Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DemianJacome
New Contributor

Created on ‎05-10-2023 10:34 AM

MULTIPLE PHASE 2 BETWEEN FORTIGATE AND VELOCLOUD GATEWAY

Hi guys! I have a problem with a vpn ipsec between my appliance fortigate and the velocloud gateway that is manage by my service provider.  The problem is that multiple phase 2 are generated until reaching the point of having more than 500. They are generated automatically, I only have 10 declared. 

Has anyone had this same problem? and how did they solve it?

Labels:
1389
0 Kudos
6 REPLIES 6
kvimaladevi
Staff
Staff

Created on ‎05-11-2023 01:28 AM

Hi DemianJacome,

 

Multiple phase 2 selectors should not be created on its own, that is not an expected behavior. May I know the current version of the Fortigate. Also, did the issue start after any recent upgrades?

 

Regards,

Vimala

1369
0 Kudos
gfleming
Staff
Staff

Created on ‎05-11-2023 12:23 PM

What does your phase2 config look like?

Cheers,
Graham
1363
StefanZ
New Contributor

Created on ‎06-23-2023 12:56 AM

We have experienced a similiar issue - not with Velocloud, but with a Sophos XG on the other end.
Although only two Phase2 Selectors are configured for this particular VPN-Tunnel, after a while we have seen 16 Phase2 Selectors at the VPN-Tunnel Table. The most interesting part is, that the additional Phase2 Selectos shows a ProxyID with a IP from the local subnet. Every additional Phase2 Selector has a unique Proxy-ID IP. No idea where this comes from...

 

1282
0 Kudos
pminarik
Staff
Staff

Created on ‎06-23-2023 01:10 AM

Any chance you're using IKEv2? IKEv2 natively allows selector narrowing (negotiating a phase2 as a sub-set of the configured range). This could even lead to individual host-to-host selectors/phase2s, so if you're using IKEv2, this will heavily depend on what the two sides are negotiating.

[ corrections always welcome ]
1277
StefanZ
New Contributor
In response to pminarik

Created on ‎06-23-2023 01:48 AM

Thank you fort that hint. IKEv2 is in use indeed. As the other end is extenally managed, I have only limited options to check what both sites are doing. However - a solid foundation talking to the other end ;) - Again - Thank you

 

1271
0 Kudos
pminarik
Staff
Staff
In response to StefanZ

Created on ‎06-23-2023 02:34 AM

I would expect ike -1 debug to give some ideas as to how these selectors came to be. If the issue is reproducible, you can take the tunnel down, enable the debugs, then bring it up and gather the logs. If you're not comfortable with parsing the outputs (it's not always pleasant :) ), you could open a TAC case to get help with understanding the logs, which will hopefully explain how the multiple phase2 SA come to be.

[ corrections always welcome ]
1265
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.