Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Brustolin
New Contributor II

Multiple VPN IPSec using different IP's

Hello guys

 

Currently we have a necessity of deploying a lot of IPSec VPN's in different IP's from my WAN interface

For some reason that I don't know the VPN's only works if i enable "ping" with secondary addresses on Wan interface

 

Currently I have 30 IP's in secondary ips on my WAN. The FortiOS have a limitation of 32 IP's

If I don't enable ping, IPSec dont works and I receive this output

 

ike 0:ecea911495885ac4/0000000000000000:3203: responder: main mode get 1st message...
ike 0:ecea911495885ac4/0000000000000000:3203: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:ecea911495885ac4/0000000000000000:3203: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:ecea911495885ac4/0000000000000000:3203: negotiation result
ike 0:ecea911495885ac4/0000000000000000:3203: proposal id = 1:
ike 0:ecea911495885ac4/0000000000000000:3203: protocol id = ISAKMP:
ike 0:ecea911495885ac4/0000000000000000:3203: trans_id = KEY_IKE.
ike 0:ecea911495885ac4/0000000000000000:3203: encapsulation = IKE/none
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ecea911495885ac4/0000000000000000:3203: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_GROUP, val=MODP1536.
ike 0:ecea911495885ac4/0000000000000000:3203: ISAKMP SA lifetime=86400
ike 0:ecea911495885ac4/0000000000000000:3203: SA proposal chosen, matched gateway VPN_WINOV_SP
ike 0: found VPN_WINOV_SP 200.195.149.26 6 -> 170.231.15.66:500
ike 0:VPN_WINOV_SP:3203: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN_WINOV_SP:3203: cookie ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (ident_r1send): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:3201: d3fcd5f5f857c37f/0000000000000000 negotiation of IKE SA failed due to retry timeout
ike 0:VPN_WINOV_SP:3201: expiring IKE SA d3fcd5f5f857c37f/0000000000000000
ike 0:VPN_WINOV_SP: deleting
ike 0:VPN_WINOV_SP: deleted

 

Am I doing something wrong?

Bruno Brustolin
Cloud Engineer
Bruno BrustolinCloud Engineer
10 REPLIES 10
Anthony_E
Community Manager
Community Manager

Hello Bruno,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
akristof
Staff
Staff

Hello,

Based on the debug peer is also FortiGate. Please run the debug on that FortiGate also so we can compare what other peer's seeing. Next step would be packet capture for IKE packets to see if they received, but maybe dropped. Last thing is config. How is the VPN on this device configured. Ping should not affect ability to accept packets for IKE.

Adrian
Brustolin
New Contributor II

Hello Adrian,

 

This is the output from the other Fortigate:

 

ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848709: c792a644f887907a/0000000000000000 negotiation of IKE SA failed due to retry timeout
ike 0:VPN_MITRA01:5848709: expiring IKE SA c792a644f887907a/0000000000000000
ike 0:VPN_MITRA01: deleting
ike 0:VPN_MITRA01: deleted
ike 0:VPN_MITRA01: schedule auto-negotiate
ike 0:VPN_MITRA01:5848769: initiator: main mode is sending 1st message...
ike 0:VPN_MITRA01:5848769: cookie b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (ident_i1send): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:500 negotiating
ike 0:VPN_MITRA01:5848769:MITRA_172.16.10.0/24:16275951: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0: cache rebuild done
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0: cache rebuild done
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0: cache rebuild done

 

The both configs is identicals:

 

edit "VPN_MITRA01"
set interface "WAN"
set local-gw 170.231.15.66
set peertype any
set net-device enable
set proposal aes128-sha1
set negotiate-timeout 300
set comments "Mitra Matriz"
set dhgrp 5
set nattraversal disable
set remote-gw 200.195.149.26
set psksecret ENC xxxxxxxxxxx
next

 

The Fortigates is in 7.2.3 version

 

Thanks

Bruno Brustolin
Cloud Engineer
Bruno BrustolinCloud Engineer
akristof

Hello,

Sorry for late reply. So in debugs, both sides are retransmitting their packets. Means that at some point, packets are either not delivers or dropped.

I would run debug flow on both devices, like this:

 

diag debug flow filter proto 17

diag debug flow filter port 500

diag debug flow filter addr X.X.X.X - remote IP gateway from local device's perspective

diag debug flow show func en

diag debug flow show iprope en

diag debug console time en

diag debug flow trace start 500

diag debug en

 

Keep it running for couple of seconds if tunnel is always negotiating. Then disable debug:

diag debug disable

 

You can attach files and we can if the packets are received or not and what is happening with them.

Adrian
Brustolin
New Contributor II

 

Hello Adrian,

 

Thank you for help me

 

WRSP1-FW-WZ1DC20C21-FG01 # 2023-01-11 13:29:52 id=65308 trace_id=635226 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) tun_id=0.0.0.0 from local. "
2023-01-11 13:29:52 id=65308 trace_id=635226 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, original direction"
2023-01-11 13:29:52 id=65308 trace_id=635226 func=__if_queue_push_xmit line=392 msg="send out via dev-s1, dst-mac-98:5d:82:b6:f8:7f"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:52 id=65308 trace_id=635227 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:29:52 id=65308 trace_id=635228 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:52 id=65308 trace_id=635228 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:29:52 id=65308 trace_id=635228 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:29:52 id=65308 trace_id=635228 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:29:53 id=65308 trace_id=635229 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:53 id=65308 trace_id=635229 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:29:53 id=65308 trace_id=635229 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:29:53 id=65308 trace_id=635229 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:30:16 id=65308 trace_id=635230 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) tun_id=0.0.0.0 from local. "
2023-01-11 13:30:16 id=65308 trace_id=635230 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, original direction"
2023-01-11 13:30:16 id=65308 trace_id=635230 func=__if_queue_push_xmit line=392 msg="send out via dev-s1, dst-mac-98:5d:82:b6:f8:7f"
2023-01-11 13:30:16 id=65308 trace_id=635231 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:30:16 id=65308 trace_id=635231 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:30:16 id=65308 trace_id=635231 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:30:16 id=65308 trace_id=635231 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:30:16 id=65308 trace_id=635232 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:30:16 id=65308 trace_id=635232 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:30:16 id=65308 trace_id=635232 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:30:16 id=65308 trace_id=635232 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"

 

Other side

 

MITRA_MATRIZ # 2023-01-11 12:29:39 id=20085 trace_id=218 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:39 id=20085 trace_id=218 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:39 id=20085 trace_id=219 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) from wan2. "
2023-01-11 12:29:39 id=20085 trace_id=219 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, original direction"
2023-01-11 12:29:39 id=20085 trace_id=220 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:39 id=20085 trace_id=220 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:51 id=20085 trace_id=221 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) from wan2. "
2023-01-11 12:29:51 id=20085 trace_id=221 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, original direction"
2023-01-11 12:29:51 id=20085 trace_id=222 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:51 id=20085 trace_id=222 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:51 id=20085 trace_id=223 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:51 id=20085 trace_id=223 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:52 id=20085 trace_id=224 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:52 id=20085 trace_id=224 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:30:15 id=20085 trace_id=225 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) from wan2. "
2023-01-11 12:30:15 id=20085 trace_id=225 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, original direction"
2023-01-11 12:30:15 id=20085 trace_id=226 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:30:15 id=20085 trace_id=226 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:30:15 id=20085 trace_id=227 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:30:15 id=20085 trace_id=227 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"

Bruno Brustolin
Cloud Engineer
Bruno BrustolinCloud Engineer
akristof

Hello Bruno,

 

Hmm. Debug flow shows no problem. No packets are dropped. So this must be something else. The problem is on direction from VPN_WINOV_SP to MITRA. WINOW match correct gateway, reply is sent but no reply is received, even though that on debug flow, everything looks good. You can try disable npu-offload, but it shouldn't have any impact on p1 negotiation:

config vpn ipsec phase1-interface

edit <tunnel>

set npu-offload disable

end

 

I recommend to open support ticket, this needs more in-depth tshoot, probably some reproduction in lab. 

 

Adrian
Brustolin
New Contributor II

Hello

 

I got some others informations I have other fortigate in 6.2.9 version, in this appliance, the ipsec works so good without "secondary addresses".

When ipsec try establish communication, and the ip that I inform with "specify" and not "secondary ip" the fortigate send "ping" with default IP from WAN interface.

 

Brustolin_0-1673613115316.png

 

When I insert this ip in secondary addresses and inform in "secondary ip" on ipsec configuration, Fortigate don't send this ping

 

Brustolin_2-1673613298657.png

 

But the strange thing is that I send ping from my wan, ping works

 

I opened the case in support too

 

Thanks,

 

Bruno Brustolin
Cloud Engineer
Bruno BrustolinCloud Engineer
Peter-Wainwright
New Contributor II

I saw a trace very similar to this a few days ago when I was setting up IPsec between two FGT units where one of the ISPs didn't support native ESP over IP. 

Try setting "set nattraversal forced" in the phase1-interface on both sides.

NSE 7
NSE 7
Mahindraholidays
New Contributor

Hi Team 

We are also facing the same issue any solution for this 

Labels
Top Kudoed Authors