IPsec Site-to-Site problem - request is on the queue

Author: dimago (New Member), 2013/12/09 10:14:14

Hello guys,

I noticed a problem with my FG VPN to a Cisco firewall.

The tunnel was down and it was not coming up. In the debug I caught this:

ike 0:VPN:VPN P2: IPsec SA connect 5 100.100.100.100->200.200.200.200:500
ike 0:VPN:VPN P2: using existing connection
ike 0:VPN:VPN P2: config found
ike 0:VPN: request is on the queue

In the GUI, under VPN > IPsec Monitor, I saw the tunnel with more than 44150 seconds of uptime.
I thought it was very weird.

I changed the peer of the VPN, and it "refreshed".
I changed it back to the correct peer, and it came up, with the uptime starting again from seconds.
I think the FG "locked" something.

This is my version:
v5.0,build0252 (GA Patch 5)

Does anyone have any idea?

Thanks!
#1


    dimago (New Member), 2013/12/10 02:15:50
    Anyone?
    #2
    Silver (Gold Member), 2013/12/13 07:33:42
    Hello Dimago,

    I want to set up a site-to-multisite VPN with a FortiGate at the head office and another two offices with Cisco firewalls. Can you tell me what type of VPN policy you have been using to set up the VPN? Have you used policy-based or route-based?

    Thanks
    #3
    Silver (Gold Member), 2013/12/13 07:35:12
    On my firmware, version 5 patch 5, I only see the option to configure route-based, not policy-based. In the GUI I also only find the option to enable VPN, that's it.

    #4
    dimago (New Member), 2013/12/14 03:34:16
    Silver,

    Well, I created Phase 1 and Phase 2 with the defaults, using the left menu VPN and then Auto Key (IKE). For sure, I did not see the option you mentioned.

    If you give me a screenshot maybe I can take a look.

    Diego
    #5
    Silver (Gold Member), 2013/12/15 08:12:59
    Okay, have you selected interface mode while creating Phase 1, or what?

    Have you configured two policies, one for each direction, with ACCEPT only, or have you created one policy as an IPsec tunnel?
    #6
    emnoc (Expert Member, Austin TX area), 2013/12/15 17:47:06
    Do you have a route in place?

    Did you do any diag debug flow / diag debug app ike?

    Where are your FortiGate configs?

    Where are your Cisco configs and show command outputs?

    You can use this link for some ideas on the proper steps for FGT LAN-to-LAN VPN troubleshooting:

    http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #7
    sohrab (New Member), 2015/06/09 22:20:44
    Hello Experts,
    I have the same problem, I mean with a site-to-site VPN on a 60D. I configured it in interface mode. All steps were configured successfully, I mean: first Phase 1, then Phase 2, then the addresses I created for the local LAN and remote LAN, then the 2 policies I created, one for local and one for remote. After that, when I check in the IPsec monitor, the tunnel is not up. When I checked the VPN log file, it says 'IPsec phase 1 negotiate success.' You can find the outputs in the attachment. And in the CLI, when I run the command "diag debug application ike 255", it shows me the following output:
    ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: using existing connection
    ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: config found
    ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: IPsec SA connect 6 213.97.223.228->213.82.83.89:500 negotiating
    ike 0:Fuj_FCA_VPN:5446:FCA_IPSEC_VPN_P2.:5443: ISAKMP SA still negotiating, queuing quick-mode request
    ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: IPsec SA connect 6 213.97.223.228->213.82.83.89:500

    I need urgent help from experts please. This is my email address: sohrab.khaliq@gmail.com
    Awaiting your kind reply.

    Attached Image(s)

    #8
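As an added example (my own code, not posted by anyone in this thread and not Fortinet's), here is a small Python parser for the "diag debug application ike" output quoted in the first post and in reply #8. It folds the lines into per-tunnel state and flags tunnels whose quick-mode (phase 2) request is sitting in the queue, separating the case where the debug also says the ISAKMP SA is still negotiating from the case where it does not. The line layout "ike <idx>:<phase1>[:<serial>]:<phase2>[:<serial>]: <message>" is an assumption inferred from the quoted lines, and the sample capture is constructed from those same quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample: the "diag debug application ike" lines quoted earlier in
# this thread (the original post and reply #8), joined into one capture.
SAMPLE_IKE_DEBUG = """\
ike 0:VPN:VPN P2: IPsec SA connect 5 100.100.100.100->200.200.200.200:500
ike 0:VPN:VPN P2: using existing connection
ike 0:VPN:VPN P2: config found
ike 0:VPN: request is on the queue
ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: using existing connection
ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: config found
ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: IPsec SA connect 6 213.97.223.228->213.82.83.89:500 negotiating
ike 0:Fuj_FCA_VPN:5446:FCA_IPSEC_VPN_P2.:5443: ISAKMP SA still negotiating, queuing quick-mode request
ike 0:Fuj_FCA_VPN:FCA_IPSEC_VPN_P2.: IPsec SA connect 6 213.97.223.228->213.82.83.89:500
"""

# Assumed line layout (inferred from the quoted lines, not from Fortinet docs):
#   ike <idx>:<phase1>[:<serial>]:<phase2>[:<serial>]: <message>
PEER_RE = re.compile(
    r"IPsec SA connect \d+ (?P<local>[\d.]+)->(?P<remote>[\d.]+):(?P<port>\d+)"
)
# Messages that mean the phase 2 (quick-mode) request is parked, not negotiated.
QUEUED_MARKERS = ("request is on the queue", "queuing quick-mode request")
P1_PENDING_MARKER = "ISAKMP SA still negotiating"


def parse_ike_line(line):
    """Split one ike debug line into (phase1, phase2_or_None, message).

    The header ends at the first ': '; purely numeric header tokens are
    per-SA serials and are dropped. Returns None for non-ike lines.
    """
    if not line.startswith("ike ") or ": " not in line:
        return None
    header, msg = line[4:].split(": ", 1)
    names = [tok for tok in header.split(":")[1:] if not tok.isdigit()]
    if not names:
        return None
    phase2 = names[1] if len(names) > 1 else None
    return names[0], phase2, msg.strip()


def summarize(debug_text):
    """Fold a debug capture into per-phase1 state: peers, phase 2 names, and
    whether a quick-mode request was queued or phase 1 was reported pending."""
    tunnels = defaultdict(lambda: {
        "phase2": set(), "peers": None, "queued": False, "p1_pending": False,
    })
    for raw in debug_text.splitlines():
        parsed = parse_ike_line(raw)
        if parsed is None:
            continue
        phase1, phase2, msg = parsed
        state = tunnels[phase1]
        if phase2:
            state["phase2"].add(phase2)
        m = PEER_RE.search(msg)
        if m:
            state["peers"] = (m.group("local"), m.group("remote"))
        if any(marker in msg for marker in QUEUED_MARKERS):
            state["queued"] = True
        if P1_PENDING_MARKER in msg:
            state["p1_pending"] = True
    return dict(tunnels)


def stuck_tunnels(debug_text):
    """Return {phase1_name: reason} for tunnels whose phase 2 request is
    queued, which is the symptom this thread is about."""
    report = {}
    for name, state in summarize(debug_text).items():
        if not state["queued"]:
            continue
        if state["p1_pending"]:
            report[name] = "phase 2 queued: ISAKMP (phase 1) SA still negotiating"
        else:
            report[name] = ("phase 2 queued on an existing phase 1 connection; "
                            "no 'still negotiating' line seen")
    return report


if __name__ == "__main__":
    states = summarize(SAMPLE_IKE_DEBUG)
    for name, reason in stuck_tunnels(SAMPLE_IKE_DEBUG).items():
        print(f"{name} {states[name]['peers']}: {reason}")
```

To use it on a real capture, save the output of the "diag debug application ike 255" command used in reply #8 to a file and pass its contents to stuck_tunnels(). A tunnel that the IPsec monitor shows as up while the debug keeps logging "request is on the queue" is the pattern the original post describes; the report separates that from a tunnel whose phase 1 has not finished negotiating at all.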
    Johan Witters (Bronze Member, Belgium), 2015/06/11 04:07:14
    Hello Sohrab,
     
    Is it possible to post your configuration? Or at least the VPN/policy/routing sections?

    Johan Witters
    Network & Security Engineer
    FCNSP V4/V5
     
    BKM NV
    #9
    B1202 (New Member), 2018/08/17 09:01:14
    Weird bug. I had the same issue with the same error going to an AWS VPN connection. I re-pointed the tunnel to a bad IP, saved, then pointed it back while watching the debug. The connection dropped and the related policies were disabled; then, when I pointed the tunnel back to the correct IP, it reconnected and all policies were enabled. Since then everything has been working great. This tunnel had been up for about a month before this issue. Another interesting thing is that the "monitor" didn't fail over to the other redundant tunnel. It's almost like this tunnel was locked up but the FW didn't know it had failed, so it never brought up the secondary.
    #10