- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ignoring unsupported INFORMATIONAL message 0
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ignoring unsupported INFORMATIONAL message 0
I am attempting to setup an IPsec VPN and this is the message I get when it attempts to connect.
ignoring unsupported INFORMATIONAL message 0
Does anyone know what that means?
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm working on a IPsec VPN issue right now with the remote peer being a Cisco ASR doing VRF-IPsec.
While debugging, I received this same error message. The remote sides debug display the following:
*********************************ASR Debug
*Sep 17 20:58:05.715: ISAKMP:(0): vendor ID is DPD *Sep 17 20:58:05.715: ISAKMP:(0): processing vendor id payload *Sep 17 20:58:05.715: ISAKMP:(0): vendor ID seems Unity/DPD but major 2 mismatch *Sep 17 20:58:05.715: ISAKMP:(0):No pre-shared key with 40.x.x.132! *Sep 17 20:58:05.717: ISAKMP : Scanning profiles for xauth ... RExET-VRF-PROFILE *Sep 17 20:58:05.717: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy *Sep 17 20:58:05.717: ISAKMP: life type in seconds *Sep 17 20:58:05.717: ISAKMP: life duration (basic) of 28800 *Sep 17 20:58:05.717: ISAKMP: encryption AES-CBC *Sep 17 20:58:05.717: ISAKMP: keylength of 256 *Sep 17 20:58:05.717: ISAKMP: auth pre-share *Sep 17 20:58:05.717: ISAKMP: hash SHA *Sep 17 20:58:05.717: ISAKMP: default group 2 *Sep 17 20:58:05.717: ISAKMP:(0):Preshared authentication offered but does not match policy! *Sep 17 20:58:05.717: ISAKMP:(0):atts are not acceptable. Next payload is 0 *Sep 17 20:58:05.717: ISAKMP:(0):no offers accepted! *Sep 17 20:58:05.719: ISAKMP:(0): phase 1 SA policy not acceptable! (local 10.1.5.15 remote 40.x.x.132) *Sep 17 20:58:05.719: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init *Sep 17 20:58:05.719: ISAKMP:(0): Failed to construct AG informational message. *Sep 17 20:58:05.719: ISAKMP:(0): sending packet to 40.128.70.132 my_port 500 peer_port 500 (R) MM_NO_STATE *Sep 17 20:58:05.719: ISAKMP:(0):Sending an IKE IPv4 Packet. *Sep 17 20:58:05.719: ISAKMP:(0):peer does not do paranoid keepalives.
=================================
as you can see the remote side states we are not sending a PSK, but while testing the connection to the a Lab Fortigate we can successfully build an IPsec VPN. The remote side is involving Cisco TAC to investigate config.
My conclusion, the remote side is not configured correctly to bring up phase1 and the reason why is an information message not supported by the fortigate. I will update this thread if I found out what the fix is for the remote side.
Best of luck!
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have DPD enabled? That would be my 1st guess without seeing the cfgs. You could probably catch this in tshark/wireshark and validate.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I took a look on my config and DPD was currently on I turned off an received same error:
ke 9: comes 216.x.x.250:500->40.x.x.132:500,ifindex=133.... ike 9: IKEv1 exchange=Informational id=db15c6a913fd97e4/b716e6b3f2ca12c1 len=384 id=36871 trace_id=51626 msg="Find an existing session, id-328b36d0, reply direction" ike 9: in DB15C6A913FD97E4B716E6B3F2CA12C10B100500000000000000018000000164000000010100000E0D00015800000001000000010000000000007FD61121B858020000000000000000007FD60C7295CC58B82111D67F0000000000000A3A4170E5C100C000000000B0385D12D67F00005029B10DD67F0000CF1B68080000000000007FD60DB12940000000000A3A4170000000000A3623280200000000000000000000000000000000007FD61121B858B0385D12D67F000000007FD6125D38B0300000000000000058B82111D67F000000007FD60DB1294400007FD60DB128F000007FD61121B88888B82111D67F000000000000017F0000AB176808000000008029B10DD67F000052A462080000000000007FD61121BDBC20CB9C120000000000000000000000000000000000000000C029B10DD67F0000DCBE9B080000000000007FD6125D38B0A0876612D67F000000007FD61121B85800000003000000000000000500000000E783D80300000000F029B10DD67F000017BE9B0800000000 ike 9:258841_VPN:28514329: ignoring unsupported INFORMATIONAL message 0.
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Qs;
Did you disable before sides ( FGT and ASR )?
So are you just worried about the informational message and does the VPn establish?
I'm sure this is just informational and probably some type of vendor specific messages between both peers.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In my case, with Fortigate->Sonicwall, this turned out to be Local ID Type. FG30d running 5.4.0 uses FQDN type by default, but Sonicwall does not like this with remote peer type set to Domain Name, Key ID or Firewall ID. Setting Sonicwall remote peer type to Key ID and specifying "set localid-type=keyid" in P1 solved the problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From Site-to-Site VPN check the below configuration probable one of them is not matched.
IPSec Tunnels > Edit VPN Tunnels > Authentication Phase 1 Proposal ( check Engryption and Authentication information - seems they are not matched with another side)
Plz feedback and rate if it works.
Related Posts
- VPN IPsec issue 992 Views
- Can't seem to get site-to-site IPSEC... 2123 Views
- IPsec VPN between Fortigate and Mikrotik 23454 Views
- iOS VPN 8793 Views
- Problem with ipsec tunnel - payload-malformed 24738 Views
Labels
-
FortiGate
6,526 -
FortiClient
1,301 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiAP
333 -
FortiSwitch
332 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
241 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
FortiAuthenticator
11 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.