mendocino
New Contributor

VPN IPsec Down, help

Dear experts, good day. I am a novice in this topic of FortiGate, but the time has come to start venturing. I have a FortiGate 60E and at the other end a FortiGate 500D. I have created a VPN that was working until a few days ago. Looking on the internet and looking for info about VPN troubleshooting, I managed to get this info, but I can't tell what the problem might be because the VPN doesn't lift. If you could give me a hand with your experience. I am attaching the log since it is long to see if they help me understand it. Greetings and thanks.

 

arfw1 # ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:116: out C22ECAAF6091315F637FA56493D4B45D05100201000000000000008CFCB861D0D1F7C802E20C113463EE39144EC3006F7F622F376A62DC237B69199DDF45062F98322FC023E3E88B3819ECEFCF50E191CE2F04C4A52238396B9E632339FF642B78A830925EA4FF637506555F8E59F8D5EB8B90A37531E5303A7620C5E821B751F186FD7588165EEA2D6F2928
ike 0:VPN-MZA-1:116: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=c22ecaaf6091315f/637fa56493d4b45d
ike shrank heap by 126976 bytes
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:116: out C22ECAAF6091315F637FA56493D4B45D05100201000000000000008CFCB861D0D1F7C802E20C113463EE39144EC3006F7F622F376A62DC237B69199DDF45062F98322FC023E3E88B3819ECEFCF50E191CE2F04C4A52238396B9E632339FF642B78A830925EA4FF637506555F8E59F8D5EB8B90A37531E5303A7620C5E821B751F186FD7588165EEA2D6F2928
ike 0:VPN-MZA-1:116: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=c22ecaaf6091315f/637fa56493d4b45d
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:116: negotiation timeout, deleting
ike 0:VPN-MZA-1: connection expiring due to phase1 down
ike 0:VPN-MZA-1: deleting
ike 0:VPN-MZA-1: deleted
ike 0:VPN-MZA-1: schedule auto-negotiate
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: created connection: 0x55355c8 5 172.16.10.75->190.113.131.138:500.
ike 0:VPN-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:500 negotiating
ike 0:VPN-MZA-1: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:VPN-MZA-1:117: initiator: main mode is sending 1st message...
ike 0:VPN-MZA-1:117: cookie 737a14aaf98c2c84/0000000000000000
ike 0:VPN-MZA-1:117: out
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i1send): 172.16.10.75:500->190.113.131.138:500, len=312, id=737a14aaf98c2c84/0000000000000000
ike 0: comes 190.113.131.138:500->172.16.10.75:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=737a14aaf98c2c84/74954e44c7f4d6eb len=212
ike 0: in 737A14AAF98C2C8474954E44C7F4D6EB0110020000000000000000D40D00003C000000010000000100000030010100010000002801010000800B0001000C00040001518080010007800E01008003000180020004800400050D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC775701000D0000148299031757A36082C6A621DE000000000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C000000000000014A58FEC5036F57B21E8B499E336C76EE6
ike 0:VPN-MZA-1:117: initiator: main mode get 1st response...
ike 0:VPN-MZA-1:117: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:VPN-MZA-1:117: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:VPN-MZA-1:117: DPD negotiated
ike 0:VPN-MZA-1:117: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:VPN-MZA-1:117: peer is FortiGate/FortiOS (v0 b0)
ike 0:VPN-MZA-1:117: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:VPN-MZA-1:117: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:VPN-MZA-1:117: VID Fortinet Exchange Interface IP A58FEC5036F57B21E8B499E336C76EE6
ike 0:VPN-MZA-1:117: selected NAT-T version: RFC 3947
ike 0:VPN-MZA-1:117: negotiation result
ike 0:VPN-MZA-1:117: proposal id = 1:
ike 0:VPN-MZA-1:117: protocol id = ISAKMP:
ike 0:VPN-MZA-1:117: trans_id = KEY_IKE.
ike 0:VPN-MZA-1:117: encapsulation = IKE/none
ike 0:VPN-MZA-1:117: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 0:VPN-MZA-1:117: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 0:VPN-MZA-1:117: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:VPN-MZA-1:117: type=OAKLEY_GROUP, val=MODP1536.
ike 0:VPN-MZA-1:117: ISAKMP SA lifetime=86400
ike 0:VPN-MZA-1:117: out
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i2send): 172.16.10.75:500->190.113.131.138:500, len=316, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0: comes 190.113.131.138:500->172.16.10.75:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=737a14aaf98c2c84/74954e44c7f4d6eb len=316
ike 0: in
ike 0:VPN-MZA-1:117: initiator: main mode get 2nd response...
ike 0:VPN-MZA-1:117: received NAT-D payload type 20
ike 0:VPN-MZA-1:117: received NAT-D payload type 20
ike 0:VPN-MZA-1:117: NAT detected: ME
ike 0:VPN-MZA-1:117: NAT-T float port 4500
ike 0:VPN-MZA-1:117: ISAKMP SA 737a14aaf98c2c84/74954e44c7f4d6eb key 32:7F763E40793F77DADC83846EB5015385CB7257D7CFD769A9BBF6A92E91B17769
ike 0:VPN-MZA-1:117: add INITIAL-CONTACT
ike 0:VPN-MZA-1:117: add INTERFACE-ADDR4 10.254.1.130
ike 0:VPN-MZA-1:117: enc 737A14AAF98C2C8474954E44C7F4D6EB0510020100000000000000880800000C01000000AC100A4B0B000024827902B883E5D90CABF28A135FB5C12A15C2EDE6FE47F5DAE8C14FFD4812C0DD0B00001C0000000101106002737A14AAF98C2C8474954E44C7F4D6EB000000200000000101107DF9737A14AAF98C2C8474954E44C7F4D6EB0AFE0182
ike 0:VPN-MZA-1:117: out 737A14AAF98C2C8474954E44C7F4D6EB05100201000000000000008C6A4A2B048A32EF0F5BBA40E3CD2066222076E3F123A295DF9A3517F2E16A378F33B4EB7CC41DD09752A6666302E6765B01F5E596764678F7DC41CF78D99774B93F55AD3764FE570D243488E3AB03223DD04974B6846703B34A8F64A21ED83361FCB27A549C6F59B4593037FF7DF3F30E
ike 0:VPN-MZA-1:117: sent IKE msg (ident_i3send): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:117: out 737A14AAF98C2C8474954E44C7F4D6EB05100201000000000000008C6A4A2B048A32EF0F5BBA40E3CD2066222076E3F123A295DF9A3517F2E16A378F33B4EB7CC41DD09752A6666302E6765B01F5E596764678F7DC41CF78D99774B93F55AD3764FE570D243488E3AB03223DD04974B6846703B34A8F64A21ED83361FCB27A549C6F59B4593037FF7DF3F30E
ike 0:VPN-MZA-1:117: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
ike 0:VPN-MZA-1: request is on the queue
ike 0:VPN-MZA-1:117: out 737A14AAF98C2C8474954E44C7F4D6EB05100201000000000000008C6A4A2B048A32EF0F5BBA40E3CD2066222076E3F123A295DF9A3517F2E16A378F33B4EB7CC41DD09752A6666302E6765B01F5E596764678F7DC41CF78D99774B93F55AD3764FE570D243488E3AB03223DD04974B6846703B34A8F64A21ED83361FCB27A549C6F59B4593037FF7DF3F30E
ike 0:VPN-MZA-1:117: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140, id=737a14aaf98c2c84/74954e44c7f4d6eb
ike 0:VPN-MZA-1:VPN-P2-MZA-1: IPsec SA connect 5 172.16.10.75->190.113.131.138:0
ike 0:VPN-MZA-1:VPN-P2-MZA-1: using existing connection
ike 0:VPN-MZA-1:VPN-P2-MZA-1: config found
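
A reading aid for the debug output in the post above, added here as an example and not part of the original thread or of Fortinet's tooling: it groups the `sent IKE msg`, `main mode get Nth response`, `NAT-T float` and `negotiation timeout` messages by negotiation and reports the last message that went unanswered. The function names `summarize` and `stall_point` are hypothetical, and the sample input is constructed from messages in the post with the hex dumps left out.

```python
import re

# One phase-1 negotiation is keyed "<tunnel>:<serial>", e.g. "VPN-MZA-1:117".
EVENT = re.compile(
    r"ike \d+:(?P<sa>[\w-]+:\d+): (?:"
    r"sent IKE msg \((?P<sent>\w+)\): [\d.]+:\d+->[\d.]+:(?P<dport>\d+)"
    r"|initiator: main mode get (?P<resp>\d)(?:st|nd|rd) response"
    r"|(?P<float>NAT-T float port \d+)"
    r"|(?P<timeout>negotiation timeout))")

def summarize(text):
    """Map each phase-1 negotiation in an IKE debug stream to what it sent and got back."""
    sas = {}
    # finditer works whether or not the paste kept its newlines.
    for m in EVENT.finditer(text):
        s = sas.setdefault(m["sa"], {"last_sent": None, "dport": None, "responses": 0,
                                     "retransmits": 0, "floated": False, "timed_out": False})
        if m["sent"] == "P1_RETRANSMIT":
            s["retransmits"] += 1
        elif m["sent"]:
            s["last_sent"], s["retransmits"] = m["sent"], 0
        if m["dport"]:
            s["dport"] = int(m["dport"])
        s["responses"] = int(m["resp"] or s["responses"])
        s["floated"] |= bool(m["float"])
        s["timed_out"] |= bool(m["timeout"])
    return sas

def stall_point(s):
    """Describe where a negotiation stopped getting answers, or None if no stall is visible."""
    if not (s["retransmits"] or s["timed_out"]):
        return None
    msg = s["last_sent"] or "a message sent before the capture began"
    when = " after the NAT-T float" if s["floated"] else ""
    return f"no reply to {msg} on UDP {s['dport']}{when}; {s['retransmits']} retransmit(s)"

# Constructed sample: messages as they appear in the post, run together, hex dumps left out.
SAMPLE = (
    "ike 0:VPN-MZA-1:116: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140 "
    "ike 0:VPN-MZA-1:116: negotiation timeout, deleting "
    "ike 0:VPN-MZA-1:117: sent IKE msg (ident_i1send): 172.16.10.75:500->190.113.131.138:500, len=312 "
    "ike 0:VPN-MZA-1:117: initiator: main mode get 1st response... "
    "ike 0:VPN-MZA-1:117: sent IKE msg (ident_i2send): 172.16.10.75:500->190.113.131.138:500, len=316 "
    "ike 0:VPN-MZA-1:117: initiator: main mode get 2nd response... "
    "ike 0:VPN-MZA-1:117: NAT-T float port 4500 "
    "ike 0:VPN-MZA-1:117: sent IKE msg (ident_i3send): 172.16.10.75:4500->190.113.131.138:4500, len=140 "
    "ike 0:VPN-MZA-1:117: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140 "
    "ike 0:VPN-MZA-1:117: sent IKE msg (P1_RETRANSMIT): 172.16.10.75:4500->190.113.131.138:4500, len=140"
)
```

Calling `stall_point` on each value of `summarize(SAMPLE)` shows that negotiation 117 had its first two messages answered on UDP 500 and then got no reply to `ident_i3send` on UDP 4500, which is the point to compare against the peer's own debug output and any filtering in the path.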

3 REPLIES
TheBovice
New Contributor

I have a client that when this happens and I see "connection expiring due to phase1 down", I have them restart their modem (not the Fortigate), but I believe their issue is due to their ISP blocking something. I used to spend countless hours trying to figure out why the tunnel wouldn't come up and so I always start by having them reboot the modem from now on. It usually brings the tunnel back up. Not sure if this is your issue but worth a try.

Ashik_Sheik

Hi,

There are some troubleshooting steps for this problem 

no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/168495  

 

Regards,

Ashu 

 

AlexAlex77
New Contributor

Looks like what happens when you have a misconfigured PPTP server and a client disconnects. PPTP server should never use a real assigned IP as its server IP.
