Support Forum
zmag
New Contributor

"No matching IPsec selector, drop"

FG 620B 4.0 MR2 patch 1, interface mode IPsec. Trying to bring IPsec tunnels up. The monitor shows the tunnel is up. No traffic (echo) is passing.

First step was:

```
chifgt02 (root) # diagnose sniffer packet any "host 192.168.37.150 or host 10.x.x.x" 4
****started ping from 37.150 > 10.x.x.x now***************
interfaces=[any]
filters=[host 192.168.37.150 or host 10.66.6.14]
3.376838 port1 in 192.168.37.150 -> 10.x.x.x: icmp: echo request
8.877053 port1 in 192.168.37.150 -> 10.x.x.x: icmp: echo request
14.376863 port1 in 192.168.37.150 -> 10.x.x.x: icmp: echo request
19.877578 port1 in 192.168.37.150 -> 10.x.x.x: icmp: echo request
4 packets received by filter
0 packets dropped by kernel
```

So this indicates the firewall sees the traffic; not sure what else this tells me.

Second step:

```
chifgt02 (root) # diagnose sniffer packet any "host 192.168.37.150 or host 10.x.x.x or arp" 4
```

I see no references to 10.x.x.x.

Third step:

```
chifgt02 (root) # diag debug enable
chifgt02 (root) # diag debug flow filter add 192.168.37.150
chifgt02 (root) # diag debug flow show console enable
show trace messages on console
chifgt02 (root) # diag debug flow trace start 100
chifgt02 (root) # diag debug enable
****START PING NOW FROM 37.150 > 10.x.x.x***********
chifgt02 (root) # id=36870 trace_id=1 msg="vd-root received a packet(proto=1, 192.168.37.150:512->10.x.x.x:8) from port1."
id=36870 trace_id=1 msg="allocate a new session-000c8cd6"
id=36870 trace_id=1 msg="find a route: gw-10.x.x.x via meditech"
id=36870 trace_id=1 msg="Allowed by Policy-114:"
id=36870 trace_id=1 msg="enter IPsec interface-meditech"
id=36870 trace_id=1 msg="No matching IPsec selector, drop"
id=36870 trace_id=2 msg="vd-root received a packet(proto=1, 192.168.37.150:512->10.x.x.x:8) from port1."
id=36870 trace_id=2 msg="Find an existing session, id-000c8cd6, original direction"
id=36870 trace_id=2 msg="enter IPsec interface-meditech"
id=36870 trace_id=2 msg="No matching IPsec selector, drop"
```

Fourth step: I looked at my P2 Quick Mode Selector, which is:

```
chifgt02 (meditech_2) # set dst-addr-type name
chifgt02 (meditech_2) # set dst-name vpn_remote_meditech
chifgt02 (meditech_2) # set src-addr-type name
chifgt02 (meditech_2) # set src-name vpn_local_meditech
```

I think this is my problem? I have seen people suggest to set these to 0.0.0.0/0.0.0.0 and filter at the policy, but I think this will fail if the setup on the other side of the tunnel (which I don't manage) is not the same. I deleted this P2 and created a new one with all 0s; this time the tunnel would not come up. The debug showed something to the effect of "SA is not ready"; sorry, I didn't save that output. I changed P2 back to:

```
chifgt02 (meditech_2) # set dst-addr-type name
chifgt02 (meditech_2) # set dst-name vpn_remote_meditech
chifgt02 (meditech_2) # set src-addr-type name
chifgt02 (meditech_2) # set src-name vpn_local_meditech
```

Am I misunderstanding the Quick Mode Selector? I am wondering why it has a static source and static dst, since it seems to me that I would need 2 selectors, one for each direction. I will re-read the guides and forum posts, but hopefully someone can tell me if I'm on the right track. Thanks in advance.
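The post above ends with two things a reader may want to try on their own box: pulling the dropped packet out of a `diag debug flow` trace, and checking that packet against the phase-2 selector pair. The script below is an added example (not from the post, and not Fortinet code) that does both. It parses constructed trace lines in the same format as the post's output (the remote address 10.20.30.40 is made up; the post redacts it), finds every trace that ends in a drop, and tests the packet's src/dst against a local/remote selector pair. The selector model is an assumption based on standard IPsec selector semantics rather than anything the post confirms: the selector's src side is the local network, its dst side is the remote network, and the same pair is applied mirrored to traffic arriving from the tunnel, which is why a single pair covers both directions. `0.0.0.0/0` on either side matches everything.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of the "diag debug flow" output quoted in the post.
# The remote address 10.20.30.40 is made up; the post redacts it as 10.x.x.x.
SAMPLE_TRACE = """\
id=36870 trace_id=1 msg="vd-root received a packet(proto=1, 192.168.37.150:512->10.20.30.40:8) from port1."
id=36870 trace_id=1 msg="allocate a new session-000c8cd6"
id=36870 trace_id=1 msg="find a route: gw-10.20.30.1 via meditech"
id=36870 trace_id=1 msg="Allowed by Policy-114:"
id=36870 trace_id=1 msg="enter IPsec interface-meditech"
id=36870 trace_id=1 msg="No matching IPsec selector, drop"
id=36870 trace_id=2 msg="vd-root received a packet(proto=1, 192.168.37.150:512->10.20.30.40:8) from port1."
id=36870 trace_id=2 msg="Find an existing session, id-000c8cd6, original direction"
id=36870 trace_id=2 msg="enter IPsec interface-meditech"
id=36870 trace_id=2 msg="No matching IPsec selector, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+msg="(.*)"')
PKT_RE = re.compile(r'proto=(\d+),\s*([\d.]+):\d+->([\d.]+):\d+')


def parse_trace(text: str) -> Dict[str, dict]:
    """Group debug-flow lines by trace_id.

    Returns {trace_id: {"packet": (proto, src, dst) or None, "msgs": [msg, ...]}}.
    The packet tuple comes from the first "received a packet(...)" message of the trace.
    """
    traces: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = m.group(1), m.group(2)
        entry = traces.setdefault(tid, {"packet": None, "msgs": []})
        entry["msgs"].append(msg)
        p = PKT_RE.search(msg)
        if p and entry["packet"] is None:
            entry["packet"] = (int(p.group(1)), p.group(2), p.group(3))
    return traces


def find_drops(traces: Dict[str, dict]) -> List[Tuple[str, Optional[tuple], str]]:
    """Return (trace_id, packet, reason) for every trace whose last message is a drop."""
    drops = []
    for tid, entry in traces.items():
        msgs = entry["msgs"]
        if msgs and msgs[-1].endswith("drop"):
            drops.append((tid, entry["packet"], msgs[-1]))
    return drops


def selector_direction(local_net: str, remote_net: str, src: str, dst: str) -> Optional[str]:
    """Check one packet against a single phase-2 selector pair.

    Assumed model (standard IPsec selector semantics, not confirmed by the post):
    src selector = local network, dst selector = remote network, and the pair is
    mirrored for traffic coming back through the tunnel. Returns "outbound",
    "inbound", or None when neither direction matches.
    """
    local = ipaddress.ip_network(local_net, strict=False)
    remote = ipaddress.ip_network(remote_net, strict=False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in local and d in remote:
        return "outbound"
    if s in remote and d in local:
        return "inbound"
    return None


def diagnose(text: str, local_net: str, remote_net: str) -> List[dict]:
    """For each dropped trace, report whether the given selector pair would have matched it."""
    report = []
    for tid, pkt, reason in find_drops(parse_trace(text)):
        direction = selector_direction(local_net, remote_net, pkt[1], pkt[2]) if pkt else None
        report.append({"trace_id": tid, "packet": pkt, "reason": reason, "selector_match": direction})
    return report


if __name__ == "__main__":
    # Selector that does not cover the pinging host: both traces are dropped and unmatched.
    for r in diagnose(SAMPLE_TRACE, "192.168.38.0/24", "10.20.30.0/24"):
        print(r)
    # Selector that covers the pair: the same packets match in the outbound direction.
    for r in diagnose(SAMPLE_TRACE, "192.168.37.0/24", "10.20.30.0/24"):
        print(r)
```

Feed it the real trace and the prefixes behind the `vpn_local_*` / `vpn_remote_*` address objects; if `selector_match` comes back `None` for the dropped traces, the packet is outside the configured pair and the selector objects (or the address the host is actually sourcing from) are the first thing to check. A match on the local side with a drop still in the trace points instead at the peer's selectors not agreeing with yours.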
Carl_Wallmark
Valued Contributor

Good to know: in MR3 they have brought up the ability to add addresses and groups to the quick mode selection in the GUI; this can only be done in CLI today.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
