Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1297
Views
0
Helpful
4
Replies

Cisco ASA 5505 IPSEC VPN to fortigate firewall going up and down

amohod
Level 1
Level 1

‎09-06-2021 02:24 PM - edited ‎09-06-2021 02:30 PM

We have site to site VPN between our cisco ASA 5505 firewall and customer FortiGate firewall. Both firewalls have two internet links. Below are scenario where IPSEC VPN is working

Our ISP1 to Customer  ISP1

Our ISP1 to Customer ISP2

 

Below scenario where VPN not working and it is going up and down

Our ISP2 to Customer ISP1

Our ISP2 to Customer ISP2

 

In non working scenario when we run debug, we got weird message

 

20:14:27 [IKEv1]IP = 38.X.165.1XX, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on ISP2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Sep 06 20:14:27 [IKEv1]NAT-T disabled in crypto map <amzn_vpn_map> 3.

 Sep 06 20:14:35 [IKEv1]IP = 38.X.165.1XX IKE Initiator: New Phase 1, Intf inside, IKE Peer 38.X.165.1XX local Proxy Address 172.31.67.128, remote Proxy Address 172.30.66.0, Crypto map (<amzn_vpn_map>)
Sep 06 20:14:35 [IKEv1 DEBUG]Group = 38.X.165.1XX, IP = 38.X.165.1XX, IKE SA MM:83be0062 rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 35
Sep 06 20:14:35 [IKEv1 DEBUG]IP = 38.X.165.1XX, constructing ISAKMP SA payload

 

When we were testing ISP2 in our end, we put the ISP1 (outside) physically down. Still we are not clear why we getting this message. I think VPN is going up and down because of this error. Please advice why we are getting this error and how to fix it.

 

 

Labels:
0 Helpful
4 Replies 4

Sheraz.Salim
VIP
VIP

‎09-06-2021 11:03 PM

can you share your firewall configuration and also what software version on you in the ASA. have you configure the object tracking in your configurations?

please do not forget to rate.
0 Helpful

amohod
Level 1
Level 1
In response to Sheraz.Salim

‎09-12-2021 01:16 PM

I will not be able to share complete config of ASA due to security reasons. Let me know if you are looking any specific part of config. ASA IOS version is 9.0(1). Regarding object tracking, you are talking SLA monitoring right. Yes we have SLA monitoring configured for ISP1 default route

0 Helpful

amohod
Level 1
Level 1

‎09-17-2021 02:39 PM

Please help me with this issue.

0 Helpful

Sheraz.Salim
VIP
VIP
In response to amohod

‎09-18-2021 12:34 AM

Hi amohod.

 

please could you share the configuration and did you see my earlier response

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents