IPsec tunnel gone down and never up again

calamariss, 2021/09/27 02:15:56


Hi, everyone. I have two FortiGate firewalls (200E, 40F). I created an IPsec tunnel between the two of them. After some days the tunnel goes down and never comes back again. I must delete the tunnel on both devices and create a new tunnel again. I checked that my Internet connection is OK. When I debug the IPsec output it shows "request is on the queue" and "negotiation timeout".
I followed the FortiGate cookbook for creating an IPsec tunnel. I created phase1, phase2, two policies, and a static route.
FortiGate 200E has v6.4.7 build1911 (GA)
FortiGate 40F has v6.4.5 build1828 (GA)
=================== Debug output ===================
This is the output of diagnose debug application ike -1:
tcci # diagnose debug enable
tcci # ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:13: negotiation timeout, deleting
ike 0:airport: connection expiring due to phase1 down
ike 0:airport: deleting
ike 0:airport: deleted
ike 0:airport: schedule auto-negotiate
ike shrank heap by 159744 bytes
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: created connection: 0x141412f0 17 xxx.xxx.43.114->xxx.xxx.185.68:500.
ike 0:airport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:500 negotiating
ike 0:airport: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:airport:14: out DB2D383C185D9F600000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E0080030000080200
0005030000080300000C0000000804000005280000C8000500005BBC21C131AAE8448354229E35242CD0D2F03F560F61C48D958C5B02342980FD32582CBA246F1BFD3687B6
A37E701F13FC21789721CAE4FDB4E63AFD0C8C20B555DD649D5ABB48ECF522F6C40B35DB0FF8B6C0147BBC8E6934FC1FC07192EB0255E3F6BE6BD4E4110F0488FE261CC047
E2B90BB2D67477A14366B3B28928E35F5433BCABCF5D74CC79C15EA965E85CAB27E31B9506447B308AA091A64A4D03B15C4A4E3A09C913FE84D2E01B863707FFEBD419C8E3
20EDCB270E55AD6FADF5D4290000240767E9EF4BA2466AF23574BD1FF736E9D4AB92209281CB1E27A24E6A33F58322000000080000402E
ike 0:airport:14: sent IKE msg (SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:14: out DB2D383C185D9F600000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E0080030000080200
0005030000080300000C0000000804000005280000C8000500005BBC21C131AAE8448354229E35242CD0D2F03F560F61C48D958C5B02342980FD32582CBA246F1BFD3687B6
A37E701F13FC21789721CAE4FDB4E63AFD0C8C20B555DD649D5ABB48ECF522F6C40B35DB0FF8B6C0147BBC8E6934FC1FC07192EB0255E3F6BE6BD4E4110F0488FE261CC047
E2B90BB2D67477A14366B3B28928E35F5433BCABCF5D74CC79C15EA965E85CAB27E31B9506447B308AA091A64A4D03B15C4A4E3A09C913FE84D2E01B863707FFEBD419C8E3
20EDCB270E55AD6FADF5D4290000240767E9EF4BA2466AF23574BD1FF736E9D4AB92209281CB1E27A24E6A33F58322000000080000402E
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:14: out DB2D383C185D9F600000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E0080030000080200
0005030000080300000C0000000804000005280000C8000500005BBC21C131AAE8448354229E35242CD0D2F03F560F61C48D958C5B02342980FD32582CBA246F1BFD3687B6
A37E701F13FC21789721CAE4FDB4E63AFD0C8C20B555DD649D5ABB48ECF522F6C40B35DB0FF8B6C0147BBC8E6934FC1FC07192EB0255E3F6BE6BD4E4110F0488FE261CC047
E2B90BB2D67477A14366B3B28928E35F5433BCABCF5D74CC79C15EA965E85CAB27E31B9506447B308AA091A64A4D03B15C4A4E3A09C913FE84D2E01B863707FFEBD419C8E3
20EDCB270E55AD6FADF5D4290000240767E9EF4BA2466AF23574BD1FF736E9D4AB92209281CB1E27A24E6A33F58322000000080000402E
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:14: out DB2D383C185D9F600000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E0080030000080200
0005030000080300000C0000000804000005280000C8000500005BBC21C131AAE8448354229E35242CD0D2F03F560F61C48D958C5B02342980FD32582CBA246F1BFD3687B6
A37E701F13FC21789721CAE4FDB4E63AFD0C8C20B555DD649D5ABB48ECF522F6C40B35DB0FF8B6C0147BBC8E6934FC1FC07192EB0255E3F6BE6BD4E4110F0488FE261CC047
E2B90BB2D67477A14366B3B28928E35F5433BCABCF5D74CC79C15EA965E85CAB27E31B9506447B308AA091A64A4D03B15C4A4E3A09C913FE84D2E01B863707FFEBD419C8E3
20EDCB270E55AD6FADF5D4290000240767E9EF4BA2466AF23574BD1FF736E9D4AB92209281CB1E27A24E6A33F58322000000080000402E
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
ike 0:airport:14: negotiation timeout, deleting
ike 0:airport: connection expiring due to phase1 down
ike 0:airport: deleting
ike 0:airport: deleted
ike 0:airport: schedule auto-negotiate
ike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: created connection: 0x141412f0 17 xxx.xxx.43.114->xxx.xxx.185.68:500.
ike 0:airport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:500 negotiating
ike 0:airport: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:airport:15: out C055F5FE2DBDE3970000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E0080030000080200
0005030000080300000C0000000804000005280000C80005000032476C8A821988F89B3A9DC1B03DB7A85AA02C1AA1811177B275B788219C3CB475330DB57CDEA601969222
E5FDDDA83989644EC5007BD5E5214A69DFBF423239343CA6019D17528EF5EC6A114E87A40B30236D0BDDB6F1379D72A5C9A75D58C990E8F71926FD49EAC71AD2DEE11D0956
F22F7CD8B7855D5B67C043FDF71347EC951652F10379C4163B14474D79EAE2E2421E1E1E76EF977BE5B392648831A84E446761BFD1451754D17494FFFA78980043C4F18B5B
0DC001F4C9E592B8FA5A1B29000024E3C3F8E36F1F53895DB965DF4A9BB51B30A8081ABFE5631FB2F6AB198F6C9E85000000080000402E
ike 0:airport:15: sent IKE msg (SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=c055f5fe2dbde397/0000000000000000
tcci # ike 0:airport:15: out C055F5FE2DBDE3970000000000000000212022080000000000000140220000300000002C010100040300000C0100000C800E00800300
000802000005030000080300000C0000000804000005280000C80005000032476C8A821988F89B3A9DC1B03DB7A85AA02C1AA1811177B275B788219C3CB475330DB57CDEA6
01969222E5FDDDA83989644EC5007BD5E5214A69DFBF423239343CA6019D17528EF5EC6A114E87A40B30236D0BDDB6F1379D72A5C9A75D58C990E8F71926FD49EAC71AD2DE
E11D0956F22F7CD8B7855D5B67C043FDF71347EC951652F10379C4163B14474D79EAE2E2421E1E1E76EF977BE5B392648831A84E446761BFD1451754D17494FFFA78980043
C4F18B5B0DC001F4C9E592B8FA5A1B29000024E3C3F8E36F1F53895DB965DF4A9BB51B30A8081ABFE5631FB2F6AB198F6C9E85000000080000402E
ike 0:airport:15: sent IKE msg (RETRANSMIT_SA_INIT): xxx.xxx.43.114:500->xxx.xxx.185.68:500, len=320, id=c055f5fe2dbde397/0000000000000000
tcci # diagnose deike 0:airport:lan-acc-aiport: IPsec SA connect 17 xxx.xxx.43.114->xxx.xxx.185.68:0
ike 0:airport:lan-acc-aiport: using existing connection
ike 0:airport:lan-acc-aiport: config found
ike 0:airport: request is on the queue
 
=================== IPsec configuration, phase 1 ===================
tcci # show vpn ipsec phase1-interface airport
config vpn ipsec phase1-interface
edit "airport"
set interface "wan1"
set ike-version 2
set local-gw xxx.xxx.43.114
set peertype any
set net-device disable
set proposal aes128-sha256
set dhgrp 5
set nattraversal disable
set remote-gw xxx.xxx.185.68
set psksecret ENC
next
end

config vpn ipsec phase1-interface
edit "tcci"
set interface "wan"
set ike-version 2
set local-gw xxx.xxx.185.68
set peertype any
set net-device disable
set proposal aes128-sha256
set dhgrp 5
set nattraversal disable
set remote-gw xxx.xxx.43.114
set psksecret ENC
next
end
=================== Sniffer packets ===================
tcci # diagnose sniffer packet any "host xxx.xxx.185.68"
interfaces=[any]
filters=[host xxx.xxx.185.68]
2.403202 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
2.429283 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
8.406283 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
8.431885 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
20.406906 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
20.440803 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
30.404825 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
30.460290 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
33.407891 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
33.429407 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
39.403850 xxx.xxx.43.114.500 -> xxx.xxx.185.68.500: udp 320
39.425268 xxx.xxx.185.68.500 -> xxx.xxx.43.114.500: udp 304
12 packets received by filter
0 packets dropped by kernel
 
 
    Toshi Esumi, 2021/09/27 09:14:12
    Re: IPsec tunnel gone down and never up again
    Try removing "local-gw" config. The IP you put in is not local.
     
    Wait, it's local. But the purpose for this command is different. You shouldn't need it there. Then run the same debug on the other end. The ike debug you showed is not showing any receiving IKE messages.
    post edited by Toshi Esumi - 2021/09/27 09:25:25
    calamariss, 2021/09/27 10:39:36
    Hi Toshi Esumi,
    I removed the local gateway and the result is the same as before.
    This output belongs to the other side (FortiGate 40F).
     
    tcci-Airport # config vdom
    tcci-Airport (vdom) # edit root
    current vf=root:0
    tcci-Airport (root) #
    tcci-Airport (root) #
    tcci-Airport (root) #
    tcci-Airport (root) #
    tcci-Airport (root) #
    tcci-Airport (root) # diagnose debug application ike -1
    Debug messages will be on for 30 minutes.
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: responder received SA_INIT msg
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: received notify type FRAGMENTATION_SUPPORTED
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: incoming proposal:
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: proposal id = 1:
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: protocol = IKEv2:
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: encapsulation = IKEv2/none
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=ENCR, val=3DES_CBC
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=INTEGR, val=AUTH_HMAC_SHA_96
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=PRF, val=PRF_HMAC_SHA
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=DH_GROUP, val=ECP384.
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: matched proposal id 1
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: proposal id = 1:
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: protocol = IKEv2:
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: encapsulation = IKEv2/none
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=ENCR, val=3DES_CBC
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=INTEGR, val=AUTH_HMAC_SHA_96
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=PRF, val=PRF_HMAC_SHA
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: type=DH_GROUP, val=ECP384.
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: lifetime=86400
    ike 0:f24a8652e7e9e4e1/0000000000000000:1100: SA proposal chosen, matched gateway tcci
    ike 0:tcci: created connection: 0x1457df10 5 xxx.xxx.185.68->xxx.xxx.4.114:500.
    ike 0:tcci:1100: processing notify type FRAGMENTATION_SUPPORTED
    ike 0:tcci:1100: responder preparing SA_INIT msg
    ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C0000002801010004030000080100000
    30300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC4858
    27ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C17211
    5DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
    ike 0:tcci:1100: sent IKE msg (SA_INIT_RESPONSE): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/
    49082e6cceeb65f0
    ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_ei 24:65BCD9274CAF8B780FDBE8C32F42C4E6898F112EE7939532
    ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_er 24:32695CA2AFEE8EC98BEBF834B6973F85A2CBC3EF2455437C
    ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_ai 20:B0F00910680E144D1D0BD977813D4C075F605BCC
    ike 0:tcci:1100: IKE SA f24a8652e7e9e4e1/49082e6cceeb65f0 SK_ar 20:344EE467F3B0F5133EF10F089CB8E603A9DCE7E0
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
    ike 0:tcci:airport-acc-lan: using existing connection
    ike 0:tcci:airport-acc-lan: config found
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
    ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
    ike 0: IKEv2 exchange=SA_INIT id=f24a8652e7e9e4e1/0000000000000000 len=220
    ike 0: in F24A8652E7E9E4E100000000000000002120220800000000000000DC2200002C0000002801010004030000080100000303000008020
    0000203000008030000020000000804000014280000680014000046EE5FDF6CDCD3BD747CB940257493686AD0AC9A0BE61939D97B996A68ADE03A
    F32120896BEBCBFEEE2669AC2193351605103F3B95CAB537EB578140818AA3E99555200B9710F8220E3CC03F826A19EE7CDAC05817E305941BC3A
    C79E4B46353290000244AD0A8DD406E6F22740223B6452E91F357A27DE88C27D9DC0CA25F6242461E74000000080000402E
    ike 0:tcci:1100: detected retransmit, resend last message
    ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C0000002801010004030000080100000
    30300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC4858
    27ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C17211
    5DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
    ike 0:tcci:1100: sent IKE msg (retransmit): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/49082e
    6cceeb65f0
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
    ike 0:tcci:airport-acc-lan: using existing connection
    ike 0:tcci:airport-acc-lan: config found
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
    ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
    ike 0: IKEv2 exchange=SA_INIT id=f24a8652e7e9e4e1/0000000000000000 len=220
    ike 0: in F24A8652E7E9E4E100000000000000002120220800000000000000DC2200002C0000002801010004030000080100000303000008020
    0000203000008030000020000000804000014280000680014000046EE5FDF6CDCD3BD747CB940257493686AD0AC9A0BE61939D97B996A68ADE03A
    F32120896BEBCBFEEE2669AC2193351605103F3B95CAB537EB578140818AA3E99555200B9710F8220E3CC03F826A19EE7CDAC05817E305941BC3A
    C79E4B46353290000244AD0A8DD406E6F22740223B6452E91F357A27DE88C27D9DC0CA25F6242461E74000000080000402E
    ike 0:tcci:1100: detected retransmit, resend last message
    ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C0000002801010004030000080100000
    30300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC4858
    27ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C17211
    5DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
    ike 0:tcci:1100: sent IKE msg (retransmit): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/49082e
    6cceeb65f0
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
    ike 0:tcci:airport-acc-lan: using existing connection
    ike 0:tcci:airport-acc-lan: config found
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
    ike 1: comes 81.7.3.167:500->192.168.230.1:500,ifindex=17....
    ike 1: IKEv1 exchange=Informational id=3d6287aad87551e3/acf75414b3332a0e:0710e2a9 len=92
    ike 1: in 3D6287AAD87551E3ACF75414B3332A0E081005010710E2A90000005C7E1F604937D71228B4F48B2607D84187D5EAE1930582C0BD891
    D5662DD7CF9768AA6574542C36A7D38E6E53CC28A1459BD28FF2E31637BB13106F214D3351B29
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
    ike 0:tcci:airport-acc-lan: using existing connection
    ike 0:tcci:airport-acc-lan: config found
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
    ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
    ike 0: IKEv2 exchange=SA_INIT id=f24a8652e7e9e4e1/0000000000000000 len=220
    ike 0: in F24A8652E7E9E4E100000000000000002120220800000000000000DC2200002C0000002801010004030000080100000303000008020
    0000203000008030000020000000804000014280000680014000046EE5FDF6CDCD3BD747CB940257493686AD0AC9A0BE61939D97B996A68ADE03A
    F32120896BEBCBFEEE2669AC2193351605103F3B95CAB537EB578140818AA3E99555200B9710F8220E3CC03F826A19EE7CDAC05817E305941BC3A
    C79E4B46353290000244AD0A8DD406E6F22740223B6452E91F357A27DE88C27D9DC0CA25F6242461E74000000080000402E
    ike 0:tcci:1100: detected retransmit, resend last message
    ike 0:tcci:1100: out F24A8652E7E9E4E149082E6CCEEB65F02120222000000000000000CC2200002C0000002801010004030000080100000
    30300000802000002030000080300000200000008040000142800006800140000379FA0EABC794B35D48192B9CAB02C2E44F3DED086192ACC4858
    27ABDBEC98B0CD119B355800E7A99FFE6CA9C52D58AFBA48FBA83FD8D9FD019F6AB5A940CC1DDFA9B0ED8D197BC55FAE7FC86FFAE8FE563C17211
    5DB281E31890C5F62EEB841290000143C62031AE11ED39E41B8AFB2B94442E8000000080000402E
    ike 0:tcci:1100: sent IKE msg (retransmit): xxx.xxx.185.68:500->xxx.xxx.4.114:500, len=204, id=f24a8652e7e9e4e1/49082e
    6cceeb65f0
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
    ike 0:tcci:airport-acc-lan: using existing connection
    ike 0:tcci:airport-acc-lan: config found
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:0
    ike 0:tcci:airport-acc-lan: using existing connection
    ike 0:tcci:airport-acc-lan: config found
    ike 0:tcci:airport-acc-lan: IPsec SA connect 5 xxx.xxx.185.68->xxx.xxx.4.114:500 negotiating
    ike 0:tcci:1100: negotiation timeout, deleting
    ike 0:tcci: connection expiring due to phase1 down
    ike 0:tcci: deleting
    ike 0:tcci: deleted
    ike 0:tcci: schedule auto-negotiate
    ike 0: comes xxx.xxx.4.114:500->xxx.xxx.185.68:500,ifindex=5....
    ike 0: IKEv2 exchange=SA_INIT id=e690cff4228b72b7/0000000000000000 len=220
     
     
    Toshi Esumi, 2021/09/27 12:32:04
    I would blame either or both sides' ISPs, because the response to SA_INIT doesn't seem to be reaching the other end, and it's retransmitting. I'm not sure why it comes up when you deconfigure/reconfigure the IPsec.
    I would run the same debugging on both ends when you reconfigure it and it comes up. Then after that, I wouldn't have any more ways to debug, so I would open a ticket at TAC to get another set of eyes on it.
    Toshi Esumi, 2021/09/27 12:40:10
    Wait a minute. You configured aes128-sha256, then the 40F received 3des-sha384. Do you have a different set of IPsec configured on the 200E? Or another device under the same IP trying to establish a tunnel to the 40F? Something is fishy in your environment.
    calamariss, 2021/09/27 13:36:07
    Just for the test, I changed the encryption algorithm. Both sides are using the same encryption and authentication.
    I know my ISP doesn't have a problem, because I have another FortiGate 40F (same firmware) and created multiple IPsec connections with other branches, and everything works fine. On the FortiGate 200E I have two other IPsec connections: one of them connects over a WiFi link to another site and the IPsec connection is established (FortiGate-to-FortiGate), and the other connects via my ISP to other branches (FortiGate to MikroTik).
    calamariss, 2021/10/06 09:45:06
    Hi Toshi Esumi,
    I solved my problem. Actually, SSL VPN was configured to listen on port TCP 500, and I changed this port number, and the problem was solved.
    Thanks for responding.
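    A way to turn the two captures in this thread into an automated check, as an added example that is not from the forum or from Fortinet: it cross-references the sniffer output against the ike debug and reports whether the peer's replies reach the wire but never the IKE daemon, which is the pattern in the original post and the one the last reply traces to SSL VPN bound to port 500. The IP addresses, log lines and function names are constructed samples modelled on the thread's output.

```python
"""Cross-check FortiGate 'diagnose sniffer packet' output against
'diagnose debug application ike -1' output to locate where an IKEv2
SA_INIT exchange is breaking. Constructed example, not the forum's code."""
import re
from collections import Counter

# Constructed sample lines modelled on the thread's sniffer output: the
# initiator's SA_INIT (udp 320) leaves and the peer's reply (udp 304) returns.
SNIFFER = """\
2.403202 203.0.113.114.500 -> 198.51.100.68.500: udp 320
2.429283 198.51.100.68.500 -> 203.0.113.114.500: udp 304
8.406283 203.0.113.114.500 -> 198.51.100.68.500: udp 320
8.431885 198.51.100.68.500 -> 203.0.113.114.500: udp 304
"""

# Constructed sample lines modelled on the thread's ike debug: only sends and
# retransmits, no 'comes' (received) line, then a negotiation timeout.
IKE_DEBUG = """\
ike 0:airport:14: sent IKE msg (SA_INIT): 203.0.113.114:500->198.51.100.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:14: sent IKE msg (RETRANSMIT_SA_INIT): 203.0.113.114:500->198.51.100.68:500, len=320, id=db2d383c185d9f60/0000000000000000
ike 0:airport:14: negotiation timeout, deleting
"""

SNIFF_RE = re.compile(r"^\S+\s+(\S+)\.(\d+) -> (\S+)\.(\d+): udp (\d+)$")
SENT_RE = re.compile(r"sent IKE msg \((\w+)\)")
RECV_RE = re.compile(r"^ike \d+: comes (\S+):(\d+)->(\S+):(\d+)")


def parse_sniffer(text, local_ip):
    """Count IKE datagrams seen on the wire, by direction relative to local_ip."""
    counts = Counter()
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, _length = m.groups()
        if "500" not in (sport, dport):  # plain IKE on UDP/500 (NAT-T is disabled in the thread)
            continue
        counts["wire_out" if src == local_ip else "wire_in"] += 1
    return counts


def parse_ike_debug(text):
    """Count what the IKE daemon itself reports sending, receiving and timing out."""
    counts = Counter()
    for line in text.splitlines():
        if RECV_RE.match(line):
            counts["daemon_in"] += 1
        elif SENT_RE.search(line):
            counts["daemon_out"] += 1
        elif "negotiation timeout" in line:
            counts["timeouts"] += 1
    return counts


def diagnose(sniffer_text, ike_text, local_ip):
    """Return a verdict on where the exchange breaks, checked from the wire inward."""
    wire = parse_sniffer(sniffer_text, local_ip)
    daemon = parse_ike_debug(ike_text)
    if daemon["daemon_out"] and not wire["wire_out"]:
        return "sent-but-not-on-wire"           # daemon sent, nothing left the interface
    if not wire["wire_in"]:
        return "no-reply-on-wire"               # peer or ISP path: nothing came back
    if not daemon["daemon_in"]:
        return "reply-on-wire-not-seen-by-ike"  # replies arrive but IKE never gets them: local port conflict
    return "exchange-reaches-ike-daemon"


if __name__ == "__main__":
    print(diagnose(SNIFFER, IKE_DEBUG, "203.0.113.114"))
```

Run it against real captures by pasting the two outputs into SNIFFER and IKE_DEBUG with the local WAN address as local_ip; the verdict distinguishes an ISP path problem from a local port conflict like the one resolved in this thread.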
     
    FrancisSmith, 2021/10/06 18:54:08
    I have a little bit of an idea about it. But I would like to learn more. Thank you!