ike 0: found VPN-Checkpoint myPeer 36 -> peerCheckpoint:500
ike 0:VPN-Checkpoint: send HA sync query SA: f4b4e154
ike 0:VPN-Checkpoint:28982: send INVALID-SPI f4b4e154
ike 0:VPN-Checkpoint:28982: enc 50C67FE1E39EC35F5B8F1F8516D578BC081005018EC8541A000000500B0000244379B9AE7BEDF2E9D4FCE77C673BD3A4CE72EED76E733F3C44F94127B23850B100000010000000010304000BF4B4E154
ike 0:VPN-Checkpoint:28982: out 50C67FE1E39EC35F5B8F1F8516D578BC081005018EC8541A0000005C63A75F300BCA0C069166473BF2A9A186A852FE0E01FD8E026A65DCD21E686B7D87DFCAF1185D108A51DDB65EB181CEEFE67FAC300D9F16BF80FA3BBC9EA6FD57
ike 0:VPN-Checkpoint:28982: sent IKE msg (INVALID-SPI): myPeer:500->peerCheckpoint:500, len=92, vrf=0, id=50c67fe1e39ec35f/5b8f1f8516d578bc:8ec8541a
ike 0: unknown SPI f4b4e154 36 peerCheckpoint:0->myPeer
ike 0: found VPN-Checkpoint myPeer 36 -> peerCheckpoint:500
ike 0:VPN-Checkpoint: send HA sync query SA: f4b4e154
ike 0:VPN-Checkpoint:28982: send INVALID-SPI f4b4e154
ike 0:VPN-Checkpoint:28982: enc 50C67FE1E39EC35F5B8F1F8516D578BC08100501022A59A9000000500B000024CD1D3C254C14302725ED2F2D1A201370CD32A31C0D81959A97F30F13AD1C066C00000010000000010304000BF4B4E154
ike 0:VPN-Checkpoint:28982: out 50C67FE1E39EC35F5B8F1F8516D578BC08100501022A59A90000005C76FF1E579A30F8320E7A8B0C6629A376D40EF1B561F42F1ECEA8362246CCEEE7421008B2A1103FF2762EA388A66090A55265AEAF3EB0E4741E59EF4ED3945923
ike 0:VPN-Checkpoint:28982: sent IKE msg (INVALID-SPI): myPeer:500->peerCheckpoint:500, len=92, vrf=0, id=50c67fe1e39ec35f/5b8f1f8516d578bc:022a59a9
ike 0: unknown SPI f4b4e154 36 peerCheckpoint:0->myPeer
ike 0: found VPN-Checkpoint myPeer 36 -> peerCheckpoint:500
ike 0:VPN-Checkpoint: send HA sync query SA: f4b4e154
ike 0:VPN-Checkpoint:28982: send INVALID-SPI f4b4e154
ike 0:VPN-Checkpoint:28982: enc 50C67FE1E39EC35F5B8F1F8516D578BC081005019718C986000000500B000024679E3785ACAC22910F018E2058948E6C2193E0AC70BD476024B4D8AC7AEAC5AE00000010000000010304000BF4B4E154
ike 0:VPN-Checkpoint:28982: out 50C67FE1E39EC35F5B8F1F8516D578BC081005019718C9860000005CC2DAF81DDDB5990F88F52E4803DF136C53D660AB8CE49CCC064DFE9C903E05B23E6447039C466C6B75FF673E70292A4F6DBD8F4AA71605F5F05E9BBC2DA4156D
ike 0:VPN-Checkpoint:28982: sent IKE msg (INVALID-SPI): myPeer:500->peerCheckpoint:500, len=92, vrf=0, id=50c67fe1e39ec35f/5b8f1f8516d578bc:9718c986
ike 0: unknown SPI f4b4e154 36 peerCheckpoint:0->myPeer
ike 0: found VPN-Checkpoint myPeer 36 -> peerCheckpoint:500
ike 0:VPN-Checkpoint: send HA sync query SA: f4b4e154
ike 0:VPN-Checkpoint:28982: send INVALID-SPI f4b4e154
ike 0:VPN-Checkpoint:28982: enc 50C67FE1E39EC35F5B8F1F8516D578BC0810050140E41DC2000000500B0000240B12B14B6480890C5791B5AE99D9DFE3EB03AC74175CABAE5A903B974ADF7C4B00000010000000010304000BF4B4E154
ike 0:VPN-Checkpoint:28982: out 50C67FE1E39EC35F5B8F1F8516D578BC0810050140E41DC20000005C8A7A310337A1DBE047ECA2A831DB1BF17723B82A00DEC8F3724AB3CB52DBF6668C4DC2B9D4629416DC4812CC38A28A95CA97964197B1E5362661F900C5D787C5
ike 0:VPN-Checkpoint:28982: sent IKE msg (INVALID-SPI): myPeer:500->peerCheckpoint:500, len=92, vrf=0, id=50c67fe1e39ec35f/5b8f1f8516d578bc:40e41dc2
ike 0: unknown SPI f4b4e154 36 peerCheckpoint:0->myPeer
ike 0: found VPN-Checkpoint myPeer 36 -> peerCheckpoint:500
ike 0:VPN-Checkpoint: send HA sync query SA: f4b4e154
ike 0:VPN-Checkpoint:28982: send INVALID-SPI f4b4e154
ike 0:VPN-Checkpoint:28982: enc 50C67FE1E39EC35F5B8F1F8516D578BC0810050129C84042000000500B000024E93BD244845460E7D1984B5A53C38AE8F92FAC9EF0D87FB47F89E2C9B63A996800000010000000010304000BF4B4E154
ike 0:VPN-Checkpoint:28982: out 50C67FE1E39EC35F5B8F1F8516D578BC0810050129C840420000005C73C6F6C4DB4A8874EE01D6DCFCBFEFCF91DF3D52655489B5C53FBD386BBBB66E78612A6E811986805818EF3E439BCE6A803EC91E79DF6D92C86CE80D5E6B91EA
ike 0:VPN-Checkpoint:28982: sent IKE msg (INVALID-SPI): myPeer:500->peerCheckpoint:500, len=92, vrf=0, id=50c67fe1e39ec35f/5b8f1f8516d578bc:29c84042
ike 0: comes peerCheckpoint:500->myPeer:500,ifindex=36,vrf=0....
ike 0: IKEv1 exchange=Quick id=50c67fe1e39ec35f/5b8f1f8516d578bc:ed0dd711 len=188 vrf=0
ike 0: in 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD711000000BCF0A42CB4FA97486FE5E8DB58EC1AEA606A1913DE6BDC19B3546DEFD340728E62D0AFAD872C7C28C55B08B4AC813647E6803E29FA1082AF0EF496D650CCF9EAC6C18004817DDEF172089739934EA68906AB34E060DE03BAD2354CF3C9756E85DD3CE1D58041934CA4BCB84B90E1FA29E078E13E20595318AD84B3A525884CD0AF75EF577DA50BEC950B5D693D89CC0202D2DD6EFD349E5A58F3712D68BDBD6C07
ike 0:VPN-Checkpoint:28982:1179591: responder received first quick-mode message
ike 0:VPN-Checkpoint:28982: dec 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD711000000BC01000024AA786573A1129639551C4B559ABF18B077FF477C0681E1E9E3C47B81194E73FF0A00003800000001000000010000002C01030401CF098D1200000020010C0000800100010002000400000E1080050005800400018006010005000018188D14F44B3753E6F58B78FDC996FEB1F005E74E0500001004000000AC124E00FFFFFF0000000010040000000A010000FFFF000000000000000000000000000B
ike 0:VPN-Checkpoint:28982:1179591: peer proposal is: peer:0:172.22.100.0-172.22.100.255:0, me:0:192.168.0.0-192.168.255.255:0
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: trying
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: matched phase2
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: autokey
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: my proposal:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: proposal id = 1:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: protocol id = IPSEC_ESP:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: type = AUTH_ALG, val=SHA2_256
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: incoming proposal:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: proposal id = 1:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: protocol id = IPSEC_ESP:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: type = AUTH_ALG, val=SHA2_256
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: negotiation result
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: proposal id = 1:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: protocol id = IPSEC_ESP:
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: trans_id = ESP_AES_CBC (key_len = 256)
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: type = AUTH_ALG, val=SHA2_256
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: using tunnel mode.
ike 0:VPN-Checkpoint: schedule auto-negotiate
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: replay protection enabled
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: SA life soft seconds=3332.
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: SA life hard seconds=3600.
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: IPsec SA selectors #src=1 #dst=5
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: src 0 4 0:192.168.0.0/255.255.0.0:0
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: dst 0 4 0:172.22.100.0/255.255.255.0:0
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: dst 1 4 0:10.91.1.0/255.255.255.0:0
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: dst 2 4 0:10.20.4.0/255.255.255.0:0
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: dst 3 4 0:172.18.10.0/255.255.255.0:0
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: dst 4 4 0:172.18.222.0/255.255.255.0:0
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: add IPsec SA: SPIs=f4b4e43c/cf098d12
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: IPsec SA dec spi f4b4e43c key 32:1A19B15E8D36C303390A39CE5D0813974912E25C9E5FA5A33ACE8218E65AA62F auth 32:45180E3611CA719BA17CC7204A98A83F116C5F5DB57A170A2501D8D6BAF700DF
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: IPsec SA enc spi cf098d12 key 32:4EE171D70D879DDE824CA5F0422DDF8E896FE597618FF98124F4156A80293570 auth 32:E8999EBA7C94D2F9415E8CF7C20CB61C857D839D8F32E9910A283A16795D8882
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: added IPsec SA: SPIs=f4b4e43c/cf098d12
ike 0:VPN-Checkpoint: HA send IKE connection add myPeer->peerCheckpoint
ike 0:VPN-Checkpoint:28982: HA send IKE SA add 50c67fe1e39ec35f/5b8f1f8516d578bc
ike 0:VPN-Checkpoint:28982: HA send IKE SA add 50c67fe1e39ec35f/5b8f1f8516d578bc
ike 0:VPN-Checkpoint:28982: enc 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD711000000AC010000245ADC848C30A1660FB8320CF90863BF1E093FA11A783AE5ACB59232423120A5490A00003800000001000000010000002C01030401F4B4E43C00000020010C0000800100010002000400000E1080050005800400018006010005000014E8311475481FA4FDEEE5B097E0DE9D670500001004000000AC124E00FFFFFF0000000010040000000A010000FFFF0000
ike 0:VPN-Checkpoint:28982: out 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD711000000BC040DF142806F83CE1BEF05606F7DC0589539A9B87EF8824E23F992E6236EA55D21142301314CE70F16C54466930CEF47A9B1F49B9ABB72F98C2F50147E8118FAE8CA272DC17CF4B180D6C733E41A311BAC6490280FD3B8ABAC6DECA21A2387A5BED5DA7CD9508CC15AFA0626BB4F0ED367C90579FD9B19B9E71BF2EC561BDB2473D34F267BF0B9A75F61AFCDB62E9B0E009238E75199A51CD062A005BE5F43F2
ike 0:VPN-Checkpoint:28982: sent IKE msg (quick_r1send): myPeer:500->peerCheckpoint:500, len=188, vrf=0, id=50c67fe1e39ec35f/5b8f1f8516d578bc:ed0dd711
ike 0:VPN-Checkpoint: IPsec SA c2f19fa9/f4b4e438 hard expired 36 myPeer->peerCheckpoint:0 SA count 3 of 3
ike 0:VPN-Checkpoint: IPsec SA f4b4e438 delete failed: 2
ike 0:VPN-Checkpoint:28982: send IPsec SA delete, spi f4b4e438
ike 0:VPN-Checkpoint:28982: enc 50C67FE1E39EC35F5B8F1F8516D578BC08100501C67D1DF5000000500C000024064CE45EBC967BE6AFCEB5ED1CA3C7CA3557FE4076CB2723CE1D1E213EB85B84000000100000000103040001F4B4E438
ike 0:VPN-Checkpoint:28982: out 50C67FE1E39EC35F5B8F1F8516D578BC08100501C67D1DF50000005C2B0287BF9DB5F31CA008096E798794131501005E2890E1879101D69567424B139C2A49DA5F078D5EECA389DDF7EB5644F97103B382D72D2F742FA3AC05658E33
ike 0:VPN-Checkpoint:28982: sent IKE msg (IPsec SA_DELETE-NOTIFY): myPeer:500->peerCheckpoint:500, len=92, vrf=0, id=50c67fe1e39ec35f/5b8f1f8516d578bc:c67d1df5
ike 0: comes peerCheckpoint:500->myPeer:500,ifindex=36,vrf=0....
ike 0: IKEv1 exchange=Quick id=50c67fe1e39ec35f/5b8f1f8516d578bc:ed0dd711 len=76 vrf=0
ike 0: in 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD7110000004C035CE893C2CFAA919E997899733C175D34ADFCF23FB149C4618975003F82CF9774365D2CF014164A4A879074BC1892B5
ike 0:VPN-Checkpoint:28982: dec 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD7110000004C0000002443E6E405F7EA760C3185AC546FAC19518FB83448991A70F4FEBB4F1963361DC900000000000000000000000B
ike 0:VPN-Checkpoint:VPN-Checkpoint:1179591: send SA_DONE SPI 0xcf098d12
ike 0: comes peerCheckpoint:500->myPeer:500,ifindex=36,vrf=0....
ike 0: IKEv1 exchange=Quick id=50c67fe1e39ec35f/5b8f1f8516d578bc:ed0dd711 len=76 vrf=0
ike 0: in 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD7110000004C035CE893C2CFAA919E997899733C175D34ADFCF23FB149C4618975003F82CF9774365D2CF014164A4A879074BC1892B5
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: retransmission, ignored since still generating response
ike 0:VPN-Checkpoint: HA IPsec send ESP seqno=1829, num=4
ike 0: comes peerCheckpoint:500->myPeer:500,ifindex=36,vrf=0....
ike 0: IKEv1 exchange=Quick id=50c67fe1e39ec35f/5b8f1f8516d578bc:ed0dd711 len=76 vrf=0
ike 0: in 50C67FE1E39EC35F5B8F1F8516D578BC08102001ED0DD7110000004C035CE893C2CFAA919E997899733C175D34ADFCF23FB149C4618975003F82CF9774365D2CF014164A4A879074BC1892B5
ike 0:VPN-Checkpoint:28982:VPN-Checkpoint:1179591: retransmission, ignored since still generating response
ike 0: comes peerCheckpoint:500->myPeer:500,ifindex=36,vrf=0....
ike 0: IKEv1 exchange=Quick id=50c67fe1e39ec35f/5b8f1f8516d578bc:87fcb34d len=188 vrf=0
ike 0: in 50C67FE1E39EC35F5B8F1F8516D578BC0810200187FCB34D000000BC2F546F8F7119FDE160DD95FF7311747825BA971B0357B2AC8653B5AD5D63649C1CAC2AEF7AA25D34F62ED9ADBEC126509AA8B62CAEF8BB2C238433D0B26808103F092351B9D227FD03B194CA8F634F71238FFE04D24BEAC6F49EFA944FDEDE1A0FC2B97ED17F5AD0FE3DAB2B893071A03E8187D93919BC8FC1FAE665560F6AAD1EF799F92AA9D31A72D32D292374F4687D8589120FEA9B50302171C37C393C57
ike 0:VPN-Checkpoint:28982:1179593: responder received first quick-mode message
ike 0:VPN-Checkpoint:28982: dec 50C67FE1E39EC35F5B8F1F8516D578BC0810200187FCB34D000000BC01000024753030F43CC5CC4FE00AC35E5D03404785267F26EF518FB7C4EDA1ECD931451C0A00003800000001000000010000002C0103040191AE67AA00000020010C0000800100010002000400000E10800500058004000180060100050000185B0EF92F4E9AD44E63E1DAA012684A272D80548F0500001004000000AC120000FFFFFF0000000010040000000A010000FFFF000000000000000000000000000B
Labels:
- Labels:
-
FortiGate
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
For more information, about this error message i.e. "Received ESP packet with unknown SPI" you can review the below document on it.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-Unknown-SPI-message-in-Even...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi! I have a similar problem. Some Subnets are fine and once a day, some specific hosts are unreachable for 10 minutes or until you reset the tunnel.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Cinf
- Try change Phase 1 & Phase 2 proposals
- Add more negotiation possibilities, add multiple authentication and encryption pairs
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how is sending traffic in phase 1 and 2
after then see if packets reach in receiving traffic
Related Posts
- FortiClient/EMS 522 Views
- FortiGate HA Design with Standalone Switches 11134 Views
- ... 1176 Views
- ... 1701 Views
Labels
-
FortiGate
6,440 -
FortiClient
1,283 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
325 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
64 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
53 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RMA Information and Announcements
8 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.