sijo_km
New Contributor

Site To Site Vpn (Fortigate to Cisco) Issue

Hi All, I am facing a problem with the site-to-site VPN (Fortinet to Cisco ASA). The tunnel frequently goes down and does not come up automatically. A manual restart is required to bring the tunnel up. Auto Negotiate and keepalive options are enabled already. Can anyone give me a solution to resolve it? Thank You

1 REPLY
emnoc
Esteemed Contributor III

If "set auto-negotiate enable" is configured, then did you run the sniffer to see if the FGT or ASA is attempting auto-neg?

Try running the following when the tunnel is down & before you restart anything.

    diag sniffer packet <insert interface> "host x.x.x.x"

where x.x.x.x = the Cisco ASA VPN ip_address.

If you see IKE packets between FGT<>ASA, then look at the diag debug flow for the interesting traffic to be encrypted. If you see IKE but only one-way, work from that point forward and from the direction not responding.

If the ipsec-tunnel is rfc1918 (aka IKE 4500/udp), then ensure NAT-T is enabled and maybe adjust the timers.

If you have DPD enabled, try disabling it; Cisco and ASA don't really do DPD.

Also it would not hurt to share both ASA and FGT configs.


ASA

    show run tunnel-group
    show run crypto
    show run crypto isakmp

FGT

    show vpn ipsec phase1-interface
    show vpn ipsec phase2-interface


PCNSE NSE StrongSwan
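An added helper (not from this thread, Fortinet or Cisco) for the first step in the reply: feed it the lines captured with `diag sniffer packet <if> "host x.x.x.x" 4` and it reports whether IKE (UDP 500/4500) is seen in both directions, only one way, or not at all, and whether NAT-T is in use. The line layout it parses, the addresses and the capture lines are all assumptions constructed for the example.

```python
import re
from collections import Counter

# One line of FortiGate "diag sniffer packet <if> '<filter>' 4" output, assumed as:
#   <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>
LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)
IKE_PORTS = {500, 4500}  # 500 = IKE, 4500 = IKE/ESP encapsulated for NAT-T

def analyze_ike(lines, peer_ip):
    """Count IKE packets to/from peer_ip and say which way negotiation is working."""
    counts = Counter()
    nat_t = False
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proto"] != "udp":
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if not ({sport, dport} & IKE_PORTS):
            continue  # not IKE/NAT-T (e.g. DNS from the same host), ignore
        if m["dst"] == peer_ip:
            counts["to_peer"] += 1
        elif m["src"] == peer_ip:
            counts["from_peer"] += 1
        else:
            continue
        nat_t = nat_t or 4500 in (sport, dport)
    to_peer, from_peer = counts["to_peer"], counts["from_peer"]
    if to_peer and from_peer:
        verdict = "bidirectional: IKE is exchanged, next check diag debug flow"
    elif to_peer:
        verdict = "one-way: we send IKE, peer never answers; look at the peer/path"
    elif from_peer:
        verdict = "one-way: peer sends IKE, we never answer; look at local phase1"
    else:
        verdict = "no IKE traffic: nobody is auto-negotiating"
    return {"to_peer": to_peer, "from_peer": from_peer, "nat_t": nat_t, "verdict": verdict}

# Constructed sample capture (FGT 198.51.100.5, ASA 203.0.113.10), not real output.
SAMPLE_ONE_WAY = """\
1.001234 wan1 out 198.51.100.5.500 -> 203.0.113.10.500: udp 312
4.002100 wan1 out 198.51.100.5.500 -> 203.0.113.10.500: udp 312
8.000000 wan1 in 203.0.113.10.1024 -> 198.51.100.5.53: udp 60
""".splitlines()
SAMPLE_NAT_T = SAMPLE_ONE_WAY + [
    "9.100000 wan1 in 203.0.113.10.4500 -> 198.51.100.5.4500: udp 180",
]
```

Run `analyze_ike(SAMPLE_ONE_WAY, "203.0.113.10")` on the one-way sample to see the verdict that points at the ASA side, and on `SAMPLE_NAT_T` to see the bidirectional, NAT-T case.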