billykaka
New Contributor

debug Phase 2 selectors

Hello, I am troubleshooting a VPN where the other party is a Cisco ASA.

I would like to know the exact format of the Phase 2 selectors / encryption domain IDs / proxy IDs being sent to us by the Cisco ASA.

 

I have tried the following commands to debug IKE:

diagnose debug disable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 <Peer IP Address>
diagnose debug app ike 255
diagnose debug enable

 

diagnose debug disable
diagnose debug reset
diag vpn ike log filter name <phase1-name>
diag debug app ike -1
diag debug enable

 

 

However, my debug output does not show a Phase 2 selector / encryption domain / proxy ID.

What am I doing wrong, and how can I get the debug to show me the selectors / encryption domain / proxy IDs being sent to us by the Cisco ASA?

 

Thank you

2 REPLIES
samsonmartinez
New Contributor

Hello,

 

Were you ever able to figure this out? I'm trying to get the same data, but all I can see are the selectors I am sending ...

 

Thanks!

 

-Samson

emnoc
Esteemed Contributor III

You're debugging IKE, which is not going to carry PH2 IPsec-SA information. I never had to debug IPsec-SA btw; just make sure you and the Cisco are matching and no quad 0s { 0.0.0.0/0:0 }.

Does the ASA show ESP errors? That's a sign of mismatched proxy-IDs btw.

 

Ken

PCNSE 

NSE 

StrongSwan  
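The check emnoc describes, "make sure you and the Cisco are matching and no quad 0s", can be done offline from the two configurations rather than from IKE debug output. The following is an added example and not code from the thread or from Fortinet or Cisco: it parses a FortiGate phase2-interface stanza and an ASA crypto ACL, mirrors the ASA entries into the FortiGate's local/remote orientation, and reports which proxy IDs match, which exist on only one side, and which use 0.0.0.0/0. The tunnel names, interface names, ACL name and addresses in the embedded samples are constructed for the example; ASA ACEs that reference `object` or `object-group` are rejected because they would need to be resolved against the object definitions first.

```python
import ipaddress
import re

ANY4 = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample of "show vpn ipsec phase2-interface" output (hypothetical names).
# The second entry sets no subnets, so it falls back to the FortiOS default of 0.0.0.0/0.
FORTIGATE_PHASE2 = """
config vpn ipsec phase2-interface
    edit "to-asa-p2"
        set phase1name "to-asa"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
    edit "to-asa-p2-any"
        set phase1name "to-asa"
    next
end
"""

# Constructed sample of the ASA crypto ACL for the same tunnel (hypothetical ACL name).
ASA_CRYPTO_ACL = """
access-list VPN-TO-FGT extended permit ip 10.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list VPN-TO-FGT extended permit ip host 10.30.0.5 192.168.10.0 255.255.255.0
"""


def _net(addr, mask):
    """Build an IPv4Network from a dotted address and a dotted netmask."""
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_fortigate_phase2(text):
    """Return [(name, src_subnet, dst_subnet)] from a phase2-interface dump.

    src/dst are from the FortiGate's point of view (local, remote); an entry that
    never sets them keeps the FortiOS default 0.0.0.0/0.
    """
    entries, name, src, dst = [], None, ANY4, ANY4
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "?([^"]+)"?$', line)
        if m:
            name, src, dst = m.group(1), ANY4, ANY4
            continue
        m = re.match(r"set (src|dst)-subnet (\S+) (\S+)$", line)
        if m and name:
            if m.group(1) == "src":
                src = _net(m.group(2), m.group(3))
            else:
                dst = _net(m.group(2), m.group(3))
            continue
        if line == "next" and name:
            entries.append((name, src, dst))
            name = None
    return entries


def _asa_operand(tokens):
    """Consume one ASA ACE address operand; return (network, remaining tokens)."""
    t = tokens[0]
    if t in ("any", "any4"):
        return ANY4, tokens[1:]
    if t == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if t in ("object", "object-group"):
        raise ValueError(f"{t} {tokens[1]}: resolve the object definition before comparing")
    return _net(t, tokens[1]), tokens[2:]


def parse_asa_crypto_acl(text):
    """Return [(acl_name, src, dst)] for 'permit ip' ACEs, from the ASA's point of view."""
    ace = re.compile(r"access-list (\S+) extended permit ip (.+)$")
    entries = []
    for line in text.splitlines():
        m = ace.match(line.strip())
        if not m:
            continue
        src, rest = _asa_operand(m.group(2).split())
        dst, _ = _asa_operand(rest)
        entries.append((m.group(1), src, dst))
    return entries


def compare_selectors(fg_entries, asa_entries):
    """Mirror the ASA ACEs into FortiGate orientation and diff the two selector sets.

    A FortiGate (src, dst) pair is matched only when the ASA has the exact mirror
    (dst, src). Any pair on either side that contains 0.0.0.0/0 is listed under
    quad_zero, since a quad-zero selector on one side is the classic mismatch.
    """
    fg = {(s, d) for _, s, d in fg_entries}
    asa = {(d, s) for _, s, d in asa_entries}  # swap so both sets read local <-> remote
    fmt = lambda p: f"{p[0]} <-> {p[1]}"
    return {
        "matched": sorted(map(fmt, fg & asa)),
        "fortigate_only": sorted(map(fmt, fg - asa)),
        "asa_only": sorted(map(fmt, asa - fg)),
        "quad_zero": sorted(fmt(p) for p in fg | asa if ANY4 in p),
    }


if __name__ == "__main__":
    report = compare_selectors(parse_fortigate_phase2(FORTIGATE_PHASE2),
                               parse_asa_crypto_acl(ASA_CRYPTO_ACL))
    for key, pairs in report.items():
        print(f"{key}: {pairs or '-'}")
```

Feed it the real `show vpn ipsec phase2-interface` output from the FortiGate and `show running-config access-list` from the ASA; anything under `fortigate_only` or `asa_only` is a proxy-ID the peer will not accept, and a `quad_zero` hit on one side only is exactly the case emnoc warns about.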