ASA to FortiGate VTI Drops at P1 rekey

matt.sherif
Level 1

Cisco experts,

I have been dealing with this for over 2 months at this point, and I cannot find an answer that seems to check out. I am at a loss, support seems a little slow to respond, and I really need to resolve this. So I'll start with my configs.

crypto ikev2 policy 5
 encryption aes-192
 integrity sha
 group 5
 prf sha512 sha384 sha256 sha md5
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes256
 integrity sha256
 group 5
 prf sha512 sha384 sha256 sha md5
 lifetime seconds 172800
!
crypto ipsec ikev2 ipsec-proposal FORTIGATE_IKEV2
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec profile FORTIGATE_PROFILE
 set ikev2 ipsec-proposal FORTIGATE_IKEV2
 set pfs group5
 set security-association lifetime kilobytes unlimited
 set security-association lifetime seconds 43200
 responder-only
!
group-policy GROUP_POLICY internal
group-policy GROUP_POLICY attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec 
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GROUP_POLICY
!
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key ****
 ikev2 local-authentication pre-shared-key ****
!
!
interface Tunnel98
 nameif MBS_MFC
 ip address y.y.y.y 255.255.255.252
 tunnel source interface Outside
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FORTIGATE_PROFILE

FortiGate Config:


config vpn ipsec phase1-interface 
   edit "ASA_P1"
        set interface "wan2"
        set ike-version 2
        set keylife 172800
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set npu-offload disable
        set dhgrp 5
        set remote-gw x.x.x.x
        set psksecret ***
    next
end
config vpn ipsec phase2-interface
    edit "ASA_P2"
        set phase1name "ASA_P1"
        set proposal aes128-sha1
        set dhgrp 5
        set keepalive enable
    next
end
# Tunnel Interface
config system interface
    edit "ASA-P1"
        set vdom "root"
        set ip y.y.y.y 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip asa.tunnle.ip.address 255.255.255.252
        set snmp-index 13
        set interface "wan2"
    next
end

What we're seeing is the tunnel dropping at rekeys. It's the strangest thing I have seen.


FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000016 len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E20250000000016000000500000003404355E4C31AA886C0CAD542636D45B84BAEBFB4CFCD3F3599D63A6DE06DBD418383EE507F5C05CE32837E745E68A57FE
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000160000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001600000050000000348EB00CC3E580B4BC42D10FBBB5999D4D2F7A434A9CDB52084E51557084F16C69A85CE95A3D96A9BCE7CD5A029A9FFFB9
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000016
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000017 len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000170000005000000034BAEBFB4CFCD3F3599D63A6DE06DBD418E771425B760E6F1981E05931B07A9BEB7133DBAB950B135C8E1A575423E98C6A
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000170000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E20252800000017000000500000003492D6E203CEAB31A95AEE559076A27897DC0654F8817A5C58FC7DAB269F4D85C46E7E9BDD1F53C2670269A71BFBDB7D37
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000017
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000018 len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000180000005000000034E771425B760E6F1981E05931B07A9BEB9C92DA49CD8AFA182531B6BD509EE618C8B1184EB178D59A2A22FD31D07E5287
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000180000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E20252800000018000000500000003495F01C020136C9949FA77A318D6377A831AA63B90BE2617FF7D8F629EFEC42B1387C2BD380824200AB2233D4568AC702
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000018
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000019 len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001900000050000000349C92DA49CD8AFA182531B6BD509EE61865E8E4AE49E584D1C4C5E05BC6A16B7A94E453D55170CA4D989D3C9B7BF362AA
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E202500000000190000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E202528000000190000005000000034C8F312666A97F415530CE9577AD6802E59AC2A3D8698174074CEDA063817DFA8F1F63A255FA694FD1D66FAB01D296EB5
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:00000019
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001a len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001A000000500000003465E8E4AE49E584D1C4C5E05BC6A16B7A3501C7FBABF3D414023F057ACED30CEEEA59861D924021F04D06E5E9EB00CA8F
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001A0000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001A00000050000000345C08B08E4727C02A9B3D907518F69CBA420AD711B12EAD1F69F38830965DF3587A490F93399AB5EDE3E252B207728C9E
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001a
FORTIGATE001 #  get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43176s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 276-276s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42623
  DPD sent/recv: 00000000/00000000

FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001b len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001B00000050000000343501C7FBABF3D414023F057ACED30CEE7E0D0D116E0CC252823048833136F2D4F4D25CDAD2BABA98F82A67885385C703
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001B0000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001B0000005000000034995146642FF274688E7E191835C2FC54FE08040C809DFB8223D31A8954688BA20C6474A2CC817E11D819E99867B4276A
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001b
 get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43185s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 285-284s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42615
  DPD sent/recv: 00000000/00000000

FORTIGATE001 #  get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43188s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 288-288s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42611
  DPD sent/recv: 00000000/00000000

FORTIGATE001 #  get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43190s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 290-290s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42609
  DPD sent/recv: 00000000/00000000

FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001c len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001C00000050000000347E0D0D116E0CC252823048833136F2D49A4B0F4B80C88C85F4B3E091C27E01B2481028A483BA4F7636EE68C54C73F89D
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001C0000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001C000000500000003441EC9F6F62368C823D98D5508BA6C4AA91997C7EE3E2B9E92EF966A54709C51E7C0DE622BD64062FA71FE9C089B9902F
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001c
 get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43194s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 294-294s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42605
  DPD sent/recv: 00000000/00000000

FORTIGATE001 #  get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43197s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 297-297s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42602
  DPD sent/recv: 00000000/00000000

FORTIGATE001 #  get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43199s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 299-299s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42600
  DPD sent/recv: 00000000/00000000

FORTIGATE001 #  get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43200s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 300-300s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42599
  DPD sent/recv: 00000000/00000000

FORTIGATE001 #  get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43201s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 301-301s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42598
  DPD sent/recv: 00000000/00000000

FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001d len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001D00000050000000349A4B0F4B80C88C85F4B3E091C27E01B20AACA18774A61E76FD9E22C769C397DBBC40837314515039DFE2CE394282646F
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001D0000002000000004
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001D0000005000000034F31CD8E07356C9362818A86BD080581C6FBF821E933C6B1D7070A54FBF65B3FD55FD4F10A7CBE7D32E1CEEDBA963D1CE
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001d
 get vpn ike gateway

vd: root/0
name: ASA_P1
version: 2
interface: wan2 8
addr: fortigate.ip:500 -> ASA.ip:500
created: 43205s ago
IKE SA  created: 1/2  established: 1/2  time: 50/85/120 ms
IPsec SA  created: 1/3  established: 1/3  time: 50/73/120 ms

  id/spi: 41338 ab6b332fedbc63ff/da1bb3bb43c47fe9
  direction: initiator
  status: established 304-304s ago = 50ms
  proposal: aes-256-sha256
  SK_ei: 4579eb61bec4255d-b963bd43b68a46c8-b7a46d49c803c24f-50aae113d243da69
  SK_er: 1aa3954ff7a212d6-33bd400958cf10af-09b3aeba9cdba0b4-5a44354c4360bfdd
  SK_ai: 7efc2564601f202b-5810bec086fe92c2-fbc5ea2cd1c5813d-25a02faaef86e18c
  SK_ar: dc223be050721c12-3b03c37910131b8c-9918454502851878-4094b55c4d741cd8
  lifetime/rekey: 43200/42595
  DPD sent/recv: 00000000/00000000

FORTIGATE001 # ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=INFORMATIONAL id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001e len=80
ike 0: in AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001E000000502A0000340AACA18774A61E76FD9E22C769C397DBCFD54AE54585CD168C39679271CD06BEF1F0AC9921B0AD9F486EA59799ADA847
ike 0:ASA_P1:41338: dec AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025000000001E000000282A0000040000000801000000
ike 0:ASA_P1:41338: received informational request
ike 0:ASA_P1:41338: processing delete request (proto 1)
ike 0:ASA_P1:41338: deleting IKE SA ab6b332fedbc63ff/da1bb3bb43c47fe9
ike 0:ASA_P1:41338: schedule delete of IKE SA ab6b332fedbc63ff/da1bb3bb43c47fe9
ike 0:ASA_P1:41338: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41338: out AB6B332FEDBC63FFDA1BB3BB43C47FE92E2025280000001E0000005000000034C944DFB8A5FC5B261E93D65FD5E46496F5B938C879E17A87385F4CECCE001314495374B6BE1A1B9CE783D71E158A15B5
ike 0:ASA_P1:41338: sent IKE msg (INFORMATIONAL_RESPONSE): fortigate.ip:500->ASA.ip:500, len=80, id=ab6b332fedbc63ff/da1bb3bb43c47fe9:0000001e
ike 0:ASA_P1:41338: scheduled delete of IKE SA ab6b332fedbc63ff/da1bb3bb43c47fe9
ike 0:ASA_P1: deleting IPsec SA with SPI 720456aa
ike 0:ASA_P1:ASA_P2: deleted IPsec SA with SPI 720456aa, SA count: 0
ike 0:ASA_P1: sending SNMP tunnel DOWN trap for ASA_P2
ike 0:ASA_P1: connection expiring due to phase1 down
ike 0:ASA_P1: deleting
ike 0:ASA_P1: flushing 
ike 0:ASA_P1: flushed 
ike 0:ASA_P1: deleted
ike 0:ASA_P1: set oper down
ike 0:ASA_P1: schedule auto-negotiate
ike 0:ASA_P1:ASA_P2: IPsec SA connect 8 fortigate.ip->ASA.ip:0
ike 0:ASA_P1: traffic triggered, serial=15 17:172.30.100.9:18361->17:10.3.221.15:10002
ike 0:ASA_P1:ASA_P2: config found
ike 0:ASA_P1: created connection: 0x182a7830 8 fortigate.ip->ASA.ip:500.
ike 0:ASA_P1: IPsec SA connect 8 fortigate.ip->ASA.ip:500 negotiating
ike 0:ASA_P1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:ASA_P1:41339: out
ike 0:ASA_P1:41339: sent IKE msg (SA_INIT): fortigate.ip:500->ASA.ip:500, len=448, id=1baae8dcd4e47801/0000000000000000
ike 0:ASA_P1: carrier down
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=1baae8dcd4e47801/6222384a77d2f9a4 len=679
ike 0: in 1BAAE8DCD4E478016222384A77D2F9A42120222000000000000002A7220000300000002C010100040300000C0100000C800E01000300000802000005030000080300000C000000080400000E28000108000E0000485713DEBDB1EC89FAC9F61999CAC749D48E5EE690251BFE887F8324EAD304D7D64D27B897DA7A5F6CA982B1CFB1CC6694A247DEA0943386E24B98639754ACC06A610632DEE9FF39B2818C4BAC36A47345B675F1981A836479DE5CD2BB087DBA69A6A1A39152A601F2C11D99838BED12FBDDCD23763BF47AB8C8DF6B72C1950BFD5F4D5C3AF67BA6212953B33550B91BD2456FEC27DBECE4DD904519A1D4FEB9DD3C491376EE5A82F66A31890DB04C0ABAC43FAEDB0F55CA22DC417EE8221D5009A9104BC384E89ACAE0ABAA270DDD3FDA2EF680BBB34E71D598C5DA2CF3D03EE2ECD4AC8A0EA5749E4C8E6AC99335DD8CBC00C58C4719376594B6610E8918122B000044092A5B70E9EFD848A843B857F723DA3C98A9D3F968DDDB0B23ACD1EEC0895069252BEE46EC449900644FBED608726EE8E1F9D815D1C99C0042CD8B7634D94D112B000017434953434F2D44454C4554452D524541534F4E2900003B434953434F28434F505952494748542926436F7079726967687420286329203230303920436973636F2053797374656D732C20496E632E2900001C010040040A4835243A624F13080E384930B8425FA4E358682600001C010040058FA51839F0F37FE25BA305641808444B0E1238F62900006904C89513680197280A2C55C3FCD390F53A053BC9FBC43028C5D3E3080C10448B2C77BA24539760BBF9A1725F261B289843955D0737D585969D4BD2C345632636F6D1C3978DE28FB7710017C0B00CE3C2304F9C7D21799CAD0ED8B90C579F1A0299E790F3872B0000080000402E000000144048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:ASA_P1:41339: initiator received SA_INIT response
ike 0:ASA_P1:41339: processing notify type NAT_DETECTION_SOURCE_IP
ike 0:ASA_P1:41339: processing NAT-D payload
ike 0:ASA_P1:41339: NAT not detected 
ike 0:ASA_P1:41339: process NAT-D
ike 0:ASA_P1:41339: processing notify type NAT_DETECTION_DESTINATION_IP
ike 0:ASA_P1:41339: processing NAT-D payload
ike 0:ASA_P1:41339: NAT not detected 
ike 0:ASA_P1:41339: process NAT-D
ike 0:ASA_P1:41339: processing notify type FRAGMENTATION_SUPPORTED
ike 0:ASA_P1:41339: incoming proposal:
ike 0:ASA_P1:41339: proposal id = 1:
ike 0:ASA_P1:41339:   protocol = IKEv2:
ike 0:ASA_P1:41339:      encapsulation = IKEv2/none
ike 0:ASA_P1:41339:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:ASA_P1:41339:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:ASA_P1:41339:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:ASA_P1:41339:         type=DH_GROUP, val=MODP2048.
ike 0:ASA_P1:41339: matched proposal id 1
ike 0:ASA_P1:41339: proposal id = 1:
ike 0:ASA_P1:41339:   protocol = IKEv2:
ike 0:ASA_P1:41339:      encapsulation = IKEv2/none
ike 0:ASA_P1:41339:         type=ENCR, val=AES_CBC (key_len = 256)
ike 0:ASA_P1:41339:         type=INTEGR, val=AUTH_HMAC_SHA2_256_128
ike 0:ASA_P1:41339:         type=PRF, val=PRF_HMAC_SHA2_256
ike 0:ASA_P1:41339:         type=DH_GROUP, val=MODP2048.
ike 0:ASA_P1:41339: lifetime=43200
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_ei 32:65990A7A2B3AAE5F0CAF9CB1B300A3F0765BFBE95CDE804DCA43E20F138E44A6
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_er 32:D90A7C8134334D8DD9532CFB615F12BF75937B0F84EBAA79D18DEB241636D2B7
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_ai 32:45A9EDAA4963C7BCEEABE7261CE067406EFC9EECC25F5385113E7DE8B81A0A48
ike 0:ASA_P1:41339: IKE SA 1baae8dcd4e47801/6222384a77d2f9a4 SK_ar 32:85819CEDACA5AFB80130B3B654694ED81FC51CC49064B53042ED3E0F78A397C3
ike 0:ASA_P1:41339: initiator preparing AUTH msg
ike 0:ASA_P1:41339: sending INITIAL-CONTACT
ike 0:ASA_P1:41339: enc 2900000C01000000A29B0AA2270000080000400029000028020000006B8A574C4CEB8E74B09EF70F5AEA5B9E956251063455DC841CA8C04DEB78D98621000008000040242C00002C00000028010304033592D1F50300000C0100000C800E0080030000080300000200000008050000002D00002802000000070000100000FFFFAC1E6409AC1E6409070000100000FFFF00000000FFFFFFFF0000002802000000070000100000FFFF0A03DD0F0A03DD0F070000100000FFFF00000000FFFFFFFF0F0E0D0C0B0A0908070605040302010F
ike 0:ASA_P1:41339: out
ike 0:ASA_P1:41339: sent IKE msg (AUTH): fortigate.ip:500->ASA.ip:500, len=272, id=1baae8dcd4e47801/6222384a77d2f9a4:00000001
ike 0: comes ASA.ip:500->fortigate.ip:500,ifindex=8....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=1baae8dcd4e47801/6222384a77d2f9a4:00000001 len=256
ike 0: in
ike 0:ASA_P1:41339: dec 1BAAE8DCD4E478016222384A77D2F9A42E20232000000001000000D42B000004240000146022394A64E50AE306E7173CC61CB1DD2700000C01000000614CE7322100002802000000F9DC383063256168A6CCAD1F9E7E60F4A8C37DEB8F1564B670AB1EB6E69D623C2C00002C00000028010304038F11EA800300000C0100000C800E0080030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF2900001801000000070000100000FFFF00000000FFFFFFFF290000080100400A000000080100400B
ike 0:ASA_P1:41339: initiator received AUTH msg
ike 0:ASA_P1:41339: peer identifier IPV4_ADDR ASA.ip
ike 0:ASA_P1:41339: auth verify done
ike 0:ASA_P1:41339: initiator AUTH continuation
ike 0:ASA_P1:41339: authentication succeeded
ike 0:ASA_P1:41339: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:ASA_P1:41339: processing notify type NON_FIRST_FRAGMENTS_ALSO
ike 0:ASA_P1:41339: established IKE SA 1baae8dcd4e47801/6222384a77d2f9a4
ike 0:ASA_P1: set oper up
ike 0:ASA_P1:41339:2070: peer proposal:
ike 0:ASA_P1:41339:2070: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:2070: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: comparing selectors
ike 0:ASA_P1:41339:ASA_P2:2070: matched by rfc-rule-2
ike 0:ASA_P1:41339:ASA_P2:2070: phase2 matched by subset
ike 0:ASA_P1:41339:ASA_P2:2070: accepted proposal:
ike 0:ASA_P1:41339:ASA_P2:2070: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: autokey
ike 0:ASA_P1:41339:ASA_P2:2070: incoming child SA proposal:
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070:   protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070:      encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070:         type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070:         PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: matched proposal id 1
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070:   protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070:      encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070:         type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070:         PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: lifetime=21600
ike 0:ASA_P1:41339:ASA_P2:2070: replay protection enabled
ike 0:ASA_P1:41339:ASA_P2:2070: set sa life soft seconds=21298.
ike 0:ASA_P1:41339:ASA_P2:2070: set sa life hard seconds=21600.
ike 0:ASA_P1:41339:ASA_P2:2070: IPsec SA selectors #src=1 #dst=1
ike 0:ASA_P1:41339:ASA_P2:2070: src 0 7 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: dst 0 7 0:0.0.0.0-255.255.255.255:0
ike 0:ASA_P1:41339:ASA_P2:2070: add IPsec SA: SPIs=3592d1f5/8f11ea80
ike 0:ASA_P1:41339:ASA_P2:2070: IPsec SA dec spi 3592d1f5 key 16:C4C909F73615943F0DDCCB54960CCFBE auth 20:66B6BF1BC76CF81885FB13CD2004B1DC84F1D1EA
ike 0:ASA_P1:41339:ASA_P2:2070: IPsec SA enc spi 8f11ea80 key 16:A62421FCEFCDD1C6297F204DB965C1EF auth 20:460D776FC910B7664CB2F581223D57FBE6433091
ike 0:ASA_P1:41339:ASA_P2:2070: added IPsec SA: SPIs=3592d1f5/8f11ea80
ike 0:ASA_P1:41339:ASA_P2:2070: sending SNMP tunnel UP trap
ike 0:ASA_P1: carrier up

Cisco Debugs:


Skipping static map = __vti-crypto-map-9-0-98, seq = 65280: no ACL configured
IPSEC DEBUG: No NP inbound permit rule for SPI 0x8F11EA80
IPSEC: Completed host IBSA update, SPI 0x8F11EA80
IPSEC: Creating inbound VPN context, SPI 0x8F11EA80
    Flags: 0x00000086
    SA   : 0x00007f36a2d30f70
    SPI  : 0x8F11EA80
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x009061E4
    SCB  : 0x37B0EAF3
    Channel: 0x00007f368e3a95c0
IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8174)
IPSEC: Completed inbound VPN context, SPI 0x8F11EA80
    VPN handle: 0x00000000009086fc
IPSEC: Updating outbound VPN context 0x009061E4, SPI 0x3592D1F5
    Flags: 0x00000085
    SA   : 0x00007f36a1bbe4b0
    SPI  : 0x3592D1F5
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x009086FC
    SCB  : 0x37B103B1
    Channel: 0x00007f368e3a95c0
IPSEC: Increment SA NP ref counter for outbound SPI 0x3592D1F5, old value: 0, new value: 1, (ctm_ipsec_update_vpn_context:8370)
IPSEC: Completed outbound VPN context, SPI 0x3592D1F5
    VPN handle: 0x00000000009061e4
IPSEC: Completed outbound inner rule, SPI 0x3592D1F5
    Rule ID: 0x00007f36b13765d0
IPSEC: Completed outbound outer SPD rule, SPI 0x3592D1F5
    Rule ID: 0x00007f36b13766e0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x3592D1F5, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12558)
IPSEC: New inbound tunnel flow rule, SPI 0x8F11EA80
    Src addr: 0.0.0.0
    Src mask: 0.0.0.0
    Dst addr: 0.0.0.0
    Dst mask: 0.0.0.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6320)
IPSEC: Completed inbound tunnel flow rule, SPI 0x8F11EA80
    Rule ID: 0x00007f36a1073680
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5704)
IPSEC: New inbound decrypt rule, SPI 0x8F11EA80
    Src addr: x.x.x.x
    Src mask: 255.255.255.255
    Dst addr: x.x.x.x
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x8F11EA80
    Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6482)
IPSEC: Completed inbound decrypt rule, SPI 0x8F11EA80
    Rule ID: 0x00007f369095a830
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5704)
IPSEC: New inbound permit rule, SPI 0x8F11EA80
    Src addr: x.x.x.x
    Src mask: 255.255.255.255
    Dst addr: x.x.x.x
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x8F11EA80
    Use SPI: true
IPSEC: Increment SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6482)
IPSEC: Completed inbound permit rule, SPI 0x8F11EA80
    Rule ID: 0x00007f369095a940
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5704)
IPSEC: Decrement SA NP ref counter for inbound SPI 0x8F11EA80, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12558)
IPSEC: Increment SA HW ref counter for inbound SPI 0x8F11EA80, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:805)
IKEv2-PLAT-4: Received PFKEY add SA for SPI 0x3592D1F5, error FALSE
IPSEC: Added SA to last received DB, SPI: 0x8F11EA80, user: 162.155.10.162, peer: 162.155.10.162, SessionID: 0x0048C000
IPSEC DEBUG: Inbound SA (SPI 0x8F11EA80) state change from embryonic to active
IPSEC DEBUG: Outbound SA (SPI 0x3592D1F5) state change from embryonic to active
IKEv2-PLAT-4: Received PFKEY update SA for SPI 0x8F11EA80, error FALSE
IKEv2-PLAT-4: Success on pfkey update
IKEv2-PLAT-4: (950): PSH added CTM sa hdl 121543031
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC
IKEv2-PROTO-7: (950): Action: Action_Null
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT
IKEv2-PROTO-4: (950): DPD timer started for 10 secs
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PARENT_NEG_COMPLETE
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE
IKEv2-PROTO-7: (950): Closing the PKI session
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE
IKEv2-PROTO-4: (950): Checking for duplicate IKEv2 SA
IKEv2-PROTO-4: (950): No duplicate IKEv2 SA found
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK
IKEv2-PROTO-4: (950): Starting timer (8 sec) to delete negotiation context
IKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=10.6.7.19, sport=1986, daddr=10.3.48.14, dport=41216
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap.
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 2: skipping because 5-tuple does not match ACL outside_cryptomap_1.
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 3: skipping because 5-tuple does not match ACL outside_cryptomap_2.
IPSEC(crypto_map_check)-5: Checking crypto map outside_map 5: skipping incomplete map.  No peer, access-list or transform-set specified.
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 6: matched.
IKEv2-PROTO-7: (947): Restarting DPD timer 10 secs

IKEv2-PROTO-7: (946): Restarting DPD timer 10 secs

tuIKEv2-PROTO-7: (950): SM Trace-> SA: I_SPI=1BAAE8DCD4E47801 R_SPI=6222384A77D2F9A4 (R) MsgID = 00000001 CurState: READY Event: EV_DEL_NEG_TMO
IKEv2-PROTO-7: (950): Deleting negotiation context for peer message ID: 0x1
!Tunnel is down here

Any thoughts? Any help? FortiGate is running FortiOS 6.2.5 and the ASA was running 9.8(4) but was upgraded at TAC's request to 9.9(2).

Any help is welcome.

Accepted Solution

matt.sherif
Well, after what seemed like an eternity, we found the issue. After a lot of debugging, we found this on the ASA:

IKEv2-PLAT-4: (1134): idle timeout disable for VTI session  
IKEv2-PLAT-4: (1134): session timeout set to: 720 

So we looked and noticed that the group-policy for the tunnel doesn't have a lifetime set, which means it's inheriting from the default group-policy, which was set to 720 minutes.

When we set:

  vpn-session-timeout none

on the group-policy for the VPN tunnel to the FortiGate, the tunnel stopped dropping.
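To check other tunnels for the same inheritance trap, here is an added audit script (not from the thread or from Cisco) that parses an ASA running-config excerpt, resolves each site-to-site tunnel-group's group-policy, and reports any whose effective vpn-session-timeout is finite. The sample config and peer addresses are constructed, and the resolution order (named policy, then DfltGrpPolicy, whose factory default is none) is the assumed ASA inheritance behaviour.

```python
# Added example (not from the thread): find ASA site-to-site tunnel-groups whose
# group-policy inherits a finite vpn-session-timeout. Sample config is constructed; IPs are placeholders.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-session-timeout 720
group-policy GROUP_POLICY attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec
group-policy FIXED_POLICY attributes
 vpn-session-timeout none
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy GROUP_POLICY
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 general-attributes
 default-group-policy FIXED_POLICY
"""

def parse_asa_config(text):
    """Return ({policy: "none" | minutes-string}, {peer: {"type", "policy"}})."""
    policies, tunnel_groups, section = {}, {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if not line[0].isspace():  # an unindented command opens a new section
            section = None
            if parts[0] == "group-policy" and parts[2] == "attributes":
                section = ("gp", parts[1])
            elif parts[0] == "tunnel-group":
                tg = tunnel_groups.setdefault(parts[1], {"type": None, "policy": None})
                if parts[2] == "type":
                    tg["type"] = parts[3]
                elif parts[2] == "general-attributes":
                    section = ("tg", parts[1])
        elif section and section[0] == "gp" and parts[0] == "vpn-session-timeout":
            policies[section[1]] = parts[1]
        elif section and section[0] == "tg" and parts[0] == "default-group-policy":
            tunnel_groups[section[1]]["policy"] = parts[1]
    return policies, tunnel_groups

def find_timed_l2l_tunnels(text):
    """{peer: (policy, minutes)} for ipsec-l2l tunnel-groups that will be torn down on a timer.
    An unset timeout inherits from DfltGrpPolicy (assumed factory default: none)."""
    policies, tunnel_groups = parse_asa_config(text)
    findings = {}
    for peer, tg in tunnel_groups.items():
        policy = tg["policy"] or "DfltGrpPolicy"
        value = policies.get(policy) or policies.get("DfltGrpPolicy")
        if tg["type"] == "ipsec-l2l" and value not in (None, "none"):
            findings[peer] = (policy, int(value))
    return findings
```

Run it against `show running-config` output; in the sample only the 192.0.2.10 peer is reported, since FIXED_POLICY already sets `vpn-session-timeout none`.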

Hi @matt.sherif 

Probably lifetime timers mismatch.

Whilst your Cisco IKEv2 policy 5 has the same lifetime of 172800 as the FortiGate, it won't be used as the encryption algorithms defined are different, so they will match on policy 10, which has different lifetime timers. Modify one of your policies to be exactly the same on the Cisco as on the FortiGate.

HTH

Rob, 

Thanks for replying; that was an error when sanitizing the configs. IKEv2 Policy 10 indeed has a 172800 rekey lifetime. I'm just mentally exhausted from trying to address this.

Is the remote peer behind NAT, which makes the identification change?

Thanks for replying. No, neither peer is behind a NAT; as you can see, both peers are on public addresses:

FortiGate.IP:500 ---> ASA.IP:500

Phase 2 encryption and hash are different on both sides; make them match.
aes128 to aes.

They do match: on a Cisco ASA, AES is AES-128; on FortiGate you have to specify AES128.

As evidenced by this:

ike 0:ASA_P1:41339:ASA_P2:2070: incoming child SA proposal: <--- Incoming proposal from ASA (IKEv2 Policy 10)
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070:   protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070:      encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070:         type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070:         PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: matched proposal id 1
ike 0:ASA_P1:41339:ASA_P2:2070: proposal id = 1:
ike 0:ASA_P1:41339:ASA_P2:2070:   protocol = ESP:
ike 0:ASA_P1:41339:ASA_P2:2070:      encapsulation = TUNNEL
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ENCR, val=AES_CBC (key_len = 128)
ike 0:ASA_P1:41339:ASA_P2:2070:         type=INTEGR, val=SHA
ike 0:ASA_P1:41339:ASA_P2:2070:         type=ESN, val=NO
ike 0:ASA_P1:41339:ASA_P2:2070:         PFS is disabled
ike 0:ASA_P1:41339:ASA_P2:2070: lifetime=21600

If they didn't match the Tunnel wouldn't form at all. This is not the problem I am having.

......

Where does it say tunnel type is L2TP-IPSEC? That's the group policy.

Check the config I sent: vpn-tunnel-protocol was L2TP-IPSec; I only deleted it and added tunnel type IPSec L2L.

group-policy group_policy attributes
 vpn-tunnel-protocol ikev2

tunnel-group x.x.x.x type ipsec-l2l <----- ipsec-lan-2-lan, so site to site. No?

.....

Under FortiGate, for the IP-in-IP selector:
set protocol 4

There is no IP-in-IP tunnel in this scenario. Where did you get that idea from?

.....
