Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sivakumar28200
New Contributor

Site to Site VPN

Hi Guys,

 

Kindly help me on this. I have fortinet firewall and i have form site to site VPN but i unable to reach/ping 172.17.10.137:514. 

Here is the debug log.

-- 172.17.10.137 ping statistics --- 5 packets transmitted, 0 packets received, 100% packet loss FGT90D3Z13005673 # exe no object in the end Command fail. Return code -160 FGT90D3Z13005673 # diag debug enableid=20085 trace_id=33 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=33 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=33 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=33 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=33 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=34 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=34 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=34 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=34 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=34 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=34 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=35 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=35 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=35 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=35 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=35 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=35 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=36 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=36 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=36 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=36 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=36 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=36 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=37 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=37 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=37 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=37 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=37 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=37 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=38 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=38 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=38 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=38 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=38 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=39 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=39 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=39 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=39 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=39 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=39 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=40 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=40 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=40 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=40 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=40 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=40 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=41 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=41 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=41 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=41 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=41 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=41 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=42 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=42 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=42 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=42 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=42 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=42 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=43 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=43 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=43 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=43 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=43 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=43 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=44 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=44 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=44 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=44 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=44 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=44 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=45 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=45 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=45 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=45 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=45 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=45 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=46 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=46 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=46 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=46 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=46 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" id=20085 trace_id=47 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " id=20085 trace_id=47 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" id=20085 trace_id=47 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" id=20085 trace_id=47 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" id=20085 trace_id=47 func=esp_output4 line=1175 msg="IPsec encrypt/auth" id=20085 trace_id=47 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"

17 REPLIES 17
Toshi_Esumi
SuperUser
SuperUser

I would recommend removing NAT on the incoming policy for VPN traffic unless you have a reason to hide the subnet on the other end. Instead you should have proper routes on both ends to route each other.

Then when you started this flow debugging a session has already been established so it doesn't show the beginning. Once you dropped the NAT, start the debugging first then quickly access the destination from the other end so that you can capture the begging of the session.

sivakumar28200
New Contributor

There is no NAT.

 

Iescudero

Hi there!

It seems that the other peer is dropping the packets.

Can you check the other side of the vpn?

 

sivakumar28200

Hi there,

 

The other site is connected to Sophos firewall. How do I check that. Kindly advise. Thanks.

 

Regards,

 

Siva Kumar

Iescudero

According Sophos's Documentation:

"...Log in to the SF CLI Console on SSH.

Choose option 4. SF Console and execute the following commands at the console prompt:

For IPsec:

Command: show vpn IPSec-logs

 show vpn IPSec-logs

..."

 

 

sivakumar28200

Do I need to perform ping test and trace route during capturing IPSEC logs.

 

Iescudero

Yes!

sivakumar28200

Here is ipsecdebug logs

  Connected   FGT90D3Z13005673 # diagnose debug disable   FGT90D3Z13005673 # diagnose debug reset   FGT90D3Z13005673 # diagnose vpn ike gateway flush name KN2AIMS   FGT90D3Z13005673 # diagnose vpn ike log filter name  KN2AIMS   FGT90D3Z13005673 # diagnose debug application ike -1 Debug messages will be on for 30 minutes.   FGT90D3Z13005673 # diagnose debug enable   FGT90D3Z13005673 # ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:8eb29331 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005018EB2933100000054855BAD485FCE9A23AC71CFAD7AD3CDB5B63CEC1B0DD6A63D00021DFAC53E345AA3B864DC3F79E7FF268E48EB4D405BF7B6172D3D78604545 ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE2725081005018EB29331000000540B00001454CD6B102513EC6202E653DC49A814F0000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CAE00000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:ac2574f3 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE272508100501AC2574F3000000542191E921AA1F9CF3A0D8FA9D78B26A209B33AD81D06E81DABE8E0F598E36819C085A2F0B157F959818A1185F55D87434841518784102C39C ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE272508100501AC2574F3000000540B00001432FA9D7118830F463F00C72A92532AD5000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CAF00000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0:KN2AIMS: link is idle 5 210.186.145.206->203.223.137.87:0 dpd=1 seqno=17cb0 ike 0:KN2AIMS:4767: send IKEv1 DPD probe, seqno 97456 ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE2725081005015FD19BA6000000500B00001464F8EDAAE696E0BBEF526A55E5B877CB000000200000000101108D287F77E0B85E059F754EDB8B5C03CE272500017CB0 ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE2725081005015FD19BA6000000543D11E001B60FE7F3D6B3E6B93E2D521FE5CD1582E6E6A9E90AD0CC00A701A81D854E1595F364E99AF7E010A66EBA5AED7CC725FBDB14B053 ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:5fd19ba6 ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:36f25be2 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE27250810050136F25BE20000005401A7836C82BAAD204AABD1F060B7FC078C6C697BBC43E42D075F2FDFAC837F19AB36B1FF86029683D342321489E93F63A70182A7616B38F0 ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE27250810050136F25BE2000000540B000014899ACD41FF9F0E70446BAA5FFCAE63DB000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB000000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:89168556 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005018916855600000054DC570C26589511739C26F86BB73FCB8CF3DE27B300611E60E1246FEED7B0B54B1F47B84D5CDADF94B77A1EC8AFD9D5549D7CA6FB98179437 ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE27250810050189168556000000540B000014EF9E628D09B9E4798AD59E2915A855B6000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB100000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0:KN2AIMS: link is idle 5 210.186.145.206->203.223.137.87:0 dpd=1 seqno=17cb2 ike 0:KN2AIMS:4767: send IKEv1 DPD probe, seqno 97458 ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE27250810050105A398E4000000500B00001490AEBF66A15EDD400D4898F8677B8CC7000000200000000101108D287F77E0B85E059F754EDB8B5C03CE272500017CB2 ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE27250810050105A398E400000054C61AE87107136904F7B252BB380F976197E00F2B0BCAA278ED64E6133C2C9AFB8D8E5A1A8103305CD4F422A6758D6CD79540B10E0B4C6B84 ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:05a398e4 ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:9e92e7a5 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005019E92E7A5000000547B47CF59B81386A458D01DFFB5ABDD05D64F8EAFF6BCD1CB93FE415F834EECEB7DFA49B3232FA17E0ABD2EB83C617E330351ACD0EB82DDF8 ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE2725081005019E92E7A5000000540B00001474386B748C65FFB721022371B834BFF7000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB200000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:3f820fda len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005013F820FDA00000054A5639472B13C51D4CD05FE7AD0D879149E13EFE2EB3B90A34762A21B8BC12495BF1B3ECE214D1FCB28E36AFA735695E00B818F7BBFBE0451 ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE2725081005013F820FDA000000540B0000145D9CA14A711E7298748942EE84523322000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB300000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0:KN2AIMS: link is idle 5 210.186.145.206->203.223.137.87:0 dpd=1 seqno=17cb4 ike 0:KN2AIMS:4767: send IKEv1 DPD probe, seqno 97460 ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE272508100501A3FCB0D4000000500B0000144C247842F84798EFDF4CBFA40DECEE2E000000200000000101108D287F77E0B85E059F754EDB8B5C03CE272500017CB4 ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE272508100501A3FCB0D400000054507F05F4456246DCAFB9A5E11712A66F103646D32E4C36B74C9762E3C1BF70D2C30D40EAFE07A1BCB38DD788E1358422803263B8CC9B1E9A ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:a3fcb0d4 ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:fd6e1fb4 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE272508100501FD6E1FB400000054F947F1D2EA8812D344B06ECBC421B50D686233F5AA150D0F3D598B1F6364E7AF78513A986929FAB829F55BFD24735BD1221D7BACDF82AF32 ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE272508100501FD6E1FB4000000540B000014BD57CC1A781E5EB99CD0242AD47294B1000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB400000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0:KN2AIMS: link is idle 5 210.186.145.206->203.223.137.87:0 dpd=1 seqno=17cb5 ike 0:KN2AIMS:4767: send IKEv1 DPD probe, seqno 97461 ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE2725081005018C50120F000000500B0000148E5AF58920ACADDE5FC9E7D9F4F1E166000000200000000101108D287F77E0B85E059F754EDB8B5C03CE272500017CB5 ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE2725081005018C50120F00000054F24F281BD9E08170ED1CBA997B089A4617C5B015474D69313C58616E328B0A6FB28BAB6A163469E856510F9FAF5237AABFD03C5703A73756 ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:8c50120f ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:d92919db len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE272508100501D92919DB0000005436AE7FF14C5687BD5743FE7851C8C6F6654D1D09FC1504550D1239774EE596969AA33808CE54E766CD245C1597F37ECE1CDAB0058F31A78C ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE272508100501D92919DB000000540B0000148B3E00D339948E5FFC7F224C60E327C6000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB500000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0:KN2AIMS: link is idle 5 210.186.145.206->203.223.137.87:0 dpd=1 seqno=17cb6 ike 0:KN2AIMS:4767: send IKEv1 DPD probe, seqno 97462 ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE27250810050117F30975000000500B000014263AC2613D79DBBC02CBDA032347977C000000200000000101108D287F77E0B85E059F754EDB8B5C03CE272500017CB6 ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE27250810050117F30975000000548ABAF97F7D7EC39A4870A9C0FB0FAFCA39563AF921E332A8C8DC8F25D02E9B066CEBD20D8D15B565B463B03F5E22BF2186EC1F250BB0A779 ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:17f30975 ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:4852f685 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005014852F685000000545D8002CF941802F6640A5C316E64536E4105445342853BF8A0BFED6E4309ECACDCADB01BE8E269D9E541A9A1B3C951A74DA6FF7AE3EF6ECD ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE2725081005014852F685000000540B0000143FB3374D060459EF3884222CCCE3C163000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB600000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:8532e9df len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005018532E9DF0000005470A2CB1DF60A3DC93A2E129E348BE1283A4C5A672CF473BF7438E5B6CBC7284BA40440A69D887BF9FDE4E322ABFCF3C1D1872549D6895CB0 ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE2725081005018532E9DF000000540B000014E635288F76E679FA438390A311B50F29000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB700000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK ike 0:KN2AIMS: link is idle 5 210.186.145.206->203.223.137.87:0 dpd=1 seqno=17cb8 ike 0:KN2AIMS:4767: send IKEv1 DPD probe, seqno 97464 ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE272508100501F35B94F8000000500B0000148EE2F376AF10327FAA1D1EAFFEE32433000000200000000101108D287F77E0B85E059F754EDB8B5C03CE272500017CB8 ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE272508100501F35B94F800000054FD97F5987C287F4D860D4DDC589F0B979659491B74F15671E7F01ADFDB01694E2C1491AE67D5E0D85CDF1C89ED23595974C334D1D4078D6C ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:f35b94f8 ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:6e01e3a2 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005016E01E3A200000054242BFDCC2993C2D0F3EA28FC4A34D7B36B559638CFEC24C1C8DA8BE7EAD2AC4974B0255E5A7EBCCC8788C99DD62B1A2EC0404A6E3F6DFECF ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE2725081005016E01E3A2000000540B000014526BF56B242D45DFB7FC93E0992C355B000000200000000101108D287F77E0B85E059F754EDB8B5C03CE2725325493EE00000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE272508100501B5CEA4BB000000500B0000144A38BBDBBF688447675FFE5CC63DC33B000000200000000101108D297F77E0B85E059F754EDB8B5C03CE2725325493EE ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE272508100501B5CEA4BB00000054032310EE146E1117741FB62B87A1BFDC224CFC626434EFA81A15518F472193DF983754A8C76D3FD790F27039C469EB90CC3E621D477D6E43 ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE-ACK): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:b5cea4bb ike 0:KN2AIMS: link is idle 5 210.186.145.206->203.223.137.87:0 dpd=1 seqno=17cb9 ike 0:KN2AIMS:4767: send IKEv1 DPD probe, seqno 97465 ike 0:KN2AIMS:4767: enc 7F77E0B85E059F754EDB8B5C03CE272508100501AD1A09CE000000500B000014A81A77E775629A6AE90B33B09AF92685000000200000000101108D287F77E0B85E059F754EDB8B5C03CE272500017CB9 ike 0:KN2AIMS:4767: out 7F77E0B85E059F754EDB8B5C03CE272508100501AD1A09CE00000054015137E228994484A218AD07AD7A95E20A6EF4736382C43D2B6291A4C9F4882EAF7D8B59A0BE60151FA987FA0C9DD6EA5C70CA4812A74AF1 ike 0:KN2AIMS:4767: sent IKE msg (R-U-THERE): 210.186.145.206:500->203.223.137.87:500, len=84, id=7f77e0b85e059f75/4edb8b5c03ce2725:ad1a09ce ike 0: comes 203.223.137.87:500->210.186.145.206:500,ifindex=5.... ike 0: IKEv1 exchange=Informational id=7f77e0b85e059f75/4edb8b5c03ce2725:5274ea90 len=84 ike 0: in 7F77E0B85E059F754EDB8B5C03CE2725081005015274EA9000000054535A6C1EDC3D76BDE72EEAFBFE3D07F20585D22436F1E39B91109CBDEF3ED0704ABC70F744925CBE721EF63F506915773373F4AEE1B640BE ike 0:KN2AIMS:4767: dec 7F77E0B85E059F754EDB8B5C03CE2725081005015274EA90000000540B0000149B2BD32FC7C89B4D7E94B25BBA981F42000000200000000101108D297F77E0B85E059F754EDB8B5C03CE272500017CB900000000 ike 0:KN2AIMS:4767: notify msg received: R-U-THERE-ACK

Toshi_Esumi

As you can see it's been already established and exchanging R-U-THERE and R-U-THERE-ACK. You need to capture the debug output when you hit "Connect" on the FortiClient side.

By the way, does the client device has a public IP:203.223.137.87 on itself? Not behind a NAT device? They're using UDP port 500, which means no NAT-traversal.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors