smclover
New Contributor

negotiation timeout,

Dear All,

I was trying to set up an IPsec VPN between Fortigate and SRX, but it didn't work at all.

I got the IPsec logs from Fortigate, and found this:

ike 0:VPN-GW:225: sent IKE msg (ident_r1send): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0:VPN-GW:224: negotiation timeout, deleting

It looks like it has tried to send the reply to the 1st message, but it failed for some reason. I'm not 100% sure if that's correct.

Do you have any idea how I can troubleshoot this case, and whether there's any other reason why the negotiation failed?

 

ike 0:20c4aa949a69745e/0000000000000000:221: responder: main mode get 1st message...

ike 0:20c4aa949a69745e/0000000000000000:221: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:20c4aa949a69745e/0000000000000000:221: VID unknown (16): AFCAD71368A1F1C96B8696FC77570100
ike 0:20c4aa949a69745e/0000000000000000:221: VID unknown (16): AFCAD71368A1F1C96B8696FC77570100
ike 0:20c4aa949a69745e/0000000000000000:221: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:20c4aa949a69745e/0000000000000000:221: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:20c4aa949a69745e/0000000000000000:221: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:20c4aa949a69745e/0000000000000000:221: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:20c4aa949a69745e/0000000000000000:221: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:20c4aa949a69745e/0000000000000000:221: VID unknown (28): 4A131C81070358455C5728F20E95452F
ike 0:20c4aa949a69745e/0000000000000000:221: negotiation result
ike 0:20c4aa949a69745e/0000000000000000:221: proposal id = 1:
ike 0:20c4aa949a69745e/0000000000000000:221: protocol id = ISAKMP:
ike 0:20c4aa949a69745e/0000000000000000:221: trans_id = KEY_IKE.
ike 0:20c4aa949a69745e/0000000000000000:221: encapsulation = IKE/none
ike 0:20c4aa949a69745e/0000000000000000:221: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:20c4aa949a69745e/0000000000000000:221: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:20c4aa949a69745e/0000000000000000:221: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:20c4aa949a69745e/0000000000000000:221: type=OAKLEY_GROUP, val=MODP1536.
ike 0:20c4aa949a69745e/0000000000000000:221: ISAKMP SA lifetime=28800
ike 0:20c4aa949a69745e/0000000000000000:221: SA proposal chosen, matched gateway VPN-GW
ike 0: found VPN-GW FORTIGW 7 -> SRX-GW:500
ike 0:VPN-GW:225: DPD negotiated
ike 0:VPN-GW:225: selected NAT-T version: RFC 3947
ike 0:VPN-GW:225: cookie 6c1c70d3deab4bab/31f33050dfa3e739
ike 0:VPN-GW:225: out 6C1C70D3DEAB4BAB31F33050DFA3E7390110020000000000000000980D0000400000000100000001000000340101080100000000000000000000002400010000800100058004000580020002800B0001000C000400007080800300010D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00000000
ike 0:VPN-GW:225: sent IKE msg (ident_r1send): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0:VPN-GW:224: negotiation timeout, deleting
ike 0:VPN-GW: schedule auto-negotiate
ike 0:VPN-GW:225: out 6C1C70D3DEAB4BAB31F33050DFA3E7390110020000000000000000980D0000400000000100000001000000340101080100000000000000000000002400010000800100058004000580020002800B0001000C000400007080800300010D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00000000
ike 0:VPN-GW:225: sent IKE msg (P1_RETRANSMIT): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0: comes SRX-GW:500->FORTIGW:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=6c1c70d3deab4bab/0000000000000000 len=284
ike 0: in 6C1C70D3DEAB4BAB000000000000000001100200000000000000011C0D000040000000010000000100000034010108016C1C70D3DEAB4BAB0000002400010000800100058004000580020002800B0001000C000400007080800300010D000014AFCAD71368A1F1C96B8696FC775701000D00001427BAB5DC01EA0760EA4E3190AC27C0D00D0000146105C422E76847E43F9684801292AECD0D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D0000147D9419A65310CA6F2C179D9215529D560D0000144A131C81070358455C5728F20E95452F00000020699369228741C6D4CA094C93E242C9DE19E7B7C60000000500000500
ike 0:VPN-GW:225: retransmission, re-send last message
ike 0:VPN-GW:225: out 6C1C70D3DEAB4BAB31F33050DFA3E7390110020000000000000000980D0000400000000100000001000000340101080100000000000000000000002400010000800100058004000580020002800B0001000C000400007080800300010D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00000000
ike 0:VPN-GW:225: sent IKE msg (retransmit): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0:VPN-GW:225: out 6C1C70D3DEAB4BAB31F33050DFA3E7390110020000000000000000980D0000400000000100000001000000340101080100000000000000000000002400010000800100058004000580020002800B0001000C000400007080800300010D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00000000
ike 0:VPN-GW:225: sent IKE msg (P1_RETRANSMIT): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0: comes SRX-GW:500->FORTIGW:500,ifindex=7....
ike 0: IKEv1 exchange=Identity Protection id=6c1c70d3deab4bab/0000000000000000 len=284
ike 0: in 6C1C70D3DEAB4BAB000000000000000001100200000000000000011C0D000040000000010000000100000034010108016C1C70D3DEAB4BAB0000002400010000800100058004000580020002800B0001000C000400007080800300010D000014AFCAD71368A1F1C96B8696FC775701000D00001427BAB5DC01EA0760EA4E3190AC27C0D00D0000146105C422E76847E43F9684801292AECD0D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D0000147D9419A65310CA6F2C179D9215529D560D0000144A131C81070358455C5728F20E95452F00000020699369228741C6D4CA094C93E242C9DE19E7B7C60000000500000500
ike 0:VPN-GW:225: retransmission, re-send last message
ike 0:VPN-GW:225: out 6C1C70D3DEAB4BAB31F33050DFA3E7390110020000000000000000980D0000400000000100000001000000340101080100000000000000000000002400010000800100058004000580020002800B0001000C000400007080800300010D0000144A131C81070358455C5728F20E95452F0D000014AFCAD71368A1F1C96B8696FC77570100000000148299031757A36082C6A621DE00000000
ike 0:VPN-GW:225: sent IKE msg (retransmit): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0:VPN-GW:225: negotiation timeout, deleting
ike 0:VPN-GW: connection expiring due to phase1 down
ike 0:VPN-GW: deleting
ike 0:VPN-GW: deleted
ike 0:VPN-GW: schedule auto-negotiate
ike 0:VPN-GW: auto-negotiate connection
ike 0:VPN-GW: created connection: 0x115e9900 7 FORTIGW->SRX-GW:500.
ike 0:VPN-GW:226: initiator: main mode is sending 1st message...
ike 0:VPN-GW:226: cookie 24e6964da61bc752/0000000000000000
ike 0:VPN-GW:226: out
ike 0:VPN-GW:226: sent IKE msg (ident_i1send): FORTIGW:500->SRX-GW:500, len=284, id=24e6964da61bc752/0000000000000000
ike 0:VPN-GW:226: out 24E6964DA61BC752000000000000000001100200000000000000011C0D000034000000010000000100000028010100010000002001010000800B0001800C7080800100058003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:VPN-GW:226: sent IKE msg (P1_RETRANSMIT): FORTIGW:500->SRX-GW:500, len=284, id=24e6964da61bc752/0000000000000000
ike 0:VPN-GW:226: out
ike 0:VPN-GW:226: sent IKE msg (P1_RETRANSMIT): FORTIGW:500->SRX-GW:500, len=284, id=24e6964da61bc752/0000000000000000

Thank you in advance. 

Sam. 

3 REPLIES
FortiKoala
Staff

Configure IKEv2 on Fortigate instead of IKEv1. You need to make sure that the configuration is exactly the same for the VPN to come up. Please confirm the proxy ID on the Juniper device, as it needs to be the same on both sides.

Proxy ID in Juniper = Quick mode selector in Fortigate. You can refer to the following link to configure the site-to-site VPN: https://www.youtube.com/watch?v=sZC0AldHi34 Routes and the policies have to be in place for the VPN to come up.

https://docs.fortinet.com/d/fortigate-ipsec-vpn-1

http://cookbook.fortinet....c-vpn-troubleshooting/

Deepakkhw
New Contributor III

Hi,

I can see packet drops, or the remote location is not replying to the packet:

sent IKE msg (P1_RETRANSMIT): FORTIGW:500->SRX-GW:500,

If either device is behind NAT, then check the port forwarding and NAT-T configuration. The best suggestion is to also check the debugging on the remote site device, so you will get a clear picture of what is going on between the two devices. Is there any VPN blocked by the ISP?

Regards,
Deepak Kumar
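One way to read the retransmit pattern discussed above directly from the debug output, as an added example that is not part of any post in this thread: it groups the "sent IKE msg" and incoming "IKEv1 exchange" lines by initiator cookie and reports whether the peer ever echoed a non-zero responder cookie. The verdict names and the `diagnose` function are assumptions made for illustration; the sample lines are an excerpt of the log quoted in the question, with the hex dumps left out.

```python
import re

# Excerpt of the FortiGate IKE debug lines quoted in this thread (hex dumps omitted).
SAMPLE = """\
ike 0:VPN-GW:225: sent IKE msg (ident_r1send): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0:VPN-GW:225: sent IKE msg (P1_RETRANSMIT): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0: IKEv1 exchange=Identity Protection id=6c1c70d3deab4bab/0000000000000000 len=284
ike 0:VPN-GW:225: sent IKE msg (retransmit): FORTIGW:500->SRX-GW:500, len=152, id=6c1c70d3deab4bab/31f33050dfa3e739
ike 0:VPN-GW:225: negotiation timeout, deleting
ike 0:VPN-GW:226: sent IKE msg (ident_i1send): FORTIGW:500->SRX-GW:500, len=284, id=24e6964da61bc752/0000000000000000
ike 0:VPN-GW:226: sent IKE msg (P1_RETRANSMIT): FORTIGW:500->SRX-GW:500, len=284, id=24e6964da61bc752/0000000000000000
"""

ZERO = "0" * 16  # responder cookie before the responder's reply has been processed
SENT = re.compile(r"^ike \d+:[^:]+:(\d+): sent IKE msg \((\w+)\): .*id=([0-9a-f]{16})/([0-9a-f]{16})")
RECV = re.compile(r"^ike \d+: IKEv\d exchange=.* id=([0-9a-f]{16})/([0-9a-f]{16})")
TIMEOUT = re.compile(r"^ike \d+:[^:]+:(\d+): negotiation timeout")

def diagnose(log):
    """Return {initiator_cookie: (verdict, timed_out)} per phase 1 exchange."""
    ex, by_serial = {}, {}
    for line in log.splitlines():
        if m := SENT.match(line):
            serial, kind, icookie, _ = m.groups()
            e = ex.setdefault(icookie, {"role": None, "peer_rcookies": [], "timeout": False})
            if kind.startswith("ident_"):  # ident_r* = we respond, ident_i* = we initiate
                e["role"] = "responder" if kind[6] == "r" else "initiator"
            by_serial[serial] = icookie    # timeout lines carry only the serial
        elif (m := RECV.match(line)) and m.group(1) in ex:
            ex[m.group(1)]["peer_rcookies"].append(m.group(2))
        elif (m := TIMEOUT.match(line)) and m.group(1) in by_serial:
            ex[by_serial[m.group(1)]]["timeout"] = True
    out = {}
    for icookie, e in ex.items():
        seen = e["peer_rcookies"]
        if e["role"] == "responder" and seen and all(r == ZERO for r in seen):
            # Peer keeps resending message 1: our reply is lost or ignored on its side.
            verdict = "reply_not_acknowledged_by_peer"
        elif e["role"] == "initiator" and not seen:
            verdict = "no_answer_from_peer"
        else:
            verdict = "progressed_or_undetermined"
        out[icookie] = (verdict, e["timeout"])
    return out

if __name__ == "__main__":
    for cookie, result in diagnose(SAMPLE).items():
        print(cookie, "->", result)
```

Either verdict only says that traffic in one direction is not completing the exchange; the peer's own debug output is still needed to tell a dropped packet from a rejected one.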

Stemjay
New Contributor

Kindly confirm if this was resolved. I have the same challenge between two VPN connections, phase one not coming up.

 
