Dear experts, good day. I am a novice in this topic of FortiGate, but the time has come to start venturing. I have a FortiGate 60E and, at the other end, a FortiGate 500D. I created a VPN that was working until a few days ago. Looking on the internet for info about VPN troubleshooting, I managed to get this info, but I can't tell what the problem might be, because the VPN doesn't come up. Could you give me a hand with your experience? I am attaching the log, since it is long, to see if you can help me understand it.

Greetings and thanks
```
arfw1 #
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:116: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=c22ecaaf6091315f/637fa56493d4b45d
ike shrank heap by 126976 bytes
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:116: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=c22ecaaf6091315f/637fa56493d4b45d
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:116: negotiation timeout, deleting
ike 0:VPN-MZA-1: connection expiring due to phase1 down
ike 0:VPN-MZA-1: deleting
ike 0:VPN-MZA-1: deleted
ike 0:VPN-MZA-1: schedule auto-negotiate
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: created connection: 0x55355c8 5 172.16.10.75->190.113.131.138:500.
ike 0:VPN-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:500 negotiating
ike 0:VPN-MZA-1: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:VPN-MZA-1:117: initiator: main mode is sending 1st message...
ike 0:VPN-MZA-1:117: cookie 737a14aaf98c2c84/0000000000000000
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i1send): 172.16.10.75:500->190.113.131.138:500, len=312, id=737a14aaf98c2c84/0000000000000000
ike 0: comes 190.113.131.138:500->172.16.10.75:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=737a14aaf98c2c84/74954e44c7f4d6eb len=212
ike 0:VPN-MZA-1:117: initiator: main mode get 1st response...
ike 0:VPN-MZA-1:117: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:VPN-MZA-1:117: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPN-MZA-1:117: DPD negotiated
ike 0:VPN-MZA-1:117: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:VPN-MZA-1:117: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN-MZA-1:117: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:VPN-MZA-1:117: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN-MZA-1:117: VID Fortinet Exchange Interface IP A58FEC5036F57B21E8B499E336C76EE6
ike 0:VPN-MZA-1:117: selected NAT-T version: RFC 3947
ike 0:VPN-MZA-1:117: negotiation result
ike 0:VPN-MZA-1:117: proposal id = 1:
ike 0:VPN-MZA-1:117: protocol id = ISAKMP:
ike 0:VPN-MZA-1:117: trans_id = KEY_IKE.
ike 0:VPN-MZA-1:117: encapsulation = IKE/none
ike 0:VPN-MZA-1:117: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:VPN-MZA-1:117: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:VPN-MZA-1:117: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:VPN-MZA-1:117: type=OAKLEY_GROUP, val=MODP1536.
ike 0:VPN-MZA-1:117: ISAKMP SA lifetime=86400
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i2send): 172.16.10.75:500->190.113.131.138:500, len=316, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0: comes 190.113.131.138:500->172.16.10.75:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=737a14aaf98c2c84/74954e44c7f4d6eb len=316
ike 0:VPN-MZA-1:117: initiator: main mode get 2nd response...
ike 0:VPN-MZA-1:117: received NAT-D payload type 20
ike 0:VPN-MZA-1:117: received NAT-D payload type 20
ike 0:VPN-MZA-1:117: NAT detected: ME
ike 0:VPN-MZA-1:117: NAT-T float port 4500
ike 0:VPN-MZA-1:117: ISAKMP SA 737a14aaf98c2c84/74954e44c7f4d6eb key 32:7F763E40793F77DADC83846EB5015385CB7257D7CFD769A9BBF6A92E91B17769
ike 0:VPN-MZA-1:117: add INITIAL-CONTACT
ike 0:VPN-MZA-1:117: add INTERFACE-ADDR4 10.254.1.130
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i3send): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:117: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:117: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
```
I have a client where, when this happens and I see "connection expiring due to phase1 down", I have them restart their modem (not the FortiGate), but I believe their issue is due to their ISP blocking something. I used to spend countless hours trying to figure out why the tunnel wouldn't come up, and so I always start by having them reboot the modem from now on. It usually brings the tunnel back up. Not sure if this is your issue, but worth a try.
Hi,
There are some troubleshooting steps for this problem:
no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495
Regards,
Looks like what happens when you have a misconfigured PPTP server and a client disconnects. PPTP server should never use a real assigned IP as its server IP.
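A way to read the debug output from the question programmatically, added here as an example and not part of any post in the thread: it groups lines by negotiation serial and reports which main-mode message went unanswered. The sample lines are constructed in the format of the posted log, and `parse_phase1` and `stalled_step` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: state-bearing lines in the format of the log posted in
# the question (hex payload dumps omitted; the final timeout line for
# negotiation 117 is assumed, mirroring what the post shows for 116).
SAMPLE_LOG = """\
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i1send): 172.16.10.75:500->190.113.131.138:500, len=312, id=737a14aaf98c2c84/0000000000000000
ike 0:VPN-MZA-1:117: initiator: main mode get 1st response...
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i2send): 172.16.10.75:500->190.113.131.138:500, len=316, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:117: initiator: main mode get 2nd response...
ike 0:VPN-MZA-1:117: NAT detected: ME
ike 0:VPN-MZA-1:117: NAT-T float port 4500
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i3send): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:117: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:117: negotiation timeout, deleting
"""

LINE = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): (?P<msg>.*)$")
SENT = re.compile(r"sent IKE msg \((?P<step>\w+)\): \S+?:(?P<sport>\d+)->\S+?:(?P<dport>\d+),")
RESP = re.compile(r"main mode get (\d)(?:st|nd|rd) response")

def parse_phase1(log):
    """Collect per-negotiation phase 1 state from IKE debug lines."""
    negs = defaultdict(lambda: {"sent": [], "responses": 0, "nat": None,
                                "dport": None, "retransmits": 0, "timeout": False})
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # phase 2 and daemon-wide lines carry no negotiation serial
        n, msg = negs[(m["tunnel"], int(m["serial"]))], m["msg"]
        if s := SENT.search(msg):
            n["dport"] = int(s["dport"])  # destination port of the latest send
            if s["step"] == "P1_RETRANSMIT":
                n["retransmits"] += 1
            else:
                n["sent"].append(s["step"])
        elif r := RESP.search(msg):
            n["responses"] = int(r[1])
        elif msg.startswith("NAT detected:"):
            n["nat"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("negotiation timeout"):
            n["timeout"] = True
    return dict(negs)

def stalled_step(n):
    """Return the last main-mode message sent that never got a response, or None."""
    unanswered = n["sent"][n["responses"]:]
    return unanswered[-1] if unanswered and (n["retransmits"] or n["timeout"]) else None
```

For the posted log the result is `ident_i3send` sent to UDP 4500 with NAT detected: the first two exchanges on UDP 500 completed, and the first encrypted main-mode message, sent after the NAT-T port float, got no reply. That narrows the checks to the UDP 4500 path between the peers and the pre-shared key configured on both ends.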
Copyright 2024 Fortinet, Inc. All Rights Reserved.