Hello guys
Currently we have a need to deploy a lot of IPsec VPNs on different IPs of my WAN interface.
For some reason that I don't know, the VPNs only work if I enable "ping" on the secondary addresses of the WAN interface.
Currently I have 30 IPs as secondary IPs on my WAN. FortiOS has a limit of 32 IPs.
If I don't enable ping, IPsec doesn't work and I receive this output:
ike 0:ecea911495885ac4/0000000000000000:3203: responder: main mode get 1st message...
ike 0:ecea911495885ac4/0000000000000000:3203: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:ecea911495885ac4/0000000000000000:3203: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:ecea911495885ac4/0000000000000000:3203: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:ecea911495885ac4/0000000000000000:3203: negotiation result
ike 0:ecea911495885ac4/0000000000000000:3203: proposal id = 1:
ike 0:ecea911495885ac4/0000000000000000:3203: protocol id = ISAKMP:
ike 0:ecea911495885ac4/0000000000000000:3203: trans_id = KEY_IKE.
ike 0:ecea911495885ac4/0000000000000000:3203: encapsulation = IKE/none
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:ecea911495885ac4/0000000000000000:3203: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:ecea911495885ac4/0000000000000000:3203: type=OAKLEY_GROUP, val=MODP1536.
ike 0:ecea911495885ac4/0000000000000000:3203: ISAKMP SA lifetime=86400
ike 0:ecea911495885ac4/0000000000000000:3203: SA proposal chosen, matched gateway VPN_WINOV_SP
ike 0: found VPN_WINOV_SP 200.195.149.26 6 -> 170.231.15.66:500
ike 0:VPN_WINOV_SP:3203: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN_WINOV_SP:3203: cookie ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (ident_r1send): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0: comes 170.231.15.66:500->200.195.149.26:500,ifindex=6,vrf=0....
ike 0: IKEv1 exchange=Identity Protection id=ecea911495885ac4/0000000000000000 len=172 vrf=0
ike 0: in ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_WINOV_SP:3203: retransmission, re-send last message
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (retransmit): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:3203: out ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN_WINOV_SP:3203: sent IKE msg (P1_RETRANSMIT): 200.195.149.26:500->170.231.15.66:500, len=172, vrf=0, id=ecea911495885ac4/4fea753eb08576f2
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: IPsec SA connect 6 200.195.149.26->170.231.15.66:0
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: using existing connection
ike 0:VPN_WINOV_SP:VPN_WINOV_SP: config found
ike 0:VPN_WINOV_SP: request is on the queue
ike 0:VPN_WINOV_SP:3201: d3fcd5f5f857c37f/0000000000000000 negotiation of IKE SA failed due to retry timeout
ike 0:VPN_WINOV_SP:3201: expiring IKE SA d3fcd5f5f857c37f/0000000000000000
ike 0:VPN_WINOV_SP: deleting
ike 0:VPN_WINOV_SP: deleted
Am I doing something wrong?
Hello Bruno,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello,
Based on the debug, the peer is also a FortiGate. Please run the debug on that FortiGate as well so we can compare what the other peer is seeing. The next step would be a packet capture of the IKE packets to see whether they are received but maybe dropped. The last thing is the config: how is the VPN on this device configured? Ping should not affect the ability to accept IKE packets.
Hello Adrian,
This is the output from the other Fortigate:
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848709: c792a644f887907a/0000000000000000 negotiation of IKE SA failed due to retry timeout
ike 0:VPN_MITRA01:5848709: expiring IKE SA c792a644f887907a/0000000000000000
ike 0:VPN_MITRA01: deleting
ike 0:VPN_MITRA01: deleted
ike 0:VPN_MITRA01: schedule auto-negotiate
ike 0:VPN_MITRA01:5848769: initiator: main mode is sending 1st message...
ike 0:VPN_MITRA01:5848769: cookie b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (ident_i1send): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:500 negotiating
ike 0:VPN_MITRA01:5848769:MITRA_172.16.10.0/24:16275951: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0: cache rebuild done
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0: cache rebuild done
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:5848769: out B91263F394F6BA3500000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN_MITRA01:5848769: sent IKE msg (P1_RETRANSMIT): 170.231.15.66:500->200.195.149.26:500, len=172, vrf=0, id=b91263f394f6ba35/0000000000000000
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: IPsec SA connect 32 170.231.15.66->200.195.149.26:0
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: using existing connection
ike 0:VPN_MITRA01:MITRA_172.16.10.0/24: config found
ike 0:VPN_MITRA01: request is on the queue
ike 0: cache rebuild done
Both configs are identical:
config vpn ipsec phase1-interface
    edit "VPN_MITRA01"
        set interface "WAN"
        set local-gw 170.231.15.66
        set peertype any
        set net-device enable
        set proposal aes128-sha1
        set negotiate-timeout 300
        set comments "Mitra Matriz"
        set dhgrp 5
        set nattraversal disable
        set remote-gw 200.195.149.26
        set psksecret ENC xxxxxxxxxxx
    next
end
The FortiGates are on version 7.2.3.
Thanks
Hello,
Sorry for the late reply. So in the debugs, both sides are retransmitting their packets. That means that at some point packets are either not delivered or are dropped.
I would run debug flow on both devices, like this:
diag debug flow filter proto 17
diag debug flow filter port 500
diag debug flow filter addr X.X.X.X - remote IP gateway from local device's perspective
diag debug flow show func en
diag debug flow show iprope en
diag debug console time en
diag debug flow trace start 500
diag debug en
Keep it running for a couple of seconds if the tunnel is always negotiating. Then disable debug:
diag debug disable
You can attach the files and we can see whether the packets are received or not and what is happening with them.
Created on 01-11-2023 07:32 AM Edited on 01-11-2023 07:32 AM
Hello Adrian,
Thank you for helping me.
WRSP1-FW-WZ1DC20C21-FG01 # 2023-01-11 13:29:52 id=65308 trace_id=635226 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) tun_id=0.0.0.0 from local. "
2023-01-11 13:29:52 id=65308 trace_id=635226 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, original direction"
2023-01-11 13:29:52 id=65308 trace_id=635226 func=__if_queue_push_xmit line=392 msg="send out via dev-s1, dst-mac-98:5d:82:b6:f8:7f"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:52 id=65308 trace_id=635227 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:29:52 id=65308 trace_id=635228 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:52 id=65308 trace_id=635228 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:29:52 id=65308 trace_id=635228 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:29:52 id=65308 trace_id=635228 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:29:53 id=65308 trace_id=635229 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:53 id=65308 trace_id=635229 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:29:53 id=65308 trace_id=635229 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:29:53 id=65308 trace_id=635229 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:30:16 id=65308 trace_id=635230 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) tun_id=0.0.0.0 from local. "
2023-01-11 13:30:16 id=65308 trace_id=635230 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, original direction"
2023-01-11 13:30:16 id=65308 trace_id=635230 func=__if_queue_push_xmit line=392 msg="send out via dev-s1, dst-mac-98:5d:82:b6:f8:7f"
2023-01-11 13:30:16 id=65308 trace_id=635231 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:30:16 id=65308 trace_id=635231 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:30:16 id=65308 trace_id=635231 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:30:16 id=65308 trace_id=635231 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
2023-01-11 13:30:16 id=65308 trace_id=635232 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:30:16 id=65308 trace_id=635232 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:30:16 id=65308 trace_id=635232 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:30:16 id=65308 trace_id=635232 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
Other side
MITRA_MATRIZ # 2023-01-11 12:29:39 id=20085 trace_id=218 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:39 id=20085 trace_id=218 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:39 id=20085 trace_id=219 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) from wan2. "
2023-01-11 12:29:39 id=20085 trace_id=219 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, original direction"
2023-01-11 12:29:39 id=20085 trace_id=220 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:39 id=20085 trace_id=220 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:51 id=20085 trace_id=221 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) from wan2. "
2023-01-11 12:29:51 id=20085 trace_id=221 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, original direction"
2023-01-11 12:29:51 id=20085 trace_id=222 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:51 id=20085 trace_id=222 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:51 id=20085 trace_id=223 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:51 id=20085 trace_id=223 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:29:52 id=20085 trace_id=224 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:29:52 id=20085 trace_id=224 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:30:15 id=20085 trace_id=225 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) from wan2. "
2023-01-11 12:30:15 id=20085 trace_id=225 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, original direction"
2023-01-11 12:30:15 id=20085 trace_id=226 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:30:15 id=20085 trace_id=226 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
2023-01-11 12:30:15 id=20085 trace_id=227 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) from local. "
2023-01-11 12:30:15 id=20085 trace_id=227 func=resolve_ip_tuple_fast line=5827 msg="Find an existing session, id-055efbc8, reply direction"
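The two traces above can be read mechanically rather than by eye. The script below is an added example (mine, not FortiOS code and not something posted in this thread): it groups diag debug flow lines by trace_id, records each packet's 5-tuple and ingress interface, and classifies the packet as sent, matched to an existing session, or dropped, so that a "no packets are dropped" verdict can be checked across hundreds of lines. The first sample block is copied from the WRSP1 trace above; the second block (trace_id 635299, source 198.51.100.7, function fw_local_in_handler) is constructed to exercise the drop path and was not logged by either device.

```python
"""Triage 'diagnose debug flow' output: group lines by trace_id, record the packet's
5-tuple and ingress interface, and decide whether the unit sent it, matched it to an
existing session, or dropped it.  Added example for this thread, not FortiOS code."""
import re
from collections import Counter

# Lines copied from the WRSP1 trace posted above (one local->peer packet, one peer->local packet).
SAMPLE = """\
2023-01-11 13:29:52 id=65308 trace_id=635226 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 170.231.15.66:500->200.195.149.26:500) tun_id=0.0.0.0 from local. "
2023-01-11 13:29:52 id=65308 trace_id=635226 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, original direction"
2023-01-11 13:29:52 id=65308 trace_id=635226 func=__if_queue_push_xmit line=392 msg="send out via dev-s1, dst-mac-98:5d:82:b6:f8:7f"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 200.195.149.26:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:52 id=65308 trace_id=635227 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-9ff0ed6d, reply direction"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=npu_handle_session44 line=1194 msg="Trying to offloading session from WAN to WAN, skb.npu_flag=00000000 ses.state=00004104 ses.npu_state=0x00000100"
2023-01-11 13:29:52 id=65308 trace_id=635227 func=fw_forward_dirty_handler line=414 msg="state=00004104, state2=00000300, npu_state=00000100"
"""
# Constructed lines (NOT from the thread) in the shape FortiOS uses for a local-in policy drop,
# so the drop path is exercised; the source address is a documentation-range placeholder.
DROP_SAMPLE = """\
2023-01-11 13:29:53 id=65308 trace_id=635299 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=17, 198.51.100.7:500->170.231.15.66:500) tun_id=0.0.0.0 from WAN. "
2023-01-11 13:29:53 id=65308 trace_id=635299 func=fw_local_in_handler line=616 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"')
PKT = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
                 r'->(?P<dst>[\d.]+):(?P<dport>\d+)\).*? from (?P<iface>\S+)\.')


def triage(lines):
    """Return {trace_id: {proto, src, sport, dst, dport, iface, verdict}}.
    Later lines of the same trace refine the verdict; a drop is final."""
    flows = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        f = flows.setdefault(m["tid"], {"verdict": "no_decision"})
        p = PKT.search(m["msg"])
        msg = m["msg"].lower()
        if p:
            f.update(proto=int(p["proto"]), src=p["src"], sport=int(p["sport"]),
                     dst=p["dst"], dport=int(p["dport"]), iface=p["iface"])
        elif f["verdict"] == "dropped":
            continue
        elif "drop" in msg or msg.startswith("denied"):
            f["verdict"] = "dropped"
        elif m["func"] == "__if_queue_push_xmit":
            f["verdict"] = "sent"
        elif "existing session" in msg:
            f["verdict"] = "matched_session"
        elif "allocate a new session" in msg:
            f["verdict"] = "new_session"
    return flows


def summary(flows):
    """Packets per (ingress interface, verdict); a ('WAN', 'dropped') bucket is the thing to look for."""
    return Counter((f.get("iface", "?"), f["verdict"]) for f in flows.values())


def problems(flows):
    """trace_ids that were dropped or never reached a decision: the ones worth reading in full."""
    return sorted(t for t, f in flows.items() if f["verdict"] in ("dropped", "no_decision"))


if __name__ == "__main__":
    flows = triage((SAMPLE + DROP_SAMPLE).splitlines())
    for tid, f in flows.items():
        print(tid, f)
    print(summary(flows))
    print("needs attention:", problems(flows))
```

Feed it the full output of both devices (each side's trace separately, since the trace_id space is per unit) and compare the ('WAN', ...) buckets: if the peer's packets reach the unit and are matched to a session but the peer still retransmits, the loss is on the return path, which is what the ike debug also suggests.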
Hello Bruno,
Hmm. Debug flow shows no problem. No packets are dropped. So this must be something else. The problem is in the direction from VPN_WINOV_SP to MITRA. WINOV matches the correct gateway and the reply is sent, but no reply is received, even though in debug flow everything looks good. You can try disabling npu-offload, but it shouldn't have any impact on the P1 negotiation:
config vpn ipsec phase1-interface
    edit <tunnel>
        set npu-offload disable
    next
end
I recommend opening a support ticket; this needs more in-depth troubleshooting, probably some reproduction in a lab.
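Adrian's reading of the debug (reply sent, peer keeps resending message 1) can be verified directly from the hex on the ike daemon's "in"/"out" lines, which are the raw ISAKMP packets. The decoder below is an added example, mine rather than FortiOS code or anything posted in this thread. It parses the 28-byte header, the SA proposal with its transform attributes and the vendor-ID payloads of the two dumps copied from the WINOV-side output above, and it counts how many times message 1 arrived with a zero responder SPI after message 2 had already been sent. Exchange, attribute and group names are the standard IKEv1 values; the vendor-ID labels are the ones the ike daemon itself prints; the event order in WINOV_EVENTS follows the posted debug and is the only thing I have assumed.

```python
"""Decode the ISAKMP (IKEv1) hex dumps that 'diagnose debug application ike -1'
prints on its 'in'/'out' lines and use the header fields to say which leg of a
main-mode exchange is failing.  Added example for this thread, not FortiOS code.
The two dumps below are copied from the WINOV-side debug output posted above."""
import struct

# 'in' line: main-mode message 1 from the initiator 170.231.15.66 (responder SPI still zero).
PEER_MSG1 = "ECEA911495885AC400000000000000000110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000"
# 'out' line: our message 2, carrying the responder SPI this unit picked (4fea753eb08576f2).
OUR_MSG2 = "ECEA911495885AC44FEA753EB08576F20110020000000000000000AC0D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E00808003000180020002800400050D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D3000000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000"
# Order in which the posted debug shows them (assumed from the thread): we answer, the peer resends message 1, repeat.
WINOV_EVENTS = [("out", OUR_MSG2), ("in", PEER_MSG1)] * 3

EXCHANGE = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_SA, PAYLOAD_VID = 1, 13
# IKE SA attribute classes (RFC 2409, Appendix A) and the values that occur in this thread.
ATTR = {1: "encryption", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life_seconds", 14: "key_len"}
VALUE = {"encryption": {5: "3DES-CBC", 7: "AES-CBC"}, "hash": {1: "MD5", 2: "SHA", 4: "SHA2-256"},
         "auth": {1: "PRESHARED_KEY", 3: "RSA_SIG"}, "group": {2: "MODP1024", 5: "MODP1536", 14: "MODP2048"},
         "life_type": {1: "seconds", 2: "kilobytes"}}
# Vendor IDs, named as the ike daemon labels them in the posted output (first 16 bytes compared).
VENDOR = {bytes.fromhex("AFCAD71368A1F1C96B8696FC77570100"): "DPD",
          bytes.fromhex("4048B7D56EBCE88525E7DE7F00D6C2D3"): "FRAGMENTATION",
          bytes.fromhex("8299031757A36082C6A621DE00000000"): "FORTIGATE"}


def parse_header(raw):
    """28-byte ISAKMP header: SPIs, next payload, version, exchange, flags, msg id, length."""
    i_spi, r_spi, np, ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {"i_spi": i_spi.hex(), "r_spi": r_spi.hex(), "next_payload": np,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, exch),
            "flags": flags, "msg_id": msg_id, "length": length}


def parse_attributes(data):
    """Transform attributes: 2-byte value when the type's high bit is set, else length + value."""
    attrs, off = {}, 0
    while off < len(data):
        t, v = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if t & 0x8000:
            name, value = ATTR.get(t & 0x7FFF, t & 0x7FFF), v
        else:
            name, value = ATTR.get(t, t), int.from_bytes(data[off:off + v], "big")
            off += v
        attrs[name] = VALUE.get(name, {}).get(value, value)
    return attrs


def parse_sa(body):
    """SA payload body: DOI, situation, then proposals, each holding transforms."""
    doi, situation = struct.unpack("!II", body[:8])
    off, proposals = 8, []
    while off < len(body):
        _, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, tnum, tid, _ = struct.unpack("!BBHBBH", body[toff:toff + 8])
            transforms.append({"num": tnum, "id": tid, **parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        proposals.append({"proposal": num, "protocol": proto, "transforms": transforms})
        off += plen
    return {"doi": doi, "situation": situation, "proposals": proposals}


def parse_message(hexdump):
    """Walk the payload chain; SA and Vendor ID are decoded, anything else is kept raw."""
    raw = bytes.fromhex(hexdump)
    hdr = parse_header(raw)
    if hdr["length"] != len(raw):
        raise ValueError("dump length does not match ISAKMP header length")
    np, off, payloads = hdr["next_payload"], 28, []
    while np != 0:
        nnp, _, plen = struct.unpack("!BBH", raw[off:off + 4])
        body = raw[off + 4:off + plen]
        if np == PAYLOAD_SA:
            payloads.append(("SA", parse_sa(body)))
        elif np == PAYLOAD_VID:
            payloads.append(("VID", VENDOR.get(body[:16], body.hex())))
        else:
            payloads.append((np, body.hex()))
        np, off = nnp, off + plen
    return {"header": hdr, "payloads": payloads}


def diagnose(events):
    """events: [(direction, hexdump), ...] as one device logged them.  A responder that has
    sent message 2 (non-zero responder SPI on an 'out' line) but keeps receiving message 1
    with a zero responder SPI for the same initiator SPI is talking to a peer that never saw
    the reply: the fault is on the return path, not in proposal matching."""
    answered, peer_missed_reply = {}, 0
    for direction, hexdump in events:
        h = parse_header(bytes.fromhex(hexdump))
        if direction == "out" and h["r_spi"] != "0" * 16:
            answered[h["i_spi"]] = h["r_spi"]
        elif direction == "in" and h["r_spi"] == "0" * 16 and h["i_spi"] in answered:
            peer_missed_reply += 1
    return {"answered": answered, "peer_missed_reply": peer_missed_reply}


if __name__ == "__main__":
    msg = parse_message(PEER_MSG1)
    print(msg["header"])
    for kind, payload in msg["payloads"]:
        print(kind, payload)
    print(diagnose(WINOV_EVENTS))
```

The decoded transform (AES-CBC/128, SHA, pre-shared key, MODP1536, 86400 s) is exactly what the "negotiation result" lines above print, so the proposals are not the problem; the three message-1 arrivals with a zero responder SPI after message 2 went out are the protocol-level evidence that 170.231.15.66 never received the reply from 200.195.149.26.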
Hello
I got some other information: I have another FortiGate on version 6.2.9, and on this appliance IPsec works fine without "secondary addresses".
When IPsec tries to establish communication with the IP that I set with "specify" and not with "secondary IP", the FortiGate sends the "ping" with the default IP of the WAN interface.
When I insert this IP in the secondary addresses and set it as "secondary IP" in the IPsec configuration, the FortiGate doesn't send this ping.
But the strange thing is that when I send a ping from my WAN, the ping works.
I opened a case with support too.
Thanks,
I saw a trace very similar to this a few days ago when I was setting up IPsec between two FGT units where one of the ISPs didn't support native ESP over IP.
Try setting "set nattraversal forced" in the phase1-interface on both sides.
Hi Team
We are also facing the same issue. Is there any solution for this?