- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiAP
- FortiClient
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiExtender
- FortiEDR
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Phase 2 VPN showing a green and a red arrow
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Phase 2 VPN showing a green and a red arrow
Hi all, why is the phase 2 showing a green and a red arrow? This is a Teltonika RUT901 connecting to a Fortigate 100F. Any advice would be appreciated.
Labels:
- Labels:
-
FortiGate
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @BFieldy ,
According to this error, a new phase 2 addition has been made on the FortiGate side, but this addition has not been made on the other side or the settings seem to be incompatible.
Did you configure 2nd phase 2 selector on teltonica side?
Also, can you run these commands on Fortigate after that can you share the output with us?
diag debug disable
diag debug reset
diag vpn ike log-filter clear
diag vpn ike log-filter name RWAS_TEST_VPN
diag debug application ike -1
diag debug enable
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @ozkanaltas,
Before I run these commands will this cause any service issues with current VPNs running?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @BFieldy ,
These commands does not affect your vpn traffic.Just shows debug logs which is not showing on gui.
If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it
easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @BFieldy ,
Can you paste the output of commands below:
get vpn ipsec tunnel summary
diag vpn tunnel list name RWAS_TEST_VPN
diag vpn ike gateway list name RWAS_TEST_VPN
The below might also help:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...
Best regards,
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Created on 05-24-2024 08:25 AM Edited on 05-24-2024 08:26 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @fricci_FTNT,
'RWAS_TEST_VPN' 109.109.153.210:4500 selectors(total,up): 2/1 rx(pkt,err): 20424/0 tx(pkt,err): 0/0
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=RWAS_TEST_VPN ver=2 serial=5 10.255.255.253:4500->109.109.153.210:4500 tun_id=109.109.153.210 tun_id6=::109.109.153.210 dst_mtu=1500 dpd-link=on weight=1
bound_if=7 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=2 child_num=0 refcnt=7 ilast=5016 olast=51695743 ad=/0
stat: rxp=20424 txp=0 rxb=3184038 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=0 interval=10 remote_port=4500
proxyid=RWAS_TEST_VPN proto=0 sa=1 ref=2 serial=5 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:109.109.153.210-109.109.153.210:0
SA: ref=4 options=18627 type=00 soft=0 mtu=1422 expire=28791/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00004fc4 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=7439c315 esp=aes key=16 96a78e61fa2441571754539b8e21f044
ah=sha1 key=20 f254eba969e7e720e1bf0d18bb12e8777a18b4a0
enc: spi=cc9ac9ac esp=aes key=16 0b1acd12c9d49516b53cdda94769cc07
ah=sha1 key=20 59c5b0d4b5dbedf9892897b1dbcc72d30a36ed1a
dec:pkts/bytes=20428/3188808, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=109.109.153.210 npu_lgwy=10.255.255.253 npu_selid=3e dec_npuid=1 enc_npuid=0
proxyid=RWAS_TEST_VPN proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
run_tally=0
vd: root/0
name: RWAS_TEST_VPN
version: 2
interface: wan1 7
addr: 10.255.255.253:4500 -> 109.109.153.210:4500
tun_id: 109.109.153.210/::109.109.153.210
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 169.254.35.165 -> 0.0.0.0
created: 14202s ago
peer-id: teltonika
peer-id-auth: no
nat: me peer
PPK: no
IKE SA: created 1/1 established 1/1 time 4870/4870/4870 ms
IPsec SA: created 1/1 established 1/1 time 4870/4870/4870 ms
id/spi: 134539 42bea39f6145a995/2f00641e7c3e4264
direction: initiator
status: established 14202-14197s ago = 4870ms
proposal: aes128-sha256
child: no
SK_ei: b59f59a62a65ad94-38e48d89968a348e
SK_er: 9c0ab4b8bbf9f0c5-66a48e40885dff19
SK_ai: a0eed65b4baa30e2-3de058b0c85298a0-eb91385f69427d59-c80a8b914d93f844
SK_ar: 30b14a40546eea0b-396dbc7946e59036-7f1cd6d506d4758e-f76918c054529ead
PPK: no
message-id sent/recv: 2/0
lifetime/rekey: 43200/28702
DPD sent/recv: 00000000/00000000
peer-id: teltonika
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your phase2 config snippet + the "diag vpn tunnel list" give us the answer.
Your phase2 is configured with wildcard selectors, any IP allowed: 0.0.0.0/0->0.0.0.0/0.
However the other side negotiated a more specific selectors: 0.0.0.0/0 -> 109.109.153.210/32 (your side -> remote side)
Thus the outputs and the GUI status are showing two phase2 SAs:
1. The one that was negotiated:
proxyid=RWAS_TEST_VPN proto=0 sa=1 ref=2 serial=5 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:109.109.153.210-109.109.153.210:0
SA: ref=4 options=18627 type=00 soft=0 mtu=1422 expire=28791/0B replaywin=2048
[...]
2. The one that exists in the config but ended up not being agreed on (the SA is marked as red in the GUI):
proxyid=RWAS_TEST_VPN proto=0 sa=0 ref=2 serial=1 auto-negotiate
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:0.0.0.0-255.255.255.255:0
run_tally=0
This is normal with IKEv2, which supports selector narrowing, where both sides only need to find an overlap in their proposals to reach agreement.
In your case, this can be considered a problem if you are expecting both sides to agree on a wide-open SA (0/0->0/0), in which case you should reconfigure the remote peer to offer a wilde-open selector as well. Otherwise, this is normal and can be ignored.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
It looks like there are 2 IPsec phase2 configured. You may consider to verify by running the command below in CLI:
sh | grep -f RWAS_TEST_VPN (and check "config vpn ipsec phase2-interface" configuration section)
FortiGate
Created on 05-24-2024 08:20 AM Edited on 05-24-2024 09:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, the command returns:
PRDICTFWD003 # sh | grep -f RWAS_TEST_VPN
config system interface
edit "RWAS_TEST_VPN" <---
set vdom "root"
set ip 169.254.35.165 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 169.254.35.166 255.255.255.252
set snmp-index 38
set interface "wan1"
next
end
config vpn ipsec phase1-interface
edit "RWAS_TEST_VPN" <---
set interface "wan1"
set ike-version 2
set local-gw 10.255.255.253
set keylife 43200
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes128-sha256
set localid "fortigate"
set nattraversal forced
set remote-gw 109.109.153.210
set psksecret ENC
next
end
config vpn ipsec phase2-interface
edit "RWAS_TEST_VPN" <---
set phase1name "RWAS_TEST_VPN" <---
set proposal aes128-sha1
set auto-negotiate enable
next
end
(didnt include the temporary allow all firewall rules)
config router static
edit 18
set dst 10.220.0.0 255.255.255.240
set device "RWAS_TEST_VPN" <---
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
There is only one phase2 selector configured. It is not clear why there are 2 arrows for phase 2 in GUI though.
Both phase 1 and phase 2 are up:
IKE SA: created 1/1 established 1/1 time 4870/4870/4870 ms
IPsec SA: created 1/1 established 1/1 time 4870/4870/4870 ms
FortiGate output looks good. In case there is still connectivity issue, I would recommend to sniff the traffic "diagnose sniffer packet any 'host <destination IP address>' 4 0 a" while pinging host on the other site. In case connectivity looks good, you may consider rebooting FortiGate and check GUI output.
Moreover, you may consider to add widget GUI: Dashboard -> IPsec and check how many phase2 will be visible.
FortiGate
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiLink won't come up/stay up! 636 Views
- Option to encrypt logs to Fortianalyzer... 783 Views
- FortiAP U231F Problems 1317 Views
- FortiGate 601F in HA Secondary all... 3482 Views
Labels
-
FortiGate
7,038 -
FortiClient
1,388 -
5.2
801 -
5.4
639 -
FortiManager
610 -
FortiAnalyzer
446 -
6.0
416 -
FortiAP
369 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
286 -
FortiMail
272 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
172 -
6.4
128 -
FortiNAC
123 -
FortiGuard
112 -
IPsec
104 -
FortiGateCloud
94 -
SSL-VPN
94 -
FortiSIEM
91 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
48 -
FortiADC
45 -
Fortivoice
44 -
SD-WAN
43 -
FortiEDR
42 -
FortiDNS
37 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiAuthenticator
32 -
FortiSwitch v6.4
32 -
Firewall policy
32 -
VLAN
28 -
High Availability
28 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
DNS
21 -
FortiConverter
21 -
BGP
19 -
FortiGate v5.2
19 -
Certificate
19 -
SAML
18 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
16 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Interface
14 -
Logging
14 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
RADIUS
11 -
NAT
11 -
Web profile
11 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Proxy policy
6 -
Security profile
6 -
Traffic shaping policy
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
FortiAP profile
5 -
Automation
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
Web rating
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
FortiDB
3 -
Intrusion prevention
3 -
Protocol option
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
FortiAI
2 -
Application signature
2 -
VoIP profile
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
4.0MR1
1 -
TACACS
1 -
Subscription Renewal Policy
1 -
Replacement messages
1 -
FortiCWP
1 -
FortiNDR
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
DLP sensor
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1041 | |
| 862 | |
| 512 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.