Dear Concern,
I had established primary and secondary IPsec tunnels with a cloud server through two different ISPs. Both tunnels had been working properly for the last 2.5 years. However, for the past few days, I have encountered an issue with the primary tunnel: when the primary ISP is up, Phase 1 of the primary IPsec tunnel comes up, but Phase 2 does not. No configuration changes have been made on my side—this issue occurred on its own. For the time being, I have manually forced down the WAN interface of the primary ISP on the FortiGate, so that all traffic, including the IPsec tunnel, is running through the secondary ISP.
Troubleshooting observations:
From the primary ISP, the cloud server’s WAN IP is reachable with stable ping response and latency.
Traceroute results from both primary and secondary ISPs are identical and complete in terms of hop counts.
Using nmap to check port-based traceroute towards the cloud server’s WAN IP confirmed that both standard ports (500 and 4500) are open and the trace completes successfully, indicating no blockage at ISP or upstream level.
Cross-checking the FortiGate configuration shows that the parameters for both phases (Phase 1 & Phase 2) of the secondary tunnel (which is working fine) and the primary tunnel are identical.
Firewall policies are correctly configured, and static routes are properly maintained. Two static routes are configured for failover:
Primary IPsec tunnel via Primary ISP: AD value 10, priority 10
Secondary IPsec tunnel via Secondary ISP: AD value 10, priority 15
Additionally, the secondary tunnel is configured with “set monitor” on the primary tunnel to ensure auto failover. When the primary ISP or its tunnel goes down, the secondary tunnel comes up automatically and communication starts as expected.
Kindly suggest and guide me on further troubleshooting steps. Please share the relevant commands that I can run to confirm that there is no issue from my FortiGate or ISP end.
Waiting for your appreciable support
Hi,
When the primary tunnel has Phase 2 down, I would try to enable debug for it while initiating some traffic from local to remote, and see what logs you get when the traffic should use it.
Hi,
I have already tested this, and according to the debug logs, the message ‘processing notify type NO_PROPOSAL_CHOSEN’ appears on Phase 2. As far as I understand, this usually occurs when the Phase 2 parameters on both ends do not match—am I correct?
I have also logged a case with the far end so that the parameters can be cross-checked, although I don’t believe they would change any parameters on their side without informing us. Nevertheless, I wanted to be certain from my side, which is why I performed all of this troubleshooting.
Is it possible that this issue is related to PFS? It is currently enabled in the Phase configuration.
PFS could be one of the factors; see https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Understanding-message-no-proposal-ch...
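The commands asked for in the opening post, collected as an added FortiGate CLI walkthrough (this is not the thread participants' own output and not a Fortinet document). It captures the IKE exchange for the primary peer only, forces a fresh Phase 2 negotiation while interesting traffic is flowing, and records the local Phase 2 proposal so it can be compared line by line with the far end. The names "primary-p1", "primary-p2", "secondary-p2" and the peer address 203.0.113.10 are placeholders, replace them with your own phase1-interface / phase2-interface names and the cloud server's WAN IP; lines beginning with "#" are explanatory notes, not commands.

```fortios
# Added example, not from the thread. Placeholders (assumed): primary-p1 =
# phase1-interface name of the primary tunnel, primary-p2 / secondary-p2 =
# phase2-interface names, 203.0.113.10 = cloud server WAN IP.

# 1. Confirm the current state: Phase 1 gateway established, Phase 2 SA absent.
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name primary-p1
diagnose vpn tunnel list name primary-p1

# 2. Restrict the IKE debug to this peer, then enable it with timestamps.
#    (FortiOS 7.x syntax; 6.x uses "diagnose vpn ike log-filter dst-addr4 ...")
diagnose vpn ike log filter clear
diagnose vpn ike log filter dst-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

# 3. Tear down the existing gateway so a fresh negotiation starts. Generate
#    traffic from the local subnet towards the remote subnet at the same time,
#    so the Phase 2 proposal (encryption, integrity, DH group for PFS, and the
#    source/destination selectors) is actually sent and the peer's reply logged.
diagnose vpn ike gateway clear name primary-p1

# ... read the output: the locally offered Phase 2 proposal is printed shortly
# before "processing notify type NO_PROPOSAL_CHOSEN" arrives from the peer.

# 4. Stop the debug once the exchange has been captured.
diagnose debug disable
diagnose debug reset

# 5. Record the Phase 2 settings exactly as configured, for comparison with the
#    far end and with the working secondary tunnel.
show vpn ipsec phase2-interface primary-p2
show vpn ipsec phase2-interface secondary-p2

# 6. Optionally confirm the IKE packets leave and return on the primary WAN
#    (UDP 500/4500) rather than the secondary ISP.
diagnose sniffer packet any 'host 203.0.113.10 and (port 500 or port 4500)' 4 0 l
```

When reading the captured proposal against the far end's Phase 2 definition, check all three things that the peer can reject with NO_PROPOSAL_CHOSEN: the encryption/integrity algorithm pair, the DH group when PFS is enabled (with PFS on, the dhgrp must be one the peer accepts for Phase 2, independently of the Phase 1 group), and the traffic selectors (src-subnet / dst-subnet), which must be acceptable to the peer's selector set. Because the secondary tunnel negotiates successfully with identical local settings, a difference that appeared only on the primary side of the far end (for example a per-peer Phase 2 policy keyed on the primary ISP's public IP) is the most useful thing to ask the cloud provider to verify.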