Hi,
I have created a SS VPN with Cisco ASA.
Unless the remote site (ASA) initiates the ping, the VPN tunnel remains down. As soon as the ping is initiated from the ASA, everything works.
Can anyone help me with this?
Hello,
Thank you for your question. So if you manually bring phase2 up or traffic is initiated from a client behind the FortiGate, the tunnel is down? Can you verify whether phase1 is up but phase2 is not? Are you using an address group in the phase2 selectors? Can you share:
diag vpn ike gateway list name <tunnel_name>
diag vpn tunnel list name <tunnel_name>
when the tunnel is down
Thank you.
So phase1 is up, phase2 is down. In that case, I recommend enabling debug as my colleague suggested, manually bringing phase2 up from the GUI and checking what kind of error occurs during negotiation.
Hi,
You can perform a debug to understand where the VPN fails during negotiation.
diag deb reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 <peer IP>
diag deb appl ike -1
diag deb en
Regards,
Hi,
From the last screenshot, the FGT is receiving a No proposal chosen message. So you will need to check Cisco's side to see why it is not matching. Usually it is related to selectors, but you should see it via debug on the ASA.
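An added example (mine, not from the thread or from Fortinet), with a constructed debug capture in an assumed line format: a small Python triage of `diag deb appl ike -1` output that tells a completed phase1 apart from a phase2 rejected by the peer, such as the NO-PROPOSAL-CHOSEN notify discussed above, and pulls out the selectors we proposed so they can be compared with the ASA side.

```python
import re

# Constructed sample of FortiGate IKE debug output (assumed line format,
# not a real capture): phase1 completes, then phase2 is refused by the peer.
SAMPLE_IKE_DEBUG = """\
ike 0:ToASA:42: responder: main mode get 1st message...
ike 0:ToASA:42: PSK authentication succeeded
ike 0:ToASA:42: established IKE SA 0000000000000001/0000000000000002
ike 0:ToASA:42:43: initiator: quick-mode set
ike 0:ToASA:43: my proposal: 10.1.0.0/24 -> 192.168.5.0/24
ike 0:ToASA:43: notify msg received: NO-PROPOSAL-CHOSEN
"""

PHASE1_UP = re.compile(r"established IKE SA")
PHASE2_START = re.compile(r"quick-mode|CHILD_SA")   # IKEv1 quick mode / IKEv2 child SA
NOTIFY = re.compile(r"notify msg received: ([A-Z0-9_-]+)")
SELECTOR = re.compile(r"my proposal: (\S+) -> (\S+)")


def triage_ike_debug(text):
    """Summarise a capture: phase1 up, phase2 attempted, last notify received,
    and the local/remote selectors proposed in phase2."""
    result = {"phase1_up": False, "phase2_attempted": False,
              "notify": None, "proposed_selectors": None}
    for line in text.splitlines():
        if PHASE1_UP.search(line):
            result["phase1_up"] = True
        if PHASE2_START.search(line):
            result["phase2_attempted"] = True
        m = SELECTOR.search(line)
        if m:
            result["proposed_selectors"] = (m.group(1), m.group(2))
        m = NOTIFY.search(line)
        if m:
            result["notify"] = m.group(1)
    return result


def diagnosis(summary):
    """Map the summary onto the situations discussed in the thread."""
    if not summary["phase1_up"]:
        return "phase1 failed: check IKE proposal, pre-shared key and peer IP"
    if summary["notify"] == "NO-PROPOSAL-CHOSEN":
        return ("phase2 rejected by peer: compare selectors "
                f"{summary['proposed_selectors']} and the IPsec proposal "
                "with the ASA crypto map and its interesting-traffic ACL")
    if summary["phase2_attempted"]:
        return "phase2 did not complete: inspect the remaining notifies"
    return "phase1 up, phase2 never attempted: check what triggers negotiation"
```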
Copyright 2024 Fortinet, Inc. All Rights Reserved.