Not applicable

VPN not working after update firmware

After I updated the firmware my VPN is not working. Following is my scenario:

FGT 100A 3.0 build 0477, operation mode NAT
FGT 50A 3.0 build 0406, operation mode Transparent
VPN connecting from FGT 50A to FGT 100A

Does it need any config changes?
rwpatterson
Valued Contributor III

Which one(s) did you update, and from what release(s)?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com


Both FGTs were updated from factory default to 2.8 MR11, then 3.0.
Not applicable

Hi Sabuthomas, Please read the release notes on MR4. Regards, Eric
Not applicable

Hi.... I've been doing this too and the VPN wouldn't work, maybe you should configure it from scratch.... By the way, I also got a problem with protection profiles and they don't work either. I think it is always a problem if we upgrade from v2.8 MR11 to v3.0. I do not know why. Maybe others can give an answer?
Not applicable

My remote peer is getting the following error:

Negotiate SA Error: No matching gateway for new phase 1 request

My remote FGT config is as follows:
Operation Mode: NAT
Firmware: Fortigate-100A 3.00,build0477,070126

My other end FGT config is as follows:
Operation Mode: Transparent
Firmware: Fortigate-50A 3.00,build0400

If I downgrade to 2.8 MR11 on the FGT100A then my VPN is working fine. If anybody has had any such experience, please help me.
rwpatterson
Valued Contributor III

Just a question. Have you tried MR3 patch 6 on the 100A? I'm curious if it is an MR4 thing, or a non MR2 issue. Fortinet rewrote the IPSec section of their firmware between 2.8 and 3.0.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com


I did not try MR3; the 100A is on MR4. When I downgrade to 2.8 MR11 then it is working fine, even though my 50A is on 3.00 build 400.
Paul_Dean
Contributor

Hi Sabuthomas,

I had the same problem when I upgraded a 50A to version 3 firmware from 2.8. The problem I had was caused by the 50A sending out IPSEC packets using the source IP of a secondary IP address and not the primary IP of the main interface. I verified this by using debug commands in the CLI:

    diagnose debug application ike 3
    diagnose debug enable

You can see the IPSEC Phase1 initial request coming into the firewall from the remote end, and the source IP was different from the one it was supposed to use. This might not be your problem, however, and I would agree with ATA and delete the entire VPN config and start again, which will most likely work.

Cheers
Paul
NSE4
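
The source-address check described in the post above, as an added example that is not part of the thread and is not Fortinet code. It assumes the responder matches a static remote gateway by the initiator's source IP; the peer name, all addresses (documentation ranges) and the /29 prefix length are hypothetical, and the observations are constructed rather than real debug output.

```python
import ipaddress

# Constructed sample: remote gateway IP configured for phase 1 on the responder.
CONFIGURED_PEERS = {"branch-50A": "203.0.113.10"}

# Constructed observations of inbound IKE phase 1 requests (UDP/500),
# as (source, destination) pairs noted from a capture or debug session.
OBSERVED = [
    ("203.0.113.10", "198.51.100.1"),  # primary interface IP of the peer
    ("203.0.113.11", "198.51.100.1"),  # secondary IP on the same interface
    ("192.0.2.77", "198.51.100.1"),    # unrelated host
]

def check_phase1_sources(observed, peers, prefix_len=29):
    """Classify each initiator source against the configured static peers.

    Returns (source, verdict, peer_name) tuples where verdict is:
      "match"     - source equals a configured remote gateway
      "near-miss" - source shares a subnet with a configured peer, which is
                    what a request sent from a secondary IP looks like
      "unknown"   - source is not close to any configured peer
    """
    peer_ips = {ipaddress.ip_address(ip): name for name, ip in peers.items()}
    results = []
    for src, _dst in observed:
        addr = ipaddress.ip_address(src)
        if addr in peer_ips:
            results.append((src, "match", peer_ips[addr]))
            continue
        near = None
        for ip, name in peer_ips.items():
            # Subnet the configured peer address sits in (assumed prefix length).
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            if addr in net:
                near = name
                break
        results.append((src, "near-miss" if near else "unknown", near))
    return results

if __name__ == "__main__":
    for src, verdict, peer in check_phase1_sources(OBSERVED, CONFIGURED_PEERS):
        print(f"{src:15} {verdict:9} {peer or '-'}")
```

A "near-miss" row is the case worth chasing first: either correct the source address the initiator uses or update the remote gateway address configured on the responder.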
Not applicable

A very strange thing which I found is that, as per my following scenario:

Main office: FGT100A, NAT mode
Branch office: FGT50A, Transparent mode, ver 3.00 build 400

My VPN will work fine if I downgrade my main office to 2.8 MR11 without changing any VPN configuration on either end. But when I upgrade my main office to 3.0 MR4, my VPN fails and I receive the error message "Negotiate SA Error: No matching gateway for new phase 1 request." on my main office FGT, and no error message on my branch office FGT.