quynhln8
New Contributor II

Help with VPN between FGT & Cisco

I set up a VPN between FGT v6.4 & Cisco 2911.

On the FW it displays phase1 done but phase2 down.

When I check the VPN events, the result is a phase 1 error.

On the Cisco, the status is UP-IDLE.

For some reason, I had to hide the information.

I look forward to your help.

 

[Attached screenshots: RT config.png, show crypto RT.png, network.png, authen.png, phase-1.png, phase-2.png, VPN event.png, diag FW.png]

fricci_FTNT

Hi @quynhln8 ,

Have you run the command below as previously suggested? Have you spotted any mismatch?

diagnose vpn ike log-filter dst-addr4 <remote-peer-IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

Note: Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.


If you can, please paste its output here. If you cannot paste it, I would suggest you open a ticket with our support so this issue can be properly investigated.

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
rvillaroman
Staff

Hi @quynhln8,

 

It shows that they have different phase2-selectors; kindly match their phase2-selector and do not add it at once as the SPI will be different.

 

Kindly see this document for further information.

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/666100/ipsec-vpn-between-a-f...

rvillaroman
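The phase2-selector comparison described in the reply above, as an added example that is not part of the thread or of Fortinet's or Cisco's tooling. It assumes the Cisco side defines its selectors in a crypto ACL of the form `permit ip <net> <wildcard> <net> <wildcard>`; the sample configurations, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configs; names and addresses are placeholders, not from the thread.
CISCO_ACL = """\
access-list 110 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
access-list 110 permit ip 192.0.2.0 0.0.0.255 203.0.113.0 0.0.0.127
"""
FGT_PHASE2 = """\
config vpn ipsec phase2-interface
    edit "to-cisco-a"
        set src-subnet 198.51.100.0 255.255.255.0
        set dst-subnet 192.0.2.0 255.255.255.0
    next
    edit "to-cisco-b"
        set src-subnet 203.0.113.0 255.255.255.0
        set dst-subnet 192.0.2.0 255.255.255.0
    next
end
"""

def wildcard_net(addr, wildcard):
    """A Cisco wildcard mask is the inverted netmask: 0.0.0.127 -> /25."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}")

def cisco_selectors(acl):
    """(local, remote) pairs from 'permit ip <net> <wildcard> <net> <wildcard>' lines."""
    rows = re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", acl)
    return {(wildcard_net(s, sw), wildcard_net(d, dw)) for s, sw, d, dw in rows}

def fgt_selectors(cfg):
    """(src, dst) pair per phase2 entry; an unset selector is assumed to be 0.0.0.0/0."""
    out = {}
    for name, body in re.findall(r'edit "([^"]+)"(.*?)\n\s*next', cfg, re.S):
        pair = []
        for key in ("src-subnet", "dst-subnet"):
            m = re.search(rf"set {key} (\S+) (\S+)", body)
            pair.append(ipaddress.ip_network("/".join(m.groups()) if m else "0.0.0.0/0"))
        out[name] = tuple(pair)
    return out

def selector_mismatches(acl, cfg):
    """The FortiGate (src, dst) must mirror the Cisco (local, remote) exactly."""
    cisco = cisco_selectors(acl)
    mirrored = {(dst, src) for src, dst in fgt_selectors(cfg).values()}
    fmt = lambda pairs: sorted(f"{a} <-> {b}" for a, b in pairs)
    return {"only_on_cisco": fmt(cisco - mirrored), "only_on_fortigate": fmt(mirrored - cisco)}

if __name__ == "__main__":
    print(selector_mismatches(CISCO_ACL, FGT_PHASE2))
```

In the constructed sample the second pair differs only in mask length (/25 on the Cisco ACL, /24 on the FortiGate), which is enough for phase 2 to fail while phase 1 stays up.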
quynhln8
New Contributor II

Thanks everyone, it's already working.
