FTD (Behind NAT ISP Modem) FMC site-to-site Fortigate

bristi
Level 1

We have a Cisco FTD 1150 and I have established a site-to-site tunnel with a FortiGate device. The FTD is situated behind NAT through an Internet Service Provider (ISP) modem, resulting in a private IP configuration. Despite configuring the connection type as 'Originate Only' instead of bidirectional, I encountered issues with traffic passing through the tunnel. I have tried various solutions, including enabling NAT-Traversal, but the problem persists. Upon analyzing the debug logs, I noticed that the FTD shows both encapsulation and decapsulation counters, while the FortiGate only displays encapsulation counters without any corresponding decapsulation counters. I am seeking assistance in troubleshooting this matter, as it has become a source of frustration for me. Please advise on the information you need from my end to further investigate and resolve this issue. Cisco TAC kept insisting that the issue is coming from the ISP. Sorry, I had to hide the public IPs and replace them with x.x.x.x.

From FTD

> show crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
Crypto map tag: CSM_outside-goplc1_map, seq num: 2, local addr: 10.11.255.5

access-list 10.10.216.0-interesting-traffic extended permit ip 10.10.216.0 255.255.255.240 10.11.20.0 255.255.255.0 log
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (10.10.216.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.11.20.0/255.255.255.0/0/0)
current_peer: x.x.x.x

#pkts encaps: 7935, #pkts encrypt: 7935, #pkts digest: 7935
#pkts decaps: 6696, #pkts decrypt: 6696, #pkts verify: 6696
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7935, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

From Fortigate

diagnose vpn tunnel list name Headoffice
list ipsec tunnel by names in vd 0
------------------------------------------------------

proxyid_num=1 child_num=0 refcnt=6 ilast=1 olast=0 ad=/0
stat: rxp=0 txp=28837 rxb=0 txb=2420988
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1362
natt: mode=keepalive draft=0 interval=10 remote_port=4500
fec: egress=0 ingress=0
proxyid=Headoffice proto=0 sa=1 ref=3 serial=2
src: 0:10.11.20.0-10.11.20.255:0
dst: 0:10.10.216.0-10.10.216.15:0
SA: ref=3 options=10024 type=00 soft=0 mtu=1422 expire=20765/0B replaywin=0
seqno=1d88 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=28503/28800
dec: spi=8e3faaa1 esp=aes key=32 8d96bdf6bd394779a9049923ec95ba5ec31ff148eaf4ae93f4d49636d47c39a6
ah=sha256 key=32 fac1966f56b065a08456e5ff0ff6869676728eb0589df65ea417a4811532ee71
enc: spi=0719df97 esp=aes key=32 5f8e16550d144f87eef61b5a7128311e00a197cadf5d0d839d2300fc6d791465
ah=sha256 key=32 4e6bcac979645cd39cff10676468912378773c8edc5cda02b40aa890b523c4e9
dec:pkts/bytes=0/0, enc:pkts/bytes=15118/1874352
npu_flag=00 npu_rgwy=x.x.x.x npu_lgwy=195.158.86.175 npu_selid=e dec_npuid=0 enc_npuid=0
run_tally=0


23 Replies

Ping from LAN to LAN with a ping count of at least 100.

Then check whether the encap count increases by this number.

MHM

I attempted that, and the only aspect that isn't showing an increase is the decapsulation on the FortiGate. However, the issue is certainly not originating from the FortiGate.

Can you share a packet tracer of this s2s VPN (please add detail to your packet tracer)?

MHM

Alright, so you're asking me to ping from a host located behind the FTD to another host situated behind the FortiGate using FTD packet tracer, correct?

Don't use ping; use TCP traffic in packet tracer.

MHM

I'm not sure if this is what you're after; see below, it is allowed. There is an option in FTD packet tracer called "Treat the simulated packet as an IPsec/SSL VPN decrypted packet". Shall I use it?

Packet Tracer TCP

Interface: Ethernet1/11.216
VLAN ID:
Protocol: TCP
Source Type: IPv4
Source IP value: 10.10.216.5
Source Port: ssh
Source SPI:
Destination Type: IPv4
Destination IP value: 10.11.20.51
Destination port: ssh
Inline Tag:
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: false
Select Device: IC-FTD02
Run trace on all cluster members: false

Device details
Name: IC-FTD02
ID: 5322b646-feb8-11ed-b585-fec3381dfb76
Type: Device

Phase 1
ID: 1
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information: Input route lookup returned ifc outside-melita1 is not same as existing ifc outside-goplc1
Doing adjacency lookup on existing ifc outside-goplc1
Elapsed Time: 52736 ns

Phase 2
ID: 2
Type: ECMP load balancing
Result: ALLOW
Config:
Additional Information: ECMP load balancing
Found next-hop 10.11.255.6 using egress ifc outside-goplc1(vrfid:0)
Elapsed Time: 3072 ns

Phase 3
ID: 3
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config: route-map FMC_GENERATED_PBR_1699202772888 permit 5 match ip address ic-dmz-vps-outbound set interface outside-goplc1 outside-melita1
Additional Information: Matched route-map FMC_GENERATED_PBR_1699202772888, sequence 5, permit
Found next-hop 10.11.255.6 using egress ifc outside-goplc1
Elapsed Time: 512 ns

Phase 4
ID: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config: nat (ic-dmz-vps,outside-goplc1) source static ic-dmz-vps-subnet ic-dmz-vps-subnet destination static ic-gaming-subnet ic-gaming-subnet no-proxy-arp route-lookup
Additional Information: NAT divert to egress interface outside-goplc1(vrfid:0)
Untranslate 10.11.20.51/22 to 10.11.20.51/22
Elapsed Time: 3072 ns

Phase 5
ID: 5
Type: OBJECT_GROUP_SEARCH
Result: ALLOW
Config:
Additional Information: Source Object Group Match Count: 4 Destination Object Group Match Count: 3 Object Group Search: 12
Elapsed Time: 0 ns

Phase 6
ID: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: IC-Security-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: [WAN] Block Bad URLs
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule: in id=0x1519782cdcb0, priority=12, domain=permit, deny=false hits=16177306, user_data=0x15195f9bbe40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any,, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 307 ns

Phase 7
ID: 7
Type: CONN-SETTINGS
Result: ALLOW
Config: class-map class-default match any
policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x15197c398330, priority=7, domain=conn-set, deny=false hits=2998329, user_data=0x15197adacf40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=any
Elapsed Time: 307 ns

Phase 8
ID: 8
Type: NAT
Result: ALLOW
Config: nat (ic-dmz-vps,outside-goplc1) source static ic-dmz-vps-subnet ic-dmz-vps-subnet destination static ic-gaming-subnet ic-gaming-subnet no-proxy-arp route-lookup
Additional Information: Static translate 10.10.216.5/22 to 10.10.216.5/22
Forward Flow based lookup yields rule: in id=0x15197a80fef0, priority=6, domain=nat, deny=false hits=5100, user_data=0x15197d6aa880, cs_id=0x0, flags=0x0, protocol=0 src ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any dst ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=outside-goplc1(vrfid:0)
Elapsed Time: 307 ns

Phase 9
ID: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x151974e57be0, priority=0, domain=nat-per-session, deny=false hits=79536255, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 307 ns

Phase 10
ID: 10
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x15197d712dc0, priority=0, domain=inspect-ip-options, deny=true hits=4525844, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=any
Elapsed Time: 307 ns

Phase 11
ID: 11
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x151979ad18b0, priority=20, domain=lu, deny=false hits=164962, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=any
Elapsed Time: 24064 ns

Phase 12
ID: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: out id=0x1519782db330, priority=70, domain=encrypt, deny=false hits=913, user_data=0xb9e8944, cs_id=0x15197e3dd7f0, reverse, flags=0x0, protocol=0 src ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any dst ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any(vrfid:65535), output_ifc=outside-goplc1
Elapsed Time: 11264 ns

Phase 13
ID: 13
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config: nat (ic-dmz-vps,outside-goplc1) source static ic-dmz-vps-subnet ic-dmz-vps-subnet destination static ic-gaming-subnet ic-gaming-subnet no-proxy-arp route-lookup
Additional Information: Forward Flow based lookup yields rule: out id=0x15197fa4e2f0, priority=6, domain=nat-reverse, deny=false hits=5101, user_data=0x15197ceb6ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any dst ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=outside-goplc1(vrfid:0)
Elapsed Time: 2560 ns

Phase 14
ID: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x151978399960, priority=70, domain=ipsec-tunnel-flow, deny=false hits=912, user_data=0xb9eaadc, cs_id=0x15197e3dd7f0, reverse, flags=0x0, protocol=0 src ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any dst ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=outside-goplc1(vrfid:0), output_ifc=any
Elapsed Time: 33280 ns

Phase 15
ID: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x151974e57be0, priority=0, domain=nat-per-session, deny=false hits=79536257, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 2048 ns

Phase 16
ID: 16
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x151976c8c5f0, priority=0, domain=inspect-ip-options, deny=true hits=11711493, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=outside-goplc1(vrfid:0), output_ifc=any
Elapsed Time: 512 ns

Phase 17
ID: 17
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 200408611, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Elapsed Time: 18432 ns

Phase 18
ID: 18
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 45056 ns

Phase 19
ID: 19
Type: SNORT
Subtype: appid
Result: ALLOW
Config:
Additional Information: service: (0), client: (0), payload: (0), misc: (0)
Elapsed Time: 14700 ns

Phase 20
ID: 20
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 2, Rule ID 268435623
Additional Information: Starting rule matching, zone 1 -> 5, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268435623 - Allow
Elapsed Time: 239154 ns

Result
Input Interface: ic-dmz-vps(vrfid:0)
Input Status: up
Input Line Status: up
Output Interface: outside-goplc1(vrfid:0)
Output Status: up
Output Line Status: up
Action: allow
Time Taken: 451997 ns

There is a PBR that directs your traffic to outside-goplc1?

Is this the interface you use for s2s?

MHM

Yes, sir, that is indeed the interface utilized for the IPSEC tunnel. The 10.10.216.0/28 DMZ originates from this external interface. There is a Policy-Based Routing (PBR) in place to facilitate the passage of this traffic, along with a dynamic NAT.

1- In Advanced Troubleshooting -> edit/add capture (capture the IPsec traffic)

Note: make the trace count 2

2- Advanced Troubleshooting -> capture w/trace

Share the output you get

3- show vpn-sessiondb l2l

Check if IPsec is using 4500 as the port or not; 4500 means the IPsec NAT-T is OK

4- Check if the modem opens port 4500

MHM

1. Trace Count 2 - Done (See Below)

2. Where is the advanced capture trace in FMC?

3. show vpndbsession l2l - Done (See Below)

4. Port 4500 on modem is opened

---------------------------------------------------------------------------------------------------------------

Trace Count 2

---------------------------------------------------------------------------------------------------------------

7 packets captured

1: 13:29:58.466040 802.1Q vlan#216 P0 10.11.20.51 > 10.10.216.5 icmp: echo request
2: 13:29:58.466116 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 8960 ns
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 8960 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 3072 ns
Config:
Additional Information:
Found flow with id 203715875, using existing flow

Phase: 4
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 20992 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 5
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 5754 ns
Config:
Additional Information:
service: ICMP(3501), client: (0), payload: (0), misc: (0)

Phase: 6
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 46386 ns
Config:
Network 0, Inspection 0, Detection 3, Rule ID 268435623
Additional Information:
Starting rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268435623 - Allow

Result:
input-interface: ic-dmz-vps(vrfid:0)
input-status: up
input-line-status: up
Action: allow
Time Taken: 94124 ns


3: 13:29:59.490209 802.1Q vlan#216 P0 10.11.20.51 > 10.10.216.5 icmp: echo request
4: 13:29:59.490300 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 9216 ns
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 9216 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 2560 ns
Config:
Additional Information:
Found flow with id 203716025, using existing flow

Phase: 4
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 15872 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 5
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 5920 ns
Config:
Additional Information:
service: ICMP(3501), client: (0), payload: (0), misc: (0)

Phase: 6
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 48648 ns
Config:
Network 0, Inspection 0, Detection 3, Rule ID 268435623
Additional Information:
Starting rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268435623 - Allow

Result:
input-interface: ic-dmz-vps(vrfid:0)
input-status: up
input-line-status: up
Action: allow
Time Taken: 91432 ns


5: 13:29:59.963634 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo request
6: 13:30:00.514148 802.1Q vlan#216 P0 10.11.20.51 > 10.10.216.5 icmp: echo request
7: 13:30:00.514240 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo reply
7 packets shown

---------------------------------------------------------------------------------------------------------------

Show vpn-sessiondb detail l2l 

---------------------------------------------------------------------------------------------------------------

Connection : 195.158.86.175
Index : 192062 IP Addr : 195.158.86.175
Protocol : IKEv2 IPsecOverNatT
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256
Hashing : IKEv2: (1)SHA256 IPsecOverNatT: (1)SHA256
Bytes Tx : 65208 Bytes Rx : 81240
Login Time : 13:23:23 UTC Sun Dec 17 2023
Duration : 0h:11m:34s
Tunnel Zone : 0

All config is correct; there is nothing I can see wrong.
But don't use the bidirectional type; let's check that as well.
The Forti must use the same SPI as the FPR.

dec: spi=8e3faaa1 esp=aes key=32 8d96bdf6bd394779a9049923ec95ba5ec31ff148eaf4ae93f4d49636d47c39a6
ah=sha256 key=32 fac1966f56b065a08456e5ff0ff6869676728eb0589df65ea417a4811532ee71
enc: spi=0719df97 esp=aes key=32 5f8e16550d144f87eef61b5a7128311e00a197cadf5d0d839d2300fc6d791465
ah=sha256 key=32 4e6bcac979645cd39cff10676468912378773c8edc5cda02b40aa890b523c4e9

Can you double-check whether both sides use the same SPI or not?
Thanks

MHM

On the FTD it's not "Bidirectional", it's "Originate only"; this is the only service that initiates the tunnel to become active.

But I have different SPIs.

---------------------------------------------------------------------------------------------------------------

Fortigate 

---------------------------------------------------------------------------------------------------------------

name: 'Headoffice'
auto-negotiate: disable
mode: tunnel
src: 0:10.11.20.0/255.255.255.0:0
dst: 0:10.10.216.0/255.255.255.240:0
SA
lifetime/rekey: 28800/11923
mtu: 1422
tx-esp-seq: 39c4
replay: disabled
qat: 0
inbound
spi: 8e3fabe9
enc: aes-cb 385c68a28087db3870b8fe5af87cb2f984b551ec17db610da7bad64713f733f7
auth: sha256 cd15def4bbe4dc983acd896cfef44f36b7b41799e52647babcf7b14f8cce8ea2
outbound
spi: 08d85c14
enc: aes-cb 47bbcfdbb6e004683ea367274f12641a39a63cf2530dbdc7aa2eb32085d68e5f
auth: sha256 2e7eec8256e3c8ef6db36847f42a44948c3190eb701f8b1913903c6fe98a4410
NPU acceleration: none

outbound
spi: 08d85c14

The outbound SPI of the Forti is the decap SPI of the FTD; are they the same?

For the inbound SPI of the Forti it can be different, and if that is correct then this is the issue here.

MHM

Sorry, they are the same; I checked on the FTD as well.

--------------------------------------------------------------------------------------------------------------

FTD

--------------------------------------------------------------------------------------------------------------

local crypto endpt.: 10.11.255.5/4500, remote crypto endpt.: 195.158.86.175/4500
path mtu 1452, ipsec overhead 86(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 8E3FABE9
current inbound spi : 08D85C14

--------------------------------------------------------------------------------------------------------------

FORTIGATE

--------------------------------------------------------------------------------------------------------------

spi: 8e3fabe9
enc: aes-cb 385c68a28087db3870b8fe5af87cb2f984b551ec17db610da7bad64713f733f7
auth: sha256 cd15def4bbe4dc983acd896cfef44f36b7b41799e52647babcf7b14f8cce8ea2
outbound
spi: 08d85c14
enc: aes-cb 47bbcfdbb6e004683ea367274f12641a39a63cf2530dbdc7aa2eb32085d68e5f
auth: sha256 2e7eec8256e3c8ef6db36847f42a44948c3190eb701f8b1913903c6fe98a4410
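An added cross-check script, not part of this thread or of either vendor's tooling, that applies the two checks discussed above (MHM's SPI comparison between the two peers, and the encap/decap counter asymmetry from the opening post) to constructed sample output modelled on the lines quoted in the thread. The remote peer address is a documentation-range placeholder, and the regexes assume the line formats shown above.

```python
import re

# Constructed sample output, trimmed to the lines the checks need. The remote
# public address is a placeholder (203.0.113.0/24 documentation range), not a real peer.
FTD_SA = """\
#pkts encaps: 7935, #pkts encrypt: 7935, #pkts digest: 7935
#pkts decaps: 6696, #pkts decrypt: 6696, #pkts verify: 6696
local crypto endpt.: 10.11.255.5/4500, remote crypto endpt.: 203.0.113.10/4500
current outbound spi: 8E3FABE9
current inbound spi : 08D85C14
"""

FORTI_SA = """\
stat: rxp=0 txp=28837 rxb=0 txb=2420988
natt: mode=keepalive draft=0 interval=10 remote_port=4500
inbound
spi: 8e3fabe9
outbound
spi: 08d85c14
"""


def parse_ftd(text):
    """Extract packet counters, current SPIs and the local NAT-T port from FTD 'show crypto ipsec sa'."""
    sa = {}
    sa["encaps"] = int(re.search(r"#pkts encaps:\s*(\d+)", text).group(1))
    sa["decaps"] = int(re.search(r"#pkts decaps:\s*(\d+)", text).group(1))
    sa["out_spi"] = re.search(r"current outbound spi:\s*([0-9a-fA-F]+)", text).group(1).lower()
    sa["in_spi"] = re.search(r"current inbound spi\s*:\s*([0-9a-fA-F]+)", text).group(1).lower()
    sa["local_port"] = int(re.search(r"local crypto endpt\.:\s*[\d.]+/(\d+)", text).group(1))
    return sa


def parse_forti(text):
    """Extract rx/tx packet counters, NAT-T remote port and per-direction SPIs from FortiGate output."""
    sa = {}
    sa["rxp"] = int(re.search(r"\brxp=(\d+)", text).group(1))
    sa["txp"] = int(re.search(r"\btxp=(\d+)", text).group(1))
    sa["remote_port"] = int(re.search(r"remote_port=(\d+)", text).group(1))
    direction = None
    for line in text.splitlines():
        word = line.strip().lower()
        if word in ("inbound", "outbound"):
            direction = word  # the following "spi:" line belongs to this direction
        elif word.startswith("spi:") and direction:
            sa[direction + "_spi"] = word.split(":", 1)[1].strip()
    return sa


def diagnose(ftd, forti):
    """Return a list of findings; an empty list means the two SA views agree."""
    findings = []
    # An ESP SPI is chosen by the receiving peer, so FTD outbound must equal
    # FortiGate inbound and FTD inbound must equal FortiGate outbound.
    if ftd["out_spi"] != forti["inbound_spi"]:
        findings.append("spi: FTD outbound %s != FortiGate inbound %s" % (ftd["out_spi"], forti["inbound_spi"]))
    if ftd["in_spi"] != forti["outbound_spi"]:
        findings.append("spi: FTD inbound %s != FortiGate outbound %s" % (ftd["in_spi"], forti["outbound_spi"]))
    # With NAT-T negotiated across the ISP modem both ends should be on UDP/4500.
    if ftd["local_port"] != 4500 or forti["remote_port"] != 4500:
        findings.append("natt: expected UDP/4500 on both sides")
    # FTD encrypts and sends but the FortiGate never decrypts anything: ESP in the
    # FTD -> FortiGate direction is being lost or discarded somewhere in the path.
    if ftd["encaps"] > 0 and forti["rxp"] == 0:
        findings.append("one-way: FTD encaps=%d but FortiGate rxp=0" % ftd["encaps"])
    if forti["txp"] > 0 and ftd["decaps"] == 0:
        findings.append("one-way: FortiGate txp=%d but FTD decaps=0" % forti["txp"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ftd(FTD_SA), parse_forti(FORTI_SA)):
        print(finding)
```

With the sample values the SPIs pair up correctly and NAT-T is on both sides, so the only finding is the one-way symptom the thread describes, which points the investigation at the path between the two peers rather than at the SA itself.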