sijo_km
New Contributor

Site To Site Vpn (Fortigate to Cisco) Issue

Hi All, I am facing a problem with a site-to-site VPN (Fortinet to Cisco ASA). The tunnel frequently goes down and does not come up automatically; a manual restart is required to bring the tunnel up. The auto-negotiate and keepalive options are already enabled. Can anyone give me a solution to resolve it? Thank you.

emnoc
Esteemed Contributor III

If "set auto-negotiate enable" is configured, then did you run the sniffer to see if the FGT or ASA is attempting auto-negotiation?

Try running the following when the tunnel is down and before you restart anything:

    diag sniffer packet <insert interface> "host x.x.x.x"

where x.x.x.x = the Cisco ASA VPN IP address.

If you see IKE packets between FGT<>ASA, then look at the diag debug flow for the interesting traffic to be encrypted. If you see IKE but only one-way, work from that point forward and from the direction that is not responding.

If the IPsec tunnel is RFC1918 (aka IKE 4500/udp), then ensure NAT-T is enabled and maybe adjust the timers.

If you have DPD enabled, try disabling it; Cisco and ASA don't really do DPD.

Also, it would not hurt to share both the ASA and FGT configs.

ASA

    show run tunnel-group
    show run crypto
    show run crypto isakmp

FGT

    show vpn ipsec phase1-interface
    show vpn ipsec phase2-interface

PCNSE NSE StrongSwan
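As an added example (not part of emnoc's reply or any Fortinet tool), here is a small Python helper that applies the one-way check described above to saved `diag sniffer packet` output: it counts IKE packets (UDP 500/4500) toward and from the ASA address and reports which side is not answering. The sniffer line layout and the sample capture are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed shape of one verbosity-4 sniffer line (constructed for this example):
#   <timestamp> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>
SNIFFER_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<len>\d+)"
)
IKE_PORTS = {500, 4500}  # 500 = plain IKE, 4500 = IKE/ESP with NAT-T

def parse_sniffer(text):
    """Yield one dict per UDP packet line; hex dumps and other noise are skipped."""
    for line in text.splitlines():
        m = SNIFFER_LINE.match(line.strip())
        if m and m.group("proto") == "udp":
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            yield pkt

def ike_direction_summary(text, peer_ip):
    """Count IKE packets to and from the peer and say which side is silent."""
    to_peer, from_peer = Counter(), Counter()
    for pkt in parse_sniffer(text):
        if pkt["dport"] not in IKE_PORTS and pkt["sport"] not in IKE_PORTS:
            continue  # not IKE traffic (e.g. DNS to the same host)
        if pkt["dst"] == peer_ip:
            to_peer[pkt["dport"]] += 1
        elif pkt["src"] == peer_ip:
            from_peer[pkt["sport"]] += 1
    sent, recv = sum(to_peer.values()), sum(from_peer.values())
    if sent and recv:
        verdict = "two-way"
    elif sent:
        verdict = "one-way: peer not responding"
    elif recv:
        verdict = "one-way: local side not responding"
    else:
        verdict = "no IKE seen"
    nat_t = (to_peer[4500] + from_peer[4500]) > 0
    return {"sent": sent, "received": recv, "nat_t": nat_t, "verdict": verdict}

# Constructed sample: three IKE retransmits leave wan1, nothing comes back from the peer.
SAMPLE = """\
0.112233 wan1 out 203.0.113.10.500 -> 198.51.100.20.500: udp 432
0.612233 wan1 out 203.0.113.10.500 -> 198.51.100.20.500: udp 432
1.112233 wan1 out 203.0.113.10.500 -> 198.51.100.20.500: udp 432
2.000001 wan1 in 198.51.100.20.53 -> 203.0.113.10.33000: udp 80
"""

if __name__ == "__main__":
    print(ike_direction_summary(SAMPLE, "198.51.100.20"))
```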
pmeet
Staff

Can you try disabling NP offloading on the FortiGate and monitor it?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Disable-Hardware-Acceleration/ta...

PATELMM
Umer221
Staff

In addition to the above suggestions, you might want to verify whether the FortiGate is acting as an initiator or a responder, using this article:
https://community.fortinet.com/t5/Customer-Service/Technical-Tip-How-to-make-sure-the-FortiGate-will...

kkhushdeep
Staff

Please check whether you are using named address objects in the phase2 selectors, and try using direct subnets and separate phase2 selectors instead of named objects.
It is also possible to configure mesh-selector-type:

    mesh-selector-type {disable | subnet | host}

But this option is not available in all versions.
Helpful link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPsec-VPN-between-FortiGate-and-other-Vend...
