- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- P2 goes down when another P2 is brought up
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
P2 goes down when another P2 is brought up
FortiOS 5.0.9 using an interface based L2L tunnel with 3 phase2.
I am only able to bring up 2 phase 2's at a time, when I attempt to bring up the 3rd phase 2 (either in VPN monitor or with interesting traffic) the phase 2 listed below it in the list goes down.
All tunnels pass traffic properly when they are up, I just can't have all 3 up at the same time.
The 3 phase 2 are have the same config except for the source network is a different /24.
There is a route to the destination network pointing out the VPN sub-interface and 1 policy specifying the three source networks and the one destination network. Like I said communication through each P2 works fine when the tunnel is up, I just can't get all 3 P2 to stay up at the same time. Has anyone seen this or have any advise?
Thanks,
Paul
Labels:
- Labels:
-
5.0
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Never heard of this. I have on some FGT, like 8 or more phase2 tunnlels with route based.
Qs?
Can you share the phase2 configs? Is the tunnel termination on another FGT?
Are you sure the remote device does not have any tunnel limitations?
Did yo run any diag debug like ike & diag vpn tunnel list ?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi PaulM1114,
My guess is that you are not establishing a VPN between two FortiGates. If this is the case, what you will need to do is create separate P2s per source going to destination. For example:
Source Networks:
192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
Destination Network:
172.16.0.0/24
Needed phase twos:
P2-1
192.168.0.0/24 -> 172.16.0.0/24
P2-2
192.168.1.0/24 -> 172.16.0.0/24
P2-3
192.168.2.0/24 -> 172.16.0.0/24
Once you do this, you should not have the problem any further when you try to bring up the phase 2 on the FortiGate. Please note, you will need to make sure the other side of the VPN tunnel is configured exactly the same.
As the previous poster mentioned, please provide us configs if you confirm this is how you have things set up. This is a very common issue due to misconfiguration, so if that is not the case, something else has to be the culprit.
Please let us know if this change works. I hope this helps!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
So you are having one P1 to the same remote destination with three P2s each with a different source.
I suspect that there is an overlap probably because of subnet mask which might be mistyped. Please verify the config and share with us.
Regards
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FWIW
If this is the case, what you will need to do is create separate P2s per source going to destination.
Actually if it's from FGT-2-FGT & a route-based vpn, he could actually get away with a single proxyid of 0.0.0.0/0:0 & just ensure the corrects routes and policies are in place the for the networks that would carry interesting traffic.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@emnoc:
BIG "if"!
He still would need routes and policy objects for each subnet to make it work.
I personally always go the "multiple phase2" road because it's more RFC compliant, and self-documenting.
Could well be overlapping subnets, either given or accidentally by mistyping a subnet mask.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I personally list all unique src/dst subnets, but mainly to get statistics per SAs from the diag vpn tunnel list cmd. if you use the wildcard any, you will not get src-2-dst subnet details by each network.
FWIW;
In fortinet schools 7 teachings, they teach the simplified 0.0.0.0/0:0 method when we are going to FGT-2-FGT. It's one configuration that's mistake-free and like posted b4fore you still need routes and the correct fw-policies.
With a VPN to anything other than a fortigate appliance, your best bet is to use the individual src/dst and try to avoid the 0.0.0.0/0:0 approach. Word of advise from past, if you ever shoud see your self changing the VPN from a FGT-2-<some other vendor> is best to avoid the 0.0.0.0/0:0 approach imho.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is also a new command from FortiOS 5.2.1:
config vpn ipsec phase1-interface
edit <tunnel>
set mesh-selector-type subnet
end
With this is command you can have multiple subnets in source/destination in a single Phase2.
http://docs-legacy.fortinet.com/fos50hlp/52/index.html#page/FortiOS%205.2%20Help/ipsec.009.16.html
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct but you will still need to define the phase2 src/dst subnet in the phase2 configuration & they need to match the vpn remote peer. I wonder if this setting is what's dropped the p2 monitor reporting from the other threads on vpn phase2 details being missing ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you still need to define them, but you can do so with an address object.
One of the biggest pain was the paring of subnets,
If you had 10 subnets on each side you would have to create almost 100 Phase2 if you needed "any-any" traffic.
Now you can group the objects into a Group and the firewall will take care of the pairing of subnets, thank lord...I mean Fortinet ;)
FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice,
60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail
100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B,
11C
Related Posts
- Trouble Receiving DHCP Packet Over S2S... 314 Views
- VPN Connection dropping randomly 408 Views
- Route redistribution from BGP to OSPF... 1144 Views
- FortiExtender 40D AMEU no LTE connecntion 679 Views
- VOIP help 574 Views
Labels
-
FortiGate
6,606 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
103 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
26 -
SD-WAN
26 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.