Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPresence
- FortiPortal
- FortiProxy
- FortiRecon
- FortiSRA
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Tunnel is up but no data flow / Cisco ASA-FG60B
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tunnel is up but no data flow / Cisco ASA-FG60B
Hello togehter. Cause I could not fine any solution within older posts, I will write here some lines and hope somebody can help me.
At first - I already have configured FG systems with Site2Site VPNs when on the other end is a different vendor like Juniper or Check Point but this Cisco ASA (lates OS) is frustrating me.
I can see on both sites that the tunnel is up but I get 0 data on RX or TX. Also in the FG IPSec montitor I can see a green tunnel but no data flow.
On FG I get this message... and that repeats all the time.
2011-01-02 19:10:27 ike 2: comes 188.195.188.215:500->80.19.191.189:500,ifindex=14....
2011-01-02 19:10:27 ike 2: IKEv1 exchange=Informational id=78bd6d0b4f34568b/79226ef04d7f1790:bf26a430 len=92
2011-01-02 19:10:27 ike 2: found 188.195.188.215 80.19.191.189 14 -> 188.195.188.215:500
2011-01-02 19:10:27 ike 2:188.195.188.215:592: notify msg received: R-U-THERE-ACK
2011-01-02 19:10:32 ike 2:188.195.188.215:592: send IKEv1 DPD probe, seqno 536
2011-01-02 19:10:32 ike 2:188.195.188.215:592: sent IKE msg (R-U-THERE): 80.19.191.189:500->188.195.188.215:500, len=92
2011-01-02 19:10:32 ike 2: comes 188.195.188.215:500->80.19.191.189:500,ifindex=14....
2011-01-02 19:10:32 ike 2: IKEv1 exchange=Informational id=78bd6d0b4f34568b/79226ef04d7f1790:d5e9c69d len=92
2011-01-02 19:10:32 ike 2: found 188.195.188.215 80.19.191.189 14 -> 188.195.188.215:500
2011-01-02 19:10:32 ike 2:188.195.188.215:592: notify msg received: R-U-THERE-ACK
diag debu di2011-01-02 19:10:37 ike 2:188.195.188.215:592: send IKEv1 DPD probe, seqno 537
2011-01-02 19:10:37 ike 2:188.195.188.215:592: sent IKE msg (R-U-THERE): 80.19.191.189:500->188.195.188.215:500, len=92
2011-01-02 19:10:37 ike 2: comes 188.195.188.215:500->80.19.191.189:500,ifindex=14....
2011-01-02 19:10:37 ike 2: IKEv1 exchange=Informational id=78bd6d0b4f34568b/79226ef04d7f1790:49ddaab4 len=92
2011-01-02 19:10:37 ike 2: found 188.195.188.215 80.19.191.189 14 -> 188.195.188.215:500
2011-01-02 19:10:37 ike 2:188.195.188.215:592: notify msg received: R-U-THERE-ACK
Cisco ASA shows that.
Jan 02 18:20:19 [IKEv1]: IP = 80.190.191.189, IKE_DECODE RECEIVED Message (msgid=262186a9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 02 18:20:19 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, processing hash payload
Jan 02 18:20:19 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, processing notify payload
Jan 02 18:20:19 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, Received keep-alive of type DPD R-U-THERE (seq number 0x1be)
Jan 02 18:20:19 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x1be)
Jan 02 18:20:19 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, constructing blank hash payload
Jan 02 18:20:19 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, constructing qm hash payload
Jan 02 18:20:19 [IKEv1]: IP = 80.190.191.189, IKE_DECODE SENDING Message (msgid=eb657dd6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 02 18:20:24 [IKEv1]: IP = 80.190.191.189, IKE_DECODE RECEIVED Message (msgid=9f2feb84) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 02 18:20:24 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, processing hash payload
Jan 02 18:20:24 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, processing notify payload
Jan 02 18:20:24 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, Received keep-alive of type DPD R-U-THERE (seq number 0x1bf)
Jan 02 18:20:24 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x1bf)
Jan 02 18:20:24 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, constructing blank hash payload
Jan 02 18:20:24 [IKEv1 DEBUG]: Group = 80.190.191.189, IP = 80.190.191.189, constructing qm hash payload
So, can somebody help me how to find the problem please? I already have changed DH groups, Main to Aggressive mode and so on and so on... same result all the time.
Hope sombody can help me.
If required, I can provide a full configuration set from both devides.
Maybe somebody has a tutorial which describes the complete diagnose command set on CLI so I will find help in this way. That' s the only thing I miss a manual from fortinet.
thanks in advance.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Things to check
Have you validated FWpolicy from both sides?
Are you defining the left & right subnets on the FGT to match the ASA?
Are you using interface or policy mode, and if the former, do you have a static route point for the remote-network(s) and your using your defined phase1 interface?
For starters, what does you fgt diagnose vpn shows?
e.g
diag vpn tunnel list
Do spi matches the cisco ASA
e.g
sh crypto ipsec sa peer " fgt-peer-address"
How does a packet trace from the cisco show?
e.g
packet input " lan-interface " tcp " src_address" " src_port" " dst_net" " dst_port" det
You want to ensure it shows encrypt at the action and does not fail
e.g ( reduce output from a cisco packet trace )
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xdbe2ea48, prio
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
I have tried all what you told me. Traffic flow on ASA is fine and encrypted.
I have changed the configuration to be as simple as pissible with DES and SHA1 and so on without any luck yet. I attach a file with some output from both devices. maybe somebody have a great idea. I' m frustrated and also have tried is with a dedicated blank FG without more sucess. Tried NAT-T (no NAT router between both devices and the internet)... HELP!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
the tunnel seems to be up as the Cisco receives and answeres R-U-THERE (keepalive) packets from the FG. You should be able to see the UP status in the FG VPN IPSec monitor.
What seems strange to me is that you run in Main mode but towards a dynamic gateway (berlin.company.net is resolved via DNS). So, the gateway IP cannot be part of the identity exchange. In similar scenarios I use aggressive mode and the exchange of local ID/peer ID.
There are excellent examples of site-to-site VPNs with dynamic gateways in the FortiOS Handbook (new, for 4.00MR2) and, to a lesser extent, the IPSec VPN Guide.
OTOH, if the tunnel is up and no traffic flowing, then there must be something wrong with the policy. As the FG policy is simple to check, have you had a look at the Cisco policy (ACL?)? Tunnel control traffic is separate from payload traffic.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Q:for pfs, is the default on the ASA group 2
reference: crypto map outside_map0 1 set pfs
I want to say it is, but I would hard set on the cisco to group2. if that doesn' t make a difference, than I would say to review your policies on the FGT for interface internal and internal2.
On main vrs agressive mode, with dyn-dns, I' ve had no problems using Main-mode on my FGT.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried to switch from Main- to Aggressive mode and also played arround with DH group without any success. Also played around with NAT-T.
I can see in the IPSec Monitor that this tunnel is up but an RX and TX is just can see 0 and 0. Thats frustrating. Even when only the ACK will flow, that should be enought to cound some bits.
Has somebody one more helpful idea?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OTOH, if the tunnel is up and no traffic flowing, then there must be something wrong with the policy. As the FG policy is simple to check, have you had a look at the Cisco policy (ACL?)? Tunnel control traffic is separate from payload traffic.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you defined the tunnel in interface mode, you will need to create a matching static route for all the tunnel traffic. From a workstation, run a traceroute and see where your traffic ends up going.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
but it' s policy based and for that there is no use for a static route as far as I know.
Just Phase1 and Phase2 with a firewall policy with action = IPSec from inside to outside and service ANY.
I would love to have mure debugging details at this time.
Problem is that I can not fine any packet drops (Cisco monitring and Fortinet) don' t show me any packet blockings from an ACL or firewall policy. frustrating.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Personally, I would dump the policy mode tunnel and switch to interfaced based. This way you have control over the routing and such. The ' FortiMagic' routing doesn' t always work as desired, and leaves you with your a** in the wind...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Labels
-
FortiGate
9,861 -
FortiClient
2,009 -
FortiManager
837 -
5.2
801 -
FortiAnalyzer
647 -
5.4
639 -
FortiSwitch
542 -
FortiAP
527 -
FortiClient EMS
506 -
6.0
416 -
5.6
362 -
FortiMail
357 -
SSL-VPN
331 -
IPsec
326 -
6.2
251 -
FortiNAC
244 -
FortiAuthenticator v5.5
234 -
FortiWeb
234 -
5.0
196 -
SD-WAN
164 -
FortiGuard
155 -
FortiAuthenticator
146 -
6.4
128 -
Firewall policy
120 -
FortiGateCloud
112 -
FortiSIEM
109 -
FortiCloud Products
108 -
FortiToken
103 -
Wireless Controller
91 -
Customer Service
85 -
FortiGate-VM
80 -
High Availability
76 -
FortiProxy
73 -
ZTNA
69 -
FortiEDR
65 -
VLAN
65 -
4.0MR3
64 -
Fortivoice
64 -
DNS
62 -
Routing
61 -
FortiADC
60 -
SAML
59 -
Authentication
56 -
radius
55 -
BGP
55 -
Certificate
54 -
FortiSandbox
51 -
LDAP
50 -
NAT
49 -
FortiExtender
47 -
SSO
47 -
FortiDNS
43 -
FortiLink
42 -
VDOM
39 -
FortiGate v5.4
37 -
Application control
37 -
Interface
36 -
Logging
36 -
FortiSwitch v6.4
35 -
FortiConnect
34 -
FortiWAN
31 -
Virtual IP
31 -
Web profile
30 -
FortiPAM
29 -
FortiConverter
28 -
FortiGate v5.2
27 -
SSL SSH inspection
25 -
Traffic shaping
24 -
Automation
24 -
FortiPortal
23 -
Static route
23 -
FortiGate Cloud
22 -
SSID
22 -
FortiSwitch v6.2
20 -
SNMP
20 -
FortiMonitor
19 -
WAN optimization
19 -
API
18 -
OSPF
17 -
System settings
17 -
Web application firewall profile
16 -
FortiDDoS
15 -
Admin
15 -
Security profile
15 -
FortiAP profile
15 -
IP address management - IPAM
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
IPS signature
14 -
Proxy policy
13 -
Intrusion prevention
13 -
FortiManager v4.0
12 -
Explicit proxy
12 -
Traffic shaping policy
12 -
Web rating
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Port policy
11 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Users
10 -
Traffic shaping profile
10 -
Fabric connector
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiDeceptor
9 -
FortiAnalyzer v5.0
9 -
RMA Information and Announcements
9 -
DNS filter
9 -
trunk
9 -
Fortinet Engage Partner Program
9 -
FortiCache
8 -
Antivirus profile
8 -
4.0
7 -
Application signature
7 -
Authentication rule and scheme
7 -
FortiToken Cloud
6 -
Packet capture
6 -
NAC policy
6 -
VoIP profile
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
Vulnerability Management
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
FortiNDR
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
File filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2338 | |
| 1269 | |
| 776 | |
| 466 | |
| 454 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.