Interface Validation failure on zone used for IPSec VPN -- cannot update policy

Author: malachykidd
Posted: 2017/10/09 14:19:40 (FortiManager forum)


I have a new FortiManager (5.4.4) and FortiGate (81E, 5.4.5) deployment. The 81E was configured before it was added to FortiManager, and it has an IPSec VPN tunnel to a Juniper SSG firewall at a remote site. The 81E added to FortiManager without error.
 
On the 81E, the tunnel interface ("vpn_to_aa") is mapped to a dedicated VPN zone ("vpn-s2s"), and is the only interface in that zone.
 
When I attempt to apply an updated policy from FortiManager, I receive an error that vpn-s2s is unmapped and that I need to select a device interface. Re-selecting the VPN tunnel interface causes the error to loop.
 
Specifically, when I apply the policy using the Install Wizard, I receive the error, "The following ADOM interfaces have no mapping. All ADOM interfaces should be mapped before continue with installation," and I am presented with a line listing the Device Name, the Unmapped Interface, and a drop-down list box to select the Device Interface. (See https://ibb.co/d7xOMG)
 
Alternatively, when I apply the policy using the "Re-install Policy" option, I receive a slightly different window / response. The first window states "Zone Validation Failed" and offers a button for "Details." Clicking the Details button presents a window titled Validation Details, with a line "Device Name / Unmapped Interface / Device Interface" identical to the Install Wizard method. (See https://ibb.co/dHb6ab and https://ibb.co/n3EngG) This process eventually fails with Status "install and save finished status=FAILED," and the Install History reports "get-post-checksum fail." (See https://ibb.co/eCh7gG) In fact, it removed the vpn-s2s policies from the firewall and may have changed some phase-two settings for the IPSec tunnel.
 
We're migrating from Juniper SSG firewalls, and our standard configuration with SSG is to bind the VPN tunnel interfaces to a single zone, which allows us to maintain multiple VPN tunnels with a single set of policies referencing the zone. I would like to use a similar configuration with FortiGate.
 
I would really like to manage everything through VPN Manager, but I'm having difficulty making that work -- I'll address it in a separate post. In the meantime, we have many Juniper SSG firewalls deployed that we need to work with as we replace them.
 
Any tips or suggestions about how to get FortiManager to play nice with custom IPSec tunnels -- assuming that's possible?
 
Thanks,
 
Justin
 
#1 chall_FTNT (2017/10/10 08:25:17)
What does "Policy & Objects > Objects Configurations > Interfaces" menu show as the mapping for "vpn-s2s" for this FortiGate?
#2 malachykidd (2017/10/10 10:37:40)
chall,
 
Per-Device Mappings shows "cdm-firewall-01 ( root ): vpn_to_aa,vpn_to_seas" and "dcc-firewall-01 ( root ): vpn_to_aa"
 
Justin
#3 malachykidd (2017/10/10 11:13:49)
chall,
 
After reading a link (https://forum.fortinet.com/FindPost/150794) in a reply to another post, by heskez, I upgraded FortiManager to 5.6 and was able to successfully apply the policy to the device; it looks like my problem was part of the inability of 5.4 to work with non-VPN Central Management tunnels.
 
Thank you for your reply.
 
Justin
#4 chall_FTNT (2017/10/10 12:53:17)
I see. So this is for an ADOM in which you had enabled "Central VPN"? In which case, that is true. The restriction was lifted in FMG 5.6 to allow manual configuration of VPNs in a Central VPN ADOM.
#5 scao_FTNT (2017/10/10 13:02:48)
Not sure if you have enabled the workspace function on your FMG?
Thanks
Simon