Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mroliver
New Contributor

IPSEC Invalid-cookie

I'm having an issue with my IPSEC using a Fortinet 60D and a Sonicwall; I got these logs.
ike 0:HQ_Net_Phase1:13: ISAKMP SA lifetime=28800
ike 0:HQ_Net_Phase1:13: out
ike 0:HQ_Net_Phase1:13: sent IKE msg (ident_i2send): 10.0.0.1:500->81.22.17.227:500, len=292, id=f6e4d441864bffcf/6a89ce1ea89b5235
ike 0: comes 81.22.17.227:500->10.0.0.1:500,ifindex=5....
ike 0: IKEv1 exchange=Identity Protection id=f6e4d441864bffcf/6a89ce1ea89b5235 len=340
ike 0: in
ike 0:HQ_Net_Phase1:13: initiator: main mode get 2nd response...
ike 0:HQ_Net_Phase1:13: VID unknown (8): 404BF439522CA3F6
ike 0:HQ_Net_Phase1:13: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:HQ_Net_Phase1:13: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:HQ_Net_Phase1:13: DPD negotiated
ike 0:HQ_Net_Phase1:13: NAT detected: ME PEER
ike 0:HQ_Net_Phase1:13: NAT-T float port 4500
ike 0:HQ_Net_Phase1:13: ISAKMP SA f6e4d441864bffcf/6a89ce1ea89b5235 key 32:A4BB4DBBB78F6B506BFEB86E990CF711FF5C2FDCB44E8473ED88A4575BF67790
ike 0:HQ_Net_Phase1:13: add INITIAL-CONTACT
ike 0:HQ_Net_Phase1:13: enc F6E4D441864BFFCF6A89CE1EA89B523505100201000000000000005C0800000C010000000A0000010B0000185806EEBDD53A3F6EF71C29D677F08327A4057B520000001C0000000101106002F6E4D441864BFFCF6A89CE1EA89B5235
ike 0:HQ_Net_Phase1:13: out F6E4D441864BFFCF6A89CE1EA89B523505100201000000000000006CE880FE2C99678B55E1E2BF3EA57D635D6FB6CF07B3338404EDEE826426D1071F9EB350880F64E27CF2EB430D02F85503454CE15A10BC4DD8EDC7D16D40C2B454161906C6B717A88C77E1D618105A19B1
ike 0:HQ_Net_Phase1:13: sent IKE msg (ident_i3send): 10.0.0.1:4500->81.22.17.227:4500, len=108, id=f6e4d441864bffcf/6a89ce1ea89b5235
ike 0:HQ_Net_Phase1:Phase2: IPsec SA connect 5 10.0.0.1->81.22.17.227:0
ike 0:HQ_Net_Phase1:Phase2: using existing connection
ike 0:HQ_Net_Phase1:Phase2: config found
ike 0:HQ_Net_Phase1:Phase2: IPsec SA connect 5 10.0.0.1->81.22.17.227:500 negotiating
ike 0:HQ_Net_Phase1:13:Phase2:8: ISAKMP SA still negotiating, queuing quick-mode request
ike 0: unknown SPI f6e4d441 5 81.22.17.227:500->10.0.0.1
ike 0: found HQ_Net_Phase1 10.0.0.1 5 -> 81.22.17.227:500
ike 0:HQ_Net_Phase1:Phase2: IPsec SA connect 5 10.0.0.1->81.22.17.227:0
ike 0:HQ_Net_Phase1:Phase2: using existing connection
ike 0:HQ_Net_Phase1:Phase2: config found
ike 0:HQ_Net_Phase1: request is on the queue
ike 0:HQ_Net_Phase1:13: out F6E4D441864BFFCF6A89CE1EA89B523505100201000000000000006CE880FE2C99678B55E1E2BF3EA57D635D6FB6CF07B3338404EDEE826426D1071F9EB350880F64E27CF2EB430D02F85503454CE15A10BC4DD8EDC7D16D40C2B454161906C6B717A88C77E1D618105A19B1
ike 0:HQ_Net_Phase1:13: sent IKE msg (P1_RETRANSMIT): 10.0.0.1:4500->81.22.17.227:4500, len=108, id=f6e4d441864bffcf/6a89ce1ea89b5235
ike 0: comes 81.22.17.227:4500->10.0.0.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=f6e4d441864bffcf/6a89ce1ea89b5235:6f1a6432 len=204
ike 0: in F6E4D441864BFFCF6A89CE1EA89B52350B1005006F1A6432000000CC000000B00000000001100004F6E4D441864BFFCF6A89CE1EA89B523500060004000000000002006CF6E4D441864BFFCF6A89CE1EA89B523505100201000000000000006CE880FE2C99678B55E1E2BF3EA57D635D6FB6CF07B3338404EDEE826426D1071F9EB350880F64E27CF2EB430D02F85503454CE15A10BC4DD8EDC7D16D40C2B454161906C6B717A88C77E1D618105A19B10004001800000054686520636F6F6B696520697320696E76616C6964
ike 0:HQ_Net_Phase1:13: ignoring unencrypted INVALID-COOKIE message from 81.22.17.227:4500.
ike 0:HQ_Net_Phase1:Phase2: IPsec SA connect 5 10.0.0.1->81.22.17.227:0
ike 0:HQ_Net_Phase1:Phase2: using existing connection
ike 0:HQ_Net_Phase1:Phase2: config found
ike 0:HQ_Net_Phase1: request is on the queue
ike 0:HQ_Net_Phase1:Phase2: IPsec SA connect 5 10.0.0.1->81.22.17.227:0
ike 0:HQ_Net_Phase1:Phase2: using existing connection
ike 0:HQ_Net_Phase1:Phase2: config found
ike 0:HQ_Net_Phase1: request is on the queue
ike 0:HQ_Net_Phase1:13: out F6E4D441864BFFCF6A89CE1EA89B523505100201000000000000006CE880FE2C99678B55E1E2BF3EA57D635D6FB6CF07B3338404EDEE826426D1071F9EB350880F64E27CF2EB430D02F85503454CE15A10BC4DD8EDC7D16D40C2B454161906C6B717A88C77E1D618105A19B1
ike 0:HQ_Net_Phase1:13: sent IKE msg (P1_RETRANSMIT): 10.0.0.1:4500->81.22.17.227:4500, len=108, id=f6e4d441864bffcf/6a89ce1ea89b5235
ike 0: comes 81.22.17.227:4500->10.0.0.1:4500,ifindex=5....
ike 0: IKEv1 exchange=Informational id=f6e4d441864bffcf/6a89ce1ea89b5235:774e93da len=204
ike 0: in F6E4D441864BFFCF6A89CE1EA89B52350B100500774E93DA000000CC000000B00000000001100004F6E4D441864BFFCF6A89CE1EA89B523500060004000000000002006CF6E4D441864BFFCF6A89CE1EA89B523505100201000000000000006CE880FE2C99678B55E1E2BF3EA57D635D6FB6CF07B3338404EDEE826426D1071F9EB350880F64E27CF2EB430D02F85503454CE15A10BC4DD8EDC7D16D40C2B454161906C6B717A88C77E1D618105A19B10004001800000054686520636F6F6B696520697320696E76616C6964
ike 0:HQ_Net_Phase1:13: ignoring unencrypted INVALID-COOKIE message from 81.22.17.227:4500.
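The first "ike 0: in ..." Informational message from the log above, decoded field by field. This is an added example, not code from the original post or from any Fortinet or SonicWall tool; it assumes the RFC 2408 ISAKMP header and Notification payload layouts, and the type/length/value walk of the notification data is an assumption read off this hex, not a documented format.

```python
import struct

EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational"}
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION"}
PAYLOAD_NOTIFICATION, FLAG_ENCRYPTION = 11, 0x01  # RFC 2408 payload type 11, header flag bit 0

# Bytes copied from the first Informational "ike 0: in ..." line in the post (204 bytes).
LOGGED_MSG = bytes.fromhex(
    "F6E4D441864BFFCF6A89CE1EA89B52350B1005006F1A6432000000CC"
    "000000B00000000001100004F6E4D441864BFFCF6A89CE1EA89B5235"
    "00060004000000000002006CF6E4D441864BFFCF6A89CE1EA89B523505100201000000000000006C"
    "E880FE2C99678B55E1E2BF3EA57D635D6FB6CF07B3338404EDEE826426D1071F9EB350880F64E27C"
    "F2EB430D02F85503454CE15A10BC4DD8EDC7D16D40C2B454161906C6B717A88C77E1D618105A19B1"
    "0004001800000054686520636F6F6B696520697320696E76616C6964")

def parse_header(msg):
    """Fixed 28-byte ISAKMP header: cookies, next payload, version, exchange, flags, msg id, length."""
    ic, rc, nxt, ver, exch, flags, mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError(f"length field {length} != {len(msg)} bytes on the wire")
    return {"icookie": ic.hex(), "rcookie": rc.hex(), "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, exch),
            "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": mid}

def parse_notification(payload):
    """Generic payload header, then DOI, protocol id, SPI size, notify type, SPI, data."""
    _nxt, _rsvd, plen = struct.unpack("!BBH", payload[:4])
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", payload[4:12])
    spi_end = 12 + spi_size
    return {"doi": doi, "protocol": proto, "spi": payload[12:spi_end].hex(),
            "notify": NOTIFY_TYPES.get(ntype, ntype), "data": payload[spi_end:plen]}

def walk_tlvs(data):
    """The notify data here reads as 16-bit type / 16-bit length / value triples (assumption)."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        t, l = struct.unpack("!HH", data[pos:pos + 4])
        out.append((t, data[pos + 4:pos + 4 + l]))
        pos += 4 + l
    return out

def decode(msg):
    hdr = parse_header(msg)
    if hdr["next_payload"] != PAYLOAD_NOTIFICATION: raise ValueError("first payload is not a Notification")
    note = parse_notification(msg[28:])
    tlvs = dict(walk_tlvs(note["data"]))
    echoed = parse_header(tlvs[2]) if 2 in tlvs else None  # TLV 2: the peer's copy of our own message
    reason = tlvs[4].strip(b"\x00").decode("ascii", "replace") if 4 in tlvs else None  # NUL-padded text
    return hdr, note, echoed, reason
```

The peer hands back the FortiGate's own encrypted third main-mode message (exchange Identity Protection, flags encrypted) and says its cookie is unknown, while the outer Informational exchange carries no encryption flag at all; that matches the "ignoring unencrypted INVALID-COOKIE" line, since an unauthenticated notify is not a safe reason to tear down an SA.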
5 REPLIES
woytass
New Contributor

Hi, did you add a policy on the firewall? Type: VPN, From: internal to WAN, Source: LAN, Destination: VPN_Network, Action: IPSec
emnoc
Esteemed Contributor III

I highly doubt a firewall policy is causing the invalid cookie messages. This is caused by a party that's using an SA that's no longer valid. What I would do is to compare IPsec SA keylife times in sec/bytes or whatever on the SonicWall to that of the FortiGate. Make adjustments if they don't match. I would also monitor the SPI via diag vpn tunnel list name <name of the vpn> and/or use tcpdump/tshark to trace the SPIs. Remember there's an SPI for each direction and the SAs are uni-directional, e.g.

FGT-------> SONICWALL
FGT<------ SONICWALL

Added: it would not hurt to check the IKE SA keylife also.

diag vpn ike errors
diag vpn ike gateway (grep on lifetime/rekey)

PCNSE NSE StrongSwan
vinisantos_FTNT

I know this is an older post but I ended up here when trying to troubleshoot my issue.

I was having the same issue while trying to communicate to a SonicWall and what resolved it was having multiple phase 2 selectors for the tunnel, each with its own subnet pair, instead of one with multiple subnets in a single phase 2 selector.

The reason being because the FortiGate will use the same SPI for all subnets in the selector, while some vendors will expect a different SPI for each subnet.

emnoc
Esteemed Contributor III

Correct, proxy-id, aka traffic selectors or SPI, will be unique during the setup for each local/remote-subnet pair. This is why firewalls that use 0.0.0.0/0:0 as a single proxy-id make life much easier in a route-based VPN (aka FortiOS and Junos SRX).

vinisantos_FTNT

Correct. Way easier. And I just found out that another way to resolve this is by letting the FortiGate create the phase 2 selectors dynamically, which accomplishes the same thing as creating them manually.

You can use the command "set mesh-selector-type subnet" under the phase1 config (config vpn ipsec phase1 / config vpn ipsec phase1-interface), and a separate SA will be created for each local-remote subnet pair.
