Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Site To Site Vpn (Fortigate to Cisco) Issue

Hi All, I am facing a problem with the site-to-site VPN (Fortinet to Cisco ASA). The tunnel frequently goes down and does not come up automatically. A manual restart is required to bring the tunnel up. The Auto Negotiate and keepalive options are already enabled. Can anyone give me a solution to resolve it? Thank you.

Esteemed Contributor III

If "set auto-negotiate enable" is configured, then did you run a sniffer to see whether the FGT or ASA is attempting auto-neg?

Try running the following when the tunnel is down and before you restart anything:

    diag sniffer packet <insert interface> "host x.x.x.x"

where x.x.x.x = the Cisco ASA VPN IP address.

If you see IKE packets between FGT<>ASA, then look at the diag debug flow for the interesting traffic to be encrypted. If you see IKE but only one-way, work from that point forward and from the direction that is not responding.

If the ipsec-tunnel is rfc1918 (aka IKE 4500/udp), then ensure NAT-T is enabled and maybe adjust the timers.

If you have DPD enabled, try disabling it; Cisco and ASA don't really do DPD.

Also it would not hurt to share both ASA and FGT configs.

    show run tunnel-group
    show run crypto
    show run crypto isakmp

    show vpn ipsec phase1-interface
    show vpn ipsec phase2-interface

PCNSE NSE StrongSwan
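To make the "IKE but only one-way" check in the reply above mechanical, here is a small added example (not code from the thread or from Fortinet) that reads saved `diag sniffer packet` output and reports whether IKE traffic between the two peers is two-way, one-way, or absent, and whether it ran on udp/4500 (NAT-T). It assumes the default verbosity-1 line format `time src.port -> dst.port: udp len`; the sample lines and the 198.51.100.x / 203.0.113.x addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the style of: diag sniffer packet wan1 "host 203.0.113.10"
# Four IKE packets leave the FGT (198.51.100.5) and nothing comes back from the ASA.
# The ip-proto 50 (ESP) line shows non-IKE traffic that the parser must ignore.
SAMPLE = """\
interfaces=[wan1]
filters=[host 203.0.113.10]
0.102345 198.51.100.5.500 -> 203.0.113.10.500: udp 392
0.302000 198.51.100.5 -> 203.0.113.10: ip-proto 50
0.602411 198.51.100.5.500 -> 203.0.113.10.500: udp 392
1.102502 198.51.100.5.500 -> 203.0.113.10.500: udp 392
1.602633 198.51.100.5.500 -> 203.0.113.10.500: udp 392
"""

# time  src.sport -> dst.dport: udp len   (IPv4 only; assumed verbosity-1 layout)
LINE = re.compile(r"^\s*[\d.]+\s+(\S+)\.(\d+)\s+->\s+(\S+)\.(\d+):\s+udp\s+(\d+)")
IKE_PORTS = {500, 4500}


def parse_ike(text):
    """Count UDP packets on IKE ports, keyed by (src, dst, dport)."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header lines, ESP, TCP, etc. are not IKE
        src, sport, dst, dport, _length = m.groups()
        if int(sport) in IKE_PORTS or int(dport) in IKE_PORTS:
            counts[(src, dst, int(dport))] += 1
    return counts


def assess(text, local, peer):
    """Return (verdict, natt) for the IKE exchange between local and peer.

    verdict is 'two-way', 'one-way-outbound', 'one-way-inbound' or 'none';
    natt is True when any IKE packet used udp/4500 (NAT-T)."""
    counts = parse_ike(text)
    out = sum(n for (s, d, _p), n in counts.items() if s == local and d == peer)
    inb = sum(n for (s, d, _p), n in counts.items() if s == peer and d == local)
    natt = any(p == 4500 for (_s, _d, p) in counts)
    if out and inb:
        return "two-way", natt
    if out:
        return "one-way-outbound", natt   # peer never answers: check the ASA side
    if inb:
        return "one-way-inbound", natt    # FGT never answers: check the FGT side
    return "none", natt
```

A "one-way-outbound" result with the tunnel down points the investigation at the ASA and the path towards it, which is exactly where the reply says to start.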