*SOLVED* Double IPSEC Tunnel settings for one
Hi,
We're using a Fortigate 200B and created an IPSEC route-based tunnel. I have configured everything the way it has to be. The tunnel is working but when I monitor it to bring it up/down I see 2 tunnels for some reason. The second one is creating interference with the first one and I have no idea where it came from. Does anyone know how it is possible?
The only thing that is different between the tunnels is the Proxy ID source. The top one is a range and the bottom one is a single IP address within that range.
In the picture you can see what I can see in the IPsec Monitor, and the bottom part is the IKE setting, which clearly shows only the settings for one tunnel.
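As an added illustration (not part of the thread), a small check that flags phase 2 SAs whose proxy IDs overlap, the symptom described above where a range and a single host inside it both show up as tunnels. The monitor entries are constructed sample data, not real FortiGate output.

```python
# Added example, not from the original thread: flag IPsec phase 2 SAs whose
# proxy IDs (traffic selectors) overlap, e.g. a /24 range and a single host
# inside that range listed as two separate tunnels on the same gateway.
# MONITOR_ENTRIES is constructed sample data, not FortiGate monitor output.
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: tunnel name, phase 2 name, proxy-ID source/destination.
MONITOR_ENTRIES = [
    {"name": "to-branch", "p2": "to-branch-p2", "src": "192.168.10.0/24", "dst": "10.20.0.0/16"},
    {"name": "to-branch", "p2": "to-branch-p2", "src": "192.168.10.57/32", "dst": "10.20.0.0/16"},
    {"name": "to-dc",     "p2": "to-dc-p2",     "src": "192.168.20.0/24", "dst": "10.30.0.0/16"},
]

def selectors_overlap(a, b):
    """True if both the source and destination selectors of two SAs overlap."""
    return (ip_network(a["src"]).overlaps(ip_network(b["src"]))
            and ip_network(a["dst"]).overlaps(ip_network(b["dst"])))

def find_overlapping_sas(entries):
    """Return (broader, narrower) pairs of SA entries whose proxy IDs overlap.

    Two SAs with overlapping selectors on one gateway compete for the same
    traffic, which matches the 'interference' described in the question.
    Pairs are ordered by source prefix length (shorter prefix = broader).
    """
    hits = []
    for a, b in combinations(entries, 2):
        if selectors_overlap(a, b):
            ordered = sorted((a, b), key=lambda e: ip_network(e["src"]).prefixlen)
            hits.append((ordered[0], ordered[1]))
    return hits

def report(entries):
    """Human-readable summary lines, one per overlapping SA pair."""
    lines = []
    for broad, narrow in find_overlapping_sas(entries):
        lines.append(f"{broad['p2']}: selector {narrow['src']} -> {narrow['dst']} "
                     f"is covered by {broad['src']} -> {broad['dst']}")
    return lines

if __name__ == "__main__":
    for line in report(MONITOR_ENTRIES):
        print(line)
```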
6 REPLIES
Have you rebooted since messing with the tunnel definitions? I have seen strange things happen while I was making changes to phase 2 tunnel definitions. Sometimes I would get strange results. A reboot always cleared things up. There may be some value in just resetting the tunnels (renegotiating) instead. Your mileage may vary.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi,
I rebooted the system and the second tunnel disappeared.
Thank you for the reply!
I guess this could be happening if you have defined an address group in the destination network in the phase2 settings. Is this the case?
Can you post your phase2 configuration?
If you can't reboot (in production) is there a particular process that can be restarted instead?
I was able to reboot without any issues with other systems. I'm not sure if you can just restart services like you do on a server.
Rebooting the firewall doesn't take long at all.
Don't reboot the unit, instead:
diag vpn ike restart
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack