FortiGate
vifi
Article Id 267555
Description

This article describes a solution for an IPsec phase 2 issue observed between a FortiGate and a Palo Alto firewall.

When several phase 2 selectors are configured under the same phase 1, only some of them stay up.

Scope

Site-to-site IPsec VPN between FortiGate and Palo Alto.

Solution
1. In the FortiGate IKE debug output, the following can be observed:

2023-07-26 14:51:08.793990 ike 0:DC1_VPN:561078: received informational request
2023-07-26 14:51:08.793994 ike 0:DC1_VPN:561078: processing delete request (proto 3)
2023-07-26 14:51:08.793998 ike 0:DC1_VPN: deleting IPsec SA with SPI b4757c99
2023-07-26 14:51:08.794019 ike 0:DC1_VPN:DC1_VPN_CLT1: deleted IPsec SA with SPI b4757c99, SA count: 0
2023-07-26 14:51:08.794026 ike 0:DC1_VPN: sending SNMP tunnel DOWN trap for DC1_VPN_CLT1
2023-07-26 14:51:08.794054 ike 0:DC1_VPN:561078: sending delete ack

FortiGate receives a delete request from the Palo Alto side and brings the phase 2 down, as the Palo Alto peer requested.

2. Check the logs on the Palo Alto side at around the same time.

2023-07-26 15:05:26.320 +0000  [INFO]: {   10:     }: delete proto ESP spi 0xDA45D112
2023-07-26 15:05:26.320 +0000  [PWRN]: {   10:     }: can't find sa for proto ESP spi 0xDA45D112

These are the same logs that the Palo Alto documentation recommends checking. On the Palo Alto side, the deletion of the ESP SPI is logged together with a warning that no SA exists for that SPI, which matches the delete request the FortiGate receives.
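As an added illustration that is not part of the original article, the following Python script parses FortiGate IKE debug lines and Palo Alto log lines of the form quoted in steps 1 and 2 and reports which phase 2 selectors were torn down at the peer's request, as opposed to a local or partial (rekey-style) deletion. The log samples are constructed from the lines in this article plus two extra deletion records (the phase 2 names DC1_VPN_CLT2 and DC1_VPN_CLT3 are hypothetical); the regular expressions and function names are assumptions made for this example, not Fortinet or Palo Alto tooling.

```python
import re

# Constructed sample input: the lines quoted in the article plus two extra deletion
# records (DC1_VPN_CLT2 and DC1_VPN_CLT3 are hypothetical phase 2 names) for contrast:
# one SA deleted at the peer's request with another SA still in place, and one
# deleted locally with no preceding delete request from the peer.
FORTIGATE_IKE_DEBUG = """\
2023-07-26 14:51:08.793990 ike 0:DC1_VPN:561078: received informational request
2023-07-26 14:51:08.793994 ike 0:DC1_VPN:561078: processing delete request (proto 3)
2023-07-26 14:51:08.793998 ike 0:DC1_VPN: deleting IPsec SA with SPI b4757c99
2023-07-26 14:51:08.794019 ike 0:DC1_VPN:DC1_VPN_CLT1: deleted IPsec SA with SPI b4757c99, SA count: 0
2023-07-26 14:51:08.794026 ike 0:DC1_VPN: sending SNMP tunnel DOWN trap for DC1_VPN_CLT1
2023-07-26 14:51:08.794054 ike 0:DC1_VPN:561078: sending delete ack
2023-07-26 14:51:09.100000 ike 0:DC1_VPN:561079: received informational request
2023-07-26 14:51:09.100010 ike 0:DC1_VPN:561079: processing delete request (proto 3)
2023-07-26 14:51:09.100020 ike 0:DC1_VPN:DC1_VPN_CLT2: deleted IPsec SA with SPI 0a0b0c0d, SA count: 1
2023-07-26 14:51:09.100030 ike 0:DC1_VPN:561079: sending delete ack
2023-07-26 14:52:00.000000 ike 0:DC1_VPN:DC1_VPN_CLT3: deleted IPsec SA with SPI 11223344, SA count: 0
"""

# Constructed sample input modelled on the Palo Alto lines quoted in the article.
PALO_ALTO_IKEMGR_LOG = """\
2023-07-26 15:05:26.320 +0000  [INFO]: {   10:     }: delete proto ESP spi 0xDA45D112
2023-07-26 15:05:26.320 +0000  [PWRN]: {   10:     }: can't find sa for proto ESP spi 0xDA45D112
"""

# Patterns for the three FortiGate debug lines that matter here (assumed formats,
# derived from the sample lines above) and the Palo Alto "can't find sa" warning.
DELETE_REQUEST = re.compile(
    r"^(?P<ts>\S+ \S+) ike 0:(?P<p1>[^:]+):(?P<xid>\d+): processing delete request \(proto (?P<proto>\d+)\)$")
SA_DELETED = re.compile(
    r"^(?P<ts>\S+ \S+) ike 0:(?P<p1>[^:]+):(?P<p2>[^:]+): deleted IPsec SA with SPI "
    r"(?P<spi>[0-9a-fA-F]+), SA count: (?P<count>\d+)$")
DELETE_ACK = re.compile(
    r"^(?P<ts>\S+ \S+) ike 0:(?P<p1>[^:]+):(?P<xid>\d+): sending delete ack$")
PA_CANT_FIND_SA = re.compile(
    r"can't find sa for proto (?P<proto>\w+) spi 0x(?P<spi>[0-9a-fA-F]+)")


def parse_fortigate_deletes(debug_text):
    """Return one record per deleted IPsec SA, flagged with whether the peer asked for it.

    A deletion is attributed to the peer when it occurs between a
    'processing delete request' line and the matching 'sending delete ack'
    line for the same phase 1.
    """
    pending = {}   # phase 1 name -> True while a peer delete request is being processed
    events = []
    for line in debug_text.splitlines():
        m = DELETE_REQUEST.match(line)
        if m:
            pending[m["p1"]] = True
            continue
        m = SA_DELETED.match(line)
        if m:
            events.append({
                "ts": m["ts"], "phase1": m["p1"], "phase2": m["p2"],
                "spi": m["spi"].lower(), "remaining": int(m["count"]),
                "peer_initiated": pending.get(m["p1"], False),
            })
            continue
        m = DELETE_ACK.match(line)
        if m:
            pending.pop(m["p1"], None)
    return events


def down_phase2s(events):
    """Phase 2 selectors whose last SA was removed at the peer's request (the article's symptom)."""
    return sorted({e["phase2"] for e in events if e["peer_initiated"] and e["remaining"] == 0})


def palo_alto_unmatched_spis(log_text):
    """SPIs the Palo Alto side tried to delete while reporting that it had no SA for them."""
    spis = set()
    for line in log_text.splitlines():
        m = PA_CANT_FIND_SA.search(line)
        if m:
            spis.add(m["spi"].lower())
    return sorted(spis)


def summarize(fgt_debug, pa_log):
    """Combine both sides into one report for the tunnel under investigation."""
    events = parse_fortigate_deletes(fgt_debug)
    return {
        "peer_deleted_sas": [(e["phase2"], e["spi"]) for e in events if e["peer_initiated"]],
        "down_phase2s": down_phase2s(events),
        "pa_unmatched_spis": palo_alto_unmatched_spis(pa_log),
    }


if __name__ == "__main__":
    for key, value in summarize(FORTIGATE_IKE_DEBUG, PALO_ALTO_IKEMGR_LOG).items():
        print(f"{key}: {value}")
```

The two captures are analysed separately on purpose: the SPIs in the FortiGate and Palo Alto logs refer to different SAs (and the quoted captures were taken at different times), so the script reports the peer-initiated teardowns on the FortiGate side and the "can't find sa" warnings on the Palo Alto side rather than trying to join them by SPI.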

To solve this issue, configure the Palo Alto side for policy-based VPN.
