Not applicable

problem when VPN Site-to-site

Hi everyone! I have a problem configuring a site-to-site VPN between an FG200A and a Sonicwall. When I bring up the tunnel, it goes down again after 20 seconds. When I look at the log on the FG I see:

1 2008-11-19 14:20:57 notice negotiate Initiator: parsed 210.249.x.x main mode message #3 (DONE)
2 2008-11-19 14:20:56 notice negotiate Initiator: sent 210.249.x.x main mode message #3 (OK)
3 2008-11-19 14:20:56 notice negotiate Initiator: sent 210.249.x.x main mode message #2 (OK)
4 2008-11-19 14:20:56 notice negotiate Initiator: sent 210.249.x.x main mode message #1 (OK)
5 2008-11-19 14:20:56 notice delete_phase1_sa Deleted an Isakmp SA on the tunnel to 210.249.x.x:500
6 2008-11-19 14:20:56 error dpd IPsec connection failure on the tunnel to 210.249.x.x:500
7 2008-11-19 14:20:36 notice negotiate Initiator: parsed 210.249.x.x main mode message #3 (DONE)
8 2008-11-19 14:20:35 notice negotiate Initiator: sent 210.249.x.x main mode message #3 (OK)
9 2008-11-19 14:20:35 notice negotiate Initiator: sent 210.249.x.x main mode message #2 (OK)
10 2008-11-19 14:20:35 notice negotiate Initiator: sent 210.249.x.x main mode message #1 (OK)
11 2008-11-19 14:20:35 notice delete_phase1_sa Deleted an Isakmp SA on the tunnel to 210.249.x.x:500
12 2008-11-19 14:20:35 error dpd IPsec connection failure on the tunnel to 210.249.x.x:500

I don't know why this failure appears. If anyone has had this problem, please answer. Many thanks!
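The flap pattern in the log above can be measured mechanically. The following is an added example, not part of the original post or of any Fortinet tool: it pairs each completed phase 1 ("main mode message #3 (DONE)") with the next DPD failure and reports how long the SA lived. The function names and the 60-second threshold are assumptions, and the line format is assumed to be the one shown in the post.

```python
import re
from datetime import datetime

# Log lines copied from the post above (newest first, log viewer index column dropped).
SAMPLE_LOG = """\
2008-11-19 14:20:57 notice negotiate Initiator: parsed 210.249.x.x main mode message #3 (DONE)
2008-11-19 14:20:56 notice negotiate Initiator: sent 210.249.x.x main mode message #3 (OK)
2008-11-19 14:20:56 notice negotiate Initiator: sent 210.249.x.x main mode message #2 (OK)
2008-11-19 14:20:56 notice negotiate Initiator: sent 210.249.x.x main mode message #1 (OK)
2008-11-19 14:20:56 notice delete_phase1_sa Deleted an Isakmp SA on the tunnel to 210.249.x.x:500
2008-11-19 14:20:56 error dpd IPsec connection failure on the tunnel to 210.249.x.x:500
2008-11-19 14:20:36 notice negotiate Initiator: parsed 210.249.x.x main mode message #3 (DONE)
2008-11-19 14:20:35 notice negotiate Initiator: sent 210.249.x.x main mode message #3 (OK)
2008-11-19 14:20:35 notice negotiate Initiator: sent 210.249.x.x main mode message #2 (OK)
2008-11-19 14:20:35 notice negotiate Initiator: sent 210.249.x.x main mode message #1 (OK)
2008-11-19 14:20:35 notice delete_phase1_sa Deleted an Isakmp SA on the tunnel to 210.249.x.x:500
2008-11-19 14:20:35 error dpd IPsec connection failure on the tunnel to 210.249.x.x:500
"""

# Optional leading index, then timestamp, level, sub-type and free-text message.
LINE_RE = re.compile(r"^(?:\d+\s+)?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (\w+) (.*)$")

def parse(text):
    """Return (time, level, subtype, message) tuples, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, level, subtype, msg = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), level, subtype, msg))
    # Input is newest first: reverse, then stable-sort so same-second lines keep their order.
    return sorted(reversed(events), key=lambda e: e[0])

def dpd_flaps(text, max_uptime=60):
    """List (established, failed, seconds) for each phase 1 torn down by DPD within max_uptime."""
    flaps, established = [], None
    for ts, level, subtype, msg in parse(text):
        if subtype == "negotiate" and "main mode message #3 (DONE)" in msg:
            established = ts
        elif subtype == "dpd" and level == "error" and established is not None:
            uptime = int((ts - established).total_seconds())
            if uptime <= max_uptime:
                flaps.append((established, ts, uptime))
            established = None
    return flaps

if __name__ == "__main__":
    print(dpd_flaps(SAMPLE_LOG))
```

A DPD failure with no earlier "DONE" line in the excerpt (the oldest entry here) is skipped, because its uptime cannot be computed from the lines shown.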
laf
New Contributor II

Check that you have identical phase 1 and phase 2 parameters on both devices.

The most expensive and scarce resource for man is time, paradoxically, it's infinite.
romanr
Valued Contributor

Do you have a policy in place for that tunnel on the fortigate? If phase2 doesn't start, then this might be the problem. Check your IPSec params as well. If you don't get any further, post the output of:

diag deb app ike -1 'sonicwall-ip'
diag deb ena

cheers.roman

PS: don't post real ip-addresses!
Not applicable

Do you have a policy in place for that tunnel on the fortigate? If phase2 doesn't start, then this might be the problem.
-----> I have done it. The problem here is that it works well with the old version, but after I upgraded the firmware it doesn't work.
rwpatterson
Valued Contributor III

Welcome to the forums! If you upgraded from a version <= v3MR3 to a version >= v3MR4, then the source in the policy must be set to 'all' for the tunnel to come up.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
romanr
Valued Contributor

ORIGINAL: nam pham van
the problem here is when i use old version it is work well but when i upgrade firmware it doesn't work.
From which version to which version did you upgrade? Try clearing the Local ID Field in the Phase 1 of the IPSec Tunnel! There was a change in behaviour from MR5 to MR6! cheers.roman
Not applicable

ORIGINAL: romanr
ORIGINAL: nam pham van
the problem here is when i use old version it is work well but when i upgrade firmware it doesn't work.
From which version to which version did you upgrade? Try clearing the Local ID Field in the Phase 1 of the IPSec Tunnel! There was a change in behaviour from MR5 to MR6! cheers.roman
Thanks for all the support! I have solved this problem. I upgraded to MR7 patch1 and it works smoothly. I think the old version does not work with the third-party vendor firewall Sonicwall. Many thanks to all members!