Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
quynhln8
New Contributor II

Created on ‎05-26-2024 11:04 PM

help to VPN between FGT & cisco

I set VPN between FGT v6.4 & Cisco2911

on FW display phase1 done but phase2 down

so when I check event VPN, result is phase 1 error

On cisco, status is UP-IDLE

for some reason, I had to hide the information 

look forward to the help

 

RT config.pngshow crypto RT.pngnetwork.pngauthen.pngphase-1.pngphase-2.pngVPN event.pngdiag FW.png

 

 

 

 

 

      

Labels:
621
0 Kudos
12 REPLIES 12
fricci_FTNT
Staff
Staff

Created on ‎05-27-2024 02:08 AM Edited on ‎05-27-2024 02:09 AM

Hi @quynhln8 ,

 

I can see that in the phase2 you have configured lifetime 3600 on the ForiGate side but on the Cisco I do not see it (default should be 28800 if I remember correctly).

You can run the following debug to find out why the phase2 is not coming up:

diagnose vpn ike log-filter dst-addr4 <remote-peer-IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

Note: Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

The following articles might help:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
459
quynhln8
New Contributor II
In response to fricci_FTNT

Created on ‎05-27-2024 03:29 AM

in Cisco RT, I show crypto map, life-time is 3600

444
0 Kudos
fricci_FTNT
Staff
Staff

Created on ‎05-27-2024 04:06 AM

Hi @quynhln8 ,

 

Thank you for confirming it.
Please run the debug I suggested you in my previous message, it should highlight if there is any mismatch in the IPsec config.

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
434
quynhln8
New Contributor II
In response to fricci_FTNT

Created on ‎05-29-2024 03:34 AM

This is debug follow your guide, do you see any error anywhere
I dont know how to insert .txt file
https://drive.google.com/file/d/1DqA6JIPThL791e4tUiP1HkQFMTJ-ZvWt/view?usp=drive_link

339
0 Kudos
fricci_FTNT
Staff
Staff
In response to quynhln8

Created on ‎05-29-2024 07:08 AM Edited on ‎05-29-2024 07:53 AM

Hi @quynhln8 ,

 

It looks like that the Cisco is not choosing a proposals for some reason, then it sends a notification to the FGT and the FGT deletes the corresponding phase 2 Security Parameter Index. Phase 2 negotiation then restarts again:


2024-05-29 17:19:20.066987 ike 0:ABCDEFGH:159258: notify msg received: NO-PROPOSAL-CHOSEN
2024-05-29 17:19:20.067013 ike 0:ABCDEFGH:159258:ABCDEFGH:2762615: IPsec SPI 52416064 match
2024-05-29 17:19:20.067019 ike 0:ABCDEFGH:159258:ABCDEFGH:2762615: delete phase2 SPI 52416064

Please try to choose a different proposal and check if the anti-reply is also enabled on the Cisco side (if available).
https://community.fortinet.com/t5/FortiGate/Technical-Note-Explaining-IPSEC-Anti-replay-and-preventi...
Once done, please launch the debug commands again and then reset the IPsec tunnel on both ends, so you can see the whole phase1/phase2 negotiation outputs in the debug (you can use "diagnose debug application ike 255" instead of -1).

 

Also on phase2 config on the FortiGate side you configured 172.16.0.0/16 and on the Cisco side you configured 172.16.40.0/24 and 172.16.44.0/24.

Can you try to configure two separate phase2 selectors on the FortiGate side as well, please.


You may find the below old post useful:
https://community.fortinet.com/t5/Support-Forum/Site-to-site-VPN-Fortigate-5-4-and-Cisco-NO-PROPOSAL...

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
308
quynhln8
New Contributor II
In response to fricci_FTNT

Created on ‎05-29-2024 08:23 PM

thank you @fricci_FTNT 
so done

I change proposal and IP, It work 

280
fricci_FTNT
Staff
Staff
In response to quynhln8

Created on ‎05-30-2024 04:38 AM Edited on ‎05-30-2024 04:38 AM

Hi @quynhln8,

That is great news, you are welcome.
If you could mark the answer that helped you as "solution", it would be great so users with a similar issue can quickly help themselves just going directly to the solution.

Have great day!

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
256
0 Kudos
achu
Staff
Staff

Created on ‎05-28-2024 10:42 PM

Hi @quynhln8 ,

 

Based on the description, you see phase 1 is up but phase 2 is down on FortiGate?

Did you try disabling PFS on FortiGate and flush the tunnel? 

378
quynhln8
New Contributor II
In response to achu

Created on ‎05-29-2024 02:31 AM

The thing is FGT display phase1 up, phase2 down, but when show VPN event, phase2 success, phase1 error. This problem is very confusing

348
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.