Hi @quynhln8 ,
I can see that in the phase2 you have configured lifetime 3600 on the FortiGate side but on the Cisco I do not see it (default should be 28800 if I remember correctly).
You can run the following debug to find out why the phase2 is not coming up:
diagnose vpn ike log-filter dst-addr4 <remote-peer-IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
Note: Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
The following articles might help:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955
Best regards,
In the Cisco RT, I ran show crypto map; the lifetime is 3600.
Hi @quynhln8 ,
Thank you for confirming it.
Please run the debug I suggested in my previous message; it should highlight if there is any mismatch in the IPsec config.
Best regards,
This is the debug following your guide. Do you see any error anywhere?
I don't know how to insert a .txt file.
https://drive.google.com/file/d/1DqA6JIPThL791e4tUiP1HkQFMTJ-ZvWt/view?usp=drive_link
Created on 05-29-2024 07:08 AM Edited on 05-29-2024 07:53 AM
Hi @quynhln8 ,
It looks like the Cisco is not choosing a proposal for some reason, then it sends a notification to the FGT and the FGT deletes the corresponding phase 2 Security Parameter Index. Phase 2 negotiation then restarts again:
2024-05-29 17:19:20.066987 ike 0:ABCDEFGH:159258: notify msg received: NO-PROPOSAL-CHOSEN
2024-05-29 17:19:20.067013 ike 0:ABCDEFGH:159258:ABCDEFGH:2762615: IPsec SPI 52416064 match
2024-05-29 17:19:20.067019 ike 0:ABCDEFGH:159258:ABCDEFGH:2762615: delete phase2 SPI 52416064
Please try to choose a different proposal and check if anti-replay is also enabled on the Cisco side (if available).
https://community.fortinet.com/t5/FortiGate/Technical-Note-Explaining-IPSEC-Anti-replay-and-preventi...
Once done, please launch the debug commands again and then reset the IPsec tunnel on both ends, so you can see the whole phase1/phase2 negotiation outputs in the debug (you can use "diagnose debug application ike 255" instead of -1).
Also on phase2 config on the FortiGate side you configured 172.16.0.0/16 and on the Cisco side you configured 172.16.40.0/24 and 172.16.44.0/24.
Can you try to configure two separate phase2 selectors on the FortiGate side as well, please?
You may find the below old post useful:
https://community.fortinet.com/t5/Support-Forum/Site-to-site-VPN-Fortigate-5-4-and-Cisco-NO-PROPOSAL...
Best regards,
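As an added example (not from this thread, Fortinet, or Cisco), a small Python helper that pulls the NO-PROPOSAL-CHOSEN notify and the phase2 SPI deletion out of a FortiGate IKE debug capture and flags phase2 selectors that are not mirrored exactly on both ends. The log lines and subnets are constructed from the values quoted above; the regexes assume the line layout shown in the thread.

```python
import re
import ipaddress

# Constructed sample of 'diagnose debug application ike -1' output,
# modelled on the three lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
2024-05-29 17:19:20.066987 ike 0:ABCDEFGH:159258: notify msg received: NO-PROPOSAL-CHOSEN
2024-05-29 17:19:20.067013 ike 0:ABCDEFGH:159258:ABCDEFGH:2762615: IPsec SPI 52416064 match
2024-05-29 17:19:20.067019 ike 0:ABCDEFGH:159258:ABCDEFGH:2762615: delete phase2 SPI 52416064
"""

# Assumed line layout: "ike 0:<tunnel-name>:<id>: notify msg received: <NOTIFY>"
NOTIFY_RE = re.compile(r"ike 0:(?P<tunnel>[^:]+):\d+: notify msg received: (?P<notify>[A-Z-]+)")
DELETE_RE = re.compile(r"delete phase2 SPI (?P<spi>[0-9a-f]+)")


def scan_ike_debug(text):
    """Return (notifies, deleted_spis) found in an IKE debug capture.

    notifies is a list of (tunnel, notify-type) pairs; deleted_spis lists
    the phase2 SPIs the FortiGate tore down after a rejected proposal.
    """
    notifies, deleted = [], []
    for line in text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            notifies.append((m.group("tunnel"), m.group("notify")))
        m = DELETE_RE.search(line)
        if m:
            deleted.append(m.group("spi"))
    return notifies, deleted


def unmirrored_selectors(fgt_selectors, cisco_selectors):
    """Phase2 selectors present on one side but not mirrored exactly on the other.

    The fix in the thread was to replace the single 172.16.0.0/16 selector on
    the FortiGate with the two /24s the Cisco uses; any selector listed here
    is a candidate for that kind of mismatch.
    """
    fgt = {ipaddress.ip_network(n) for n in fgt_selectors}
    cisco = {ipaddress.ip_network(n) for n in cisco_selectors}
    return [str(n) for n in sorted(fgt ^ cisco)]  # symmetric difference


if __name__ == "__main__":
    print(scan_ike_debug(SAMPLE_LOG))
    print(unmirrored_selectors(["172.16.0.0/16"], ["172.16.40.0/24", "172.16.44.0/24"]))
```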
Thank you @fricci_FTNT.
So done.
I changed the proposal and IP; it works.
Created on 05-30-2024 04:38 AM Edited on 05-30-2024 04:38 AM
Hi @quynhln8,
That is great news, you are welcome.
If you could mark the answer that helped you as "solution", it would be great so users with a similar issue can quickly help themselves just going directly to the solution.
Have a great day!
Best regards,
Hi @quynhln8 ,
Based on the description, you see phase 1 is up but phase 2 is down on FortiGate?
Did you try disabling PFS on FortiGate and flush the tunnel?
The thing is the FGT displays phase1 up, phase2 down, but when I show the VPN events, phase2 is success and phase1 is error. This problem is very confusing.
Copyright 2024 Fortinet, Inc. All Rights Reserved.