amohod
Beginner

Cisco ASA 5505 IPSEC VPN to fortigate firewall going up and down

We have a site-to-site VPN between our Cisco ASA 5505 firewall and a customer FortiGate firewall. Both firewalls have two internet links. Below are the scenarios where the IPsec VPN is working:

Our ISP1 to Customer ISP1

Our ISP1 to Customer ISP2

Below are the scenarios where the VPN is not working and it is going up and down:

Our ISP2 to Customer ISP1

Our ISP2 to Customer ISP2

In the non-working scenario, when we run debug, we get a weird message:

 

20:14:27 [IKEv1]IP = 38.X.165.1XX, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on ISP2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Sep 06 20:14:27 [IKEv1]NAT-T disabled in crypto map <amzn_vpn_map> 3.

 Sep 06 20:14:35 [IKEv1]IP = 38.X.165.1XX IKE Initiator: New Phase 1, Intf inside, IKE Peer 38.X.165.1XX local Proxy Address 172.31.67.128, remote Proxy Address 172.30.66.0, Crypto map (<amzn_vpn_map>)
Sep 06 20:14:35 [IKEv1 DEBUG]Group = 38.X.165.1XX, IP = 38.X.165.1XX, IKE SA MM:83be0062 rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 35
Sep 06 20:14:35 [IKEv1 DEBUG]IP = 38.X.165.1XX, constructing ISAKMP SA payload

 

When we were testing ISP2 on our end, we put the ISP1 (outside) link physically down. Still, we are not clear why we are getting this message. I think the VPN is going up and down because of this error. Please advise why we are getting this error and how to fix it.
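As an added example (not from this thread, not Cisco's code), here is a small Python script that scans ASA IKEv1 debug output for the interface-mismatch message quoted above and summarises, per peer, how often phase 1 was torn down and which interface pair was involved. It assumes the message formats are exactly as they appear in the debug output above; the sample lines are constructed for the example, with the masked peer address replaced by a documentation IP. The interface names `ISP2` and `outside`, the crypto map name `amzn_vpn_map` and the proxy addresses are taken from the thread; everything else is assumed.

```python
import re
from collections import defaultdict

# Regexes for the three ASA IKEv1 messages seen in the debug output. The peer
# field is permissive ([\d.xX]+) so lines with masked addresses such as
# 38.X.165.1XX still parse. The "Sep 06 20:14:27" prefix is not anchored, so a
# line with only a time-of-day prefix parses the same way.
MISMATCH_RE = re.compile(
    r"\[IKEv1\]IP = (?P<peer>[\d.xX]+), Attempting to establish a phase2 tunnel on "
    r"(?P<p2_intf>\S+) interface but phase1 tunnel is on (?P<p1_intf>\S+) interface"
)
NEW_PHASE1_RE = re.compile(r"\[IKEv1\]IP = (?P<peer>[\d.xX]+) IKE Initiator: New Phase 1")
TERMINATE_RE = re.compile(r"IP = (?P<peer>[\d.xX]+), IKE SA MM:[0-9a-fA-F]+ rcv'd Terminate")

# Constructed sample debug output, modelled on the lines in the thread.
# 198.51.100.10 and 203.0.113.7 are documentation addresses, not real peers.
SAMPLE_DEBUG = """\
20:14:27 [IKEv1]IP = 198.51.100.10, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on ISP2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Sep 06 20:14:27 [IKEv1]NAT-T disabled in crypto map <amzn_vpn_map> 3.
Sep 06 20:14:35 [IKEv1]IP = 198.51.100.10 IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.10 local Proxy Address 172.31.67.128, remote Proxy Address 172.30.66.0, Crypto map (<amzn_vpn_map>)
Sep 06 20:14:35 [IKEv1 DEBUG]Group = 198.51.100.10, IP = 198.51.100.10, IKE SA MM:83be0062 rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 35
Sep 06 20:14:35 [IKEv1 DEBUG]IP = 198.51.100.10, constructing ISAKMP SA payload
Sep 06 20:15:02 [IKEv1]IP = 198.51.100.10, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on ISP2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Sep 06 20:15:10 [IKEv1]IP = 203.0.113.7 IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.7 local Proxy Address 10.0.0.0, remote Proxy Address 10.1.0.0, Crypto map (<amzn_vpn_map>)
"""


def summarize_ike(debug_text):
    """Per peer: mismatch tear-downs, the (phase1, phase2) interface pairs
    involved, new phase 1 attempts, and received Terminates."""
    per_peer = defaultdict(lambda: {"mismatch": 0, "pairs": set(),
                                    "new_phase1": 0, "terminate": 0})
    for line in debug_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            stats = per_peer[m["peer"]]
            stats["mismatch"] += 1
            stats["pairs"].add((m["p1_intf"], m["p2_intf"]))
            continue
        m = NEW_PHASE1_RE.search(line)
        if m:
            per_peer[m["peer"]]["new_phase1"] += 1
            continue
        m = TERMINATE_RE.search(line)
        if m:
            per_peer[m["peer"]]["terminate"] += 1
    return dict(per_peer)


def flapping_peers(debug_text, min_mismatches=2):
    """Peers that hit the mismatch tear-down at least min_mismatches times and
    then re-initiated phase 1: the pattern behind a tunnel going up and down."""
    return sorted(peer for peer, s in summarize_ike(debug_text).items()
                  if s["mismatch"] >= min_mismatches and s["new_phase1"] >= 1)


def explain(debug_text):
    """One plain-language line per (peer, interface pair) for a ticket or runbook."""
    out = []
    for peer, s in sorted(summarize_ike(debug_text).items()):
        for p1, p2 in sorted(s["pairs"]):
            out.append(f"{peer}: phase 1 built on {p1}, phase 2 selected {p2}; "
                       f"check that the route to the peer and the crypto map "
                       f"interface binding agree after ISP failover")
    return out


if __name__ == "__main__":
    for peer, stats in summarize_ike(SAMPLE_DEBUG).items():
        print(peer, stats)
    print("flapping:", flapping_peers(SAMPLE_DEBUG))
    for line in explain(SAMPLE_DEBUG):
        print(line)
```

Feed it `debug crypto isakmp` output captured during a failover test. The interface pair it reports (phase 1 on `ISP2`, phase 2 on `outside` in the thread's case) is what to line up against the SLA-tracked route state at the same timestamps: the ASA tears the phase 1 SA down precisely because the interface it would use to reach the peer no longer matches the one the SA was built on.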

 

 

4 Replies
Sheraz.Salim
VIP Advisor

Can you share your firewall configuration, and also which software version you are running on the ASA? Have you configured object tracking in your configuration?

please do not forget to rate.

I will not be able to share the complete config of the ASA due to security reasons. Let me know if you are looking for any specific part of the config. The ASA IOS version is 9.0(1). Regarding object tracking, you are talking about SLA monitoring, right? Yes, we have SLA monitoring configured for the ISP1 default route.

amohod
Beginner

Please help me with this issue.

Hi amohod,

Please, could you share the configuration? And did you see my earlier response?

please do not forget to rate.