I am having the same issues with a Fortinet 60D at a remote office and a Palo Alto 5020 at the head end. I manage both of the devices so can view the logs. The logs on both the Fortinet and Palo show errors "SPI not matching". The VPN tunnels on both devices will show up but no traffic is passing. To fix the issue I have been clearing the phase 1 and phase 2 connections on the Palo: `clear vpn ipsec-sa tunnel` and `clear vpn ike-sa gateway`. Downing the VPN tunnel on the Fortinet does not work. The settings on the two firewalls match up.
What version of code for Forti and Palo? I recall some bug issues in PAN-OS 5.0-9 regarding VPN issues, iirc. Curious to see what you're running. On the clearing, the SPIs haven't properly cleared, so one side is probably maintaining a countdown timer that does not match.
Also are you using rt-based vpn for both devices?
PCNSE
NSE
StrongSwan
The Fortinet is running 5.0.11 and the Palo is 6.0.6. All the VPNs are route-based VPNs. I am using address objects for the phase 2 networks since I have 3 different destination networks behind the Palo. I have auto keep-alive set up on phase 2 also.
Also be sure to double-check your Replay Detection settings. I had this issue with a VPN tunnel to a Watchguard unit which implicitly enabled Replay Detection until I enabled Replay Detection on our end and bounced the tunnel.
I compared the settings on the two devices and one side had replay protection enabled and the other did not. Once I enabled replay protection on the device that did not have it, the tunnel came back online.
I got the same error in my debug and tried several changes, and read prior comments on this forum. After we changed the Exchange mode setting from auto to main on the Palo Alto firewall, and also removed the ticks from the Phase 2 settings auto keepalive and auto-negotiate on the FortiGate, the tunnel was at last established.
Hi Everyone,
I am specifically making this post to inform you that I have been encountering the same problem with a client FortiGate 100D and another client Palo Alto 850. For me, checking the boxes for Auto-Negotiate and Auto Keep-Alive and changing the P1 mode to aggressive on both sides (FortiGate and Palo Alto) resolved the issue. The VPN was up and it is still up, but the traffic in the tunnel finally goes through.
Kind Regards, Mino.
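The posts above all come down to the two peers disagreeing on a handful of phase 1 / phase 2 settings (exchange mode, replay detection, and the proxy-ID / selector pairs for the three networks behind the Palo) while the tunnel still reports "up". As an added example, not code from any poster or vendor, the script below compares those settings for two peers and lists every mismatch; the setting names, device names and networks are constructed sample values, not exported FortiGate or PAN-OS configuration.

```python
from dataclasses import dataclass, field

# Settings both sides must agree on for phase 1 / phase 2 (constructed keys, not vendor CLI names).
PHASE1_KEYS = ("ike_version", "exchange_mode", "encryption", "hash", "dh_group", "lifetime_s")
PHASE2_KEYS = ("encryption", "auth", "pfs_group", "lifetime_s", "replay_detection")

@dataclass
class Peer:
    name: str
    phase1: dict
    phase2: dict
    selectors: set = field(default_factory=set)  # (local_net, remote_net) pairs

def compare_settings(a: Peer, b: Peer) -> list:
    """Return human-readable mismatches; an empty list means the settings line up."""
    findings = []
    for phase, keys in (("phase1", PHASE1_KEYS), ("phase2", PHASE2_KEYS)):
        sa, sb = getattr(a, phase), getattr(b, phase)
        for k in keys:
            if sa.get(k) != sb.get(k):
                findings.append(f"{phase}.{k}: {a.name}={sa.get(k)!r} {b.name}={sb.get(k)!r}")
    # Selectors are directional: every (local, remote) on A needs a (remote, local) on B.
    mirrored = {(r, l) for (l, r) in b.selectors}
    for missing in sorted(a.selectors - mirrored):
        findings.append(f"selector {missing} on {a.name} has no mirror on {b.name}")
    for missing in sorted(mirrored - a.selectors):
        findings.append(f"selector {missing[::-1]} on {b.name} has no mirror on {a.name}")
    return findings

# Constructed sample: a FortiGate with three networks behind the Palo, as in the thread.
FORTIGATE = Peer("fortigate-60D",
    {"ike_version": 1, "exchange_mode": "main", "encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime_s": 28800},
    {"encryption": "aes256", "auth": "sha256", "pfs_group": 14, "lifetime_s": 3600, "replay_detection": False},
    {("10.1.0.0/24", n) for n in ("10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24")})
PALO = Peer("palo-5020",
    {**FORTIGATE.phase1, "exchange_mode": "auto"},          # exchange mode left on auto
    {**FORTIGATE.phase2, "replay_detection": True},         # replay detection only on this side
    {("10.2.0.0/24", "10.1.0.0/24"), ("10.3.0.0/24", "10.1.0.0/24")})  # third proxy-ID missing
# Both sides after the changes the thread describes: aligned mode, replay detection, selectors.
FORTIGATE_FIXED = Peer(FORTIGATE.name, FORTIGATE.phase1, {**FORTIGATE.phase2, "replay_detection": True}, FORTIGATE.selectors)
PALO_FIXED = Peer(PALO.name, {**PALO.phase1, "exchange_mode": "main"}, FORTIGATE_FIXED.phase2,
                  PALO.selectors | {("10.4.0.0/24", "10.1.0.0/24")})

if __name__ == "__main__":
    for line in compare_settings(FORTIGATE, PALO) or ["no mismatches"]:
        print(line)
    print(compare_settings(FORTIGATE_FIXED, PALO_FIXED) or "aligned: no mismatches")
```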