Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: VPN Fortigate to ASA-5520 only up if FG300A i...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 06-30-2010 11:42 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Fortigate to ASA-5520 only up if FG300A is initiator
I have an IPSEC VPN tunel between a FG300A and a Cisco ASA-5520. It only stays up if the FG300A is the initiator. If the ASA-5520 is the initiator, it comes up for a few seconds and then renegotiates Phase 2 (interrupting the tunnel) over and over again.
If I Shut Down the VPN interface, it comes up with the FG300A as the initiator until the Phase 2 time out period elapses at which point the Cisco becomes the initiator and the problem recurs (with occasional errors logged re: Invalid SPI).
The tunnel uses Interface mode and NAT' s in both directions due to overlapping networks at each end.
I had to upgrade to v3.00 MR5 Patch7 and disable DPD on the FG300A just to get this far.
Any ideas????
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Not applicable
Created on 06-30-2010 12:22 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To clarify: the tunnel only comes up if I Bring Down the VPN INTERFACE and then Bring Up System->Network->Interface->Port1.
It does not work if I Bring Down the tunnel and then Bring Up under VPN->IPSEC->Monitor because the remote peer becomes the Initiator.
How do I force the FG300A to ALWAYS be the initiator or ignore initiation from the remote peer?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the phase2 setup for the tunnel (from the CLI), enter
set auto-negotiate enableAlso check the phase2 selectors on both sides. The FGT may be a subset of the Cisco, which is why it works in one direction. The Cisco cannot open the connection because part of it' s phase2 range lies outside what the FGT will allow.... Just a thought. Good luck
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the latter question, you can specify on the ASA that it only answer, or originate or is bidirectional for establishments of connections
Have the ASA guys go into the ASA and edit your " crypto map statement"
e.g
here' s the options and example on how to set the ASA to answer only
configure mode commands/options:
answer-only Answer only
bidirectional Bidirectional
originate-only Originate only
crypto map HQ_to_800A01 110 set connection-type answer-only
Hope this helps.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent suggestions --- thank you both!
I' m still confused as to the root cause...If phases 1 and 2 pass when the FGT initiates the tunnel, doesn' t that mean that the relevant SA properties match and should therefore do so when the other side initiates it? I' ve confirmed thst the phase 2 ranges are identical.
So...I' m thinking the root cause is a bug or incompatibility related to how the FGT implements/parses/compares address groups for SA during phase 2 negotiation.
ANYWAY, I think preventing the ASA from iniating the tunnel will get around the problem (assuming the setting applies to re-negotiation of phase 2 as well), but I' m going to start with setting auto-negotiate to enable on the FGT to learn more about the behavior.
It seems like enabling auto-negotitate will improve the likelihood that the FGT re-negotiates first but not guarantee it. The phase 2 keylife on both sides is 28800 sec (8 hr) and renegotiation occurred after 6 hrs (I assume that is by design --- like DHCP renewal). If both sides use the same timing (75% keylife) there' s no guarantee the FGT will auto-negotiate before the ASA does (due to generated traffic). For all I know, the IPSEC standard itself may determine that roles are reversed (Responder vs Initiator) for renegotiation.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think with SA rengoiation timers either side can re-negotiate. the lessor of the time value is typically used in IKE ph1 negotiation and I think the same still holds true with the ph2 SA.
It' s still unclear to me as to what your trying to accomplish? If the ph2 SA timers count down, it will only recycle with a new SA as long as IKE ph1 is still establish.
Since SAs are uni-directional, and rely on a valid phase1 establishment, and upon termination of your phase1 SA, then any phase2 SA should magically be terminate as well.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I' ve always set Phase 2 < Phase 1 timer (otherwise there is no point in having an Phase 2 timer).
In any case, I' ll try setting Phase 1 < Phase 2 and see if that works around the problem.
NOTE: set auto-negotiate enable did not resolve it.
Log Messages (xxx.xxx.xxx.xxx is FGT peer IP) are below. You can see where they show " Initiator" for Main Main messages when the tunnel comes up inittaly, and " Responder" when renegotiating.
INITIAL TUNNEL
Responder: tunnel yyy.yyy.yyy.yyy, transform=ESP_3DES, HMAC_SHA1
Responder: parsed yyy.yyy.yyy.yyy quick mode message #2 (DONE)
Responder: tunnel xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy install ipsec sa
Responder: sent yyy.yyy.yyy.yyy quick mode message #1 (OK)
Initiator: tunnel yyy.yyy.yyy.yyy, transform=ESP_3DES, HMAC_SHA1
Initiator: sent yyy.yyy.yyy.yyy quick mode message #2 (DONE)
Initiator: tunnel xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy install ipsec sa
Responder: sent yyy.yyy.yyy.yyy quick mode message #1 (OK)
Initiator: sent yyy.yyy.yyy.yyy quick mode message #1 (OK)
Initiator: parsed yyy.yyy.yyy.yyy main mode message #3 (DONE)
Initiator: sent yyy.yyy.yyy.yyy main mode message #3 (OK)
Initiator: sent yyy.yyy.yyy.yyy main mode message #2 (OK)
Initiator: sent yyy.yyy.yyy.yyy main mode message #1 (OK)
PHASE 2 RENEGOTIATION (repeats indefinitely)
Received ESP packet with unknown SPI.
Deleted an IPsec SA on the tunnel to yyy.yyy.yyy.yyy:500
Responder: tunnel yyy.yyy.yyy.yyy, transform=ESP_3DES, HMAC_SHA1
Responder: parsed yyy.yyy.yyy.yyy quick mode message #2 (DONE)
Responder: tunnel xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy install ipsec sa
Responder: sent yyy.yyy.yyy.yyy quick mode message #1 (OK)
Responder: tunnel yyy.yyy.yyy.yyy, transform=ESP_3DES, HMAC_SHA1
Responder: parsed yyy.yyy.yyy.yyy quick mode message #2 (DONE)
Responder: tunnel xxx.xxx.xxx.xxx/yyy.yyy.yyy.yyy install ipsec sa
Responder: sent yyy.yyy.yyy.yyy quick mode message #1 (OK)
Responder: sent yyy.yyy.yyy.yyy main mode message #3 (DONE)
Responder: sent yyy.yyy.yyy.yyy main mode message #2 (OK)
Responder: sent yyy.yyy.yyy.yyy main mode message #1 (OK)
Deleted an Isakmp SA on the tunnel to yyy.yyy.yyy.yyy:500
Not applicable
Created on 07-01-2010 12:29 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This workaround seems to have worked!
I changed Phase 1 to Agressive Mode with key life 120 seconds and monitored connectivity and tunnel negotiations for 30 minutes or so before changing the key life to 14400 (permanently).
I still don' t understand why Phase 2 renegotiation never succeeeded but hours of testing everthing I can think of has made me less curious than usual... 
Anyway, thanks for all of the help!!
Anyway, thanks for all of the help!!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: johns99 If the ASA-5520 is the initiator, it comes up for a few seconds and then renegotiates Phase 2 (interrupting the tunnel) over and over again.The two sides may not be equal. Sometimes the responder adjusts the parameters to what the initiator has requested so the tunnel will come up. By comparing the responder debug log on each side you should be able to see what the differences are.
If phases 1 and 2 pass when the FGT initiates the tunnel, doesn' t that mean that the relevant SA properties match and should therefore do so when the other side initiates it?Between two Fortigate yes. With other routers no. FortiOS defaults and techniques prefer a hard set phase 2 quick mode selector. Many other router brands don' t work this way. They are set up to use 0.0.0.0 as the quick mode selector with the equivalent of “set selector-match subset†enabled. They will provide whatever quick mode selector your Fortigate wants but will typically accept anything as a quick mode selector. The firewall controls what traffic can pass.
So...I' m thinking the root cause is a bug or incompatibility related to how the FGT implements/parses/compares address groups for SA during phase 2 negotiation.If the Fortigate is refusing the connection then it will be detailed in the debug log. For some problems I' ve had to analyze days of debug logs to figure out the pattern.
ANYWAY, I think preventing the ASA from iniating the tunnel will get around the problem (assuming the setting applies to re-negotiation of phase 2 as well), but I' m going to start with setting auto-negotiate to enable on the FGT to learn more about the behavior.This shouldn' t work. Typically routers create a new SA rather than reusing an existing SA unless it matches exactly. Even if you force the tunnel up on the Fortigate the Cisco will probably want to create another when it wants to send something. I would expect a lot of connectivity problems.
The phase 2 keylife on both sides is 28800 sec (8 hr) and renegotiation occurred after 6 hrs (I assume that is by design --- like DHCP renewal).My Fortigate with FortiOS 3.0 to a Checkpoint renegotiates anywhere from 50-0 seconds from the end of the tunnel. Renegotiating seamlessly lets the existing tunnel expire and creates a new one. The Cisco may decide to create another tunnel because the one you forced up wasn' t a match.
ORIGINAL: emnoc … upon termination of your phase1 SA, then any phase2 SA should magically be terminate as well.The IPSec standard and FortiOS KB specifically state that phase 2 may continue after their phase 1 goes down. The phase 2 tunnels will stay up but any communication about them will require a new phase 1. However many routers do drop their phase 2 when the phase 1 goes down. Fortigate phase 2 will continue after the phase 1 expires unless the other router brings them down.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,683 -
FortiClient
1,756 -
5.2
801 -
FortiManager
727 -
5.4
639 -
FortiAnalyzer
556 -
FortiSwitch
474 -
FortiAP
470 -
FortiClient EMS
429 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
243 -
FortiAuthenticator v5.5
234 -
IPsec
208 -
FortiWeb
205 -
5.0
196 -
FortiNAC
188 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiGateCloud
102 -
FortiAuthenticator
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiToken
91 -
Firewall policy
82 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
49 -
Routing
46 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
FortiSwitch v6.4
34 -
Certificate
34 -
RADIUS
33 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
Virtual IP
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiGate-VM
12 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
API
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1709 | |
| 1093 | |
| 752 | |
| 446 | |
| 231 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.