12-16-2023 06:52 AM
We have a Cisco FTD 1150 and I have established a site-to-site tunnel with a FortiGate device. The FTD is situated behind NAT through an Internet Service Provider (ISP) modem, resulting in a private IP configuration. Despite configuring the connection type as 'Originate Only' instead of bidirectional, I encountered issues with traffic passing through the tunnel. I have tried various solutions, including enabling NAT-Traversal, but the problem persists. Upon analyzing the debug logs, I noticed that the FTD shows both encapsulation and decapsulation counters, while the FortiGate only displays encapsulation counters without any corresponding decapsulation counters. I am seeking assistance in troubleshooting this matter, as it has become a source of frustration for me. Please advise on the information you need from my end to further investigate and resolve this issue. Cisco TAC kept insisting that the issue is coming from the ISP. Sorry, I had to hide the public IPs and replace them with x.x.x.x.
From FTD
> show crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
Crypto map tag: CSM_outside-goplc1_map, seq num: 2, local addr: 10.11.255.5
access-list 10.10.216.0-interesting-traffic extended permit ip 10.10.216.0 255.255.255.240 10.11.20.0 255.255.255.0 log
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (10.10.216.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.11.20.0/255.255.255.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 7935, #pkts encrypt: 7935, #pkts digest: 7935
#pkts decaps: 6696, #pkts decrypt: 6696, #pkts verify: 6696
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7935, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
From Fortigate
diagnose vpn tunnel list name Headoffice
list ipsec tunnel by names in vd 0
------------------------------------------------------
proxyid_num=1 child_num=0 refcnt=6 ilast=1 olast=0 ad=/0
stat: rxp=0 txp=28837 rxb=0 txb=2420988
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1362
natt: mode=keepalive draft=0 interval=10 remote_port=4500
fec: egress=0 ingress=0
proxyid=Headoffice proto=0 sa=1 ref=3 serial=2
src: 0:10.11.20.0-10.11.20.255:0
dst: 0:10.10.216.0-10.10.216.15:0
SA: ref=3 options=10024 type=00 soft=0 mtu=1422 expire=20765/0B replaywin=0
seqno=1d88 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=28503/28800
dec: spi=8e3faaa1 esp=aes key=32 8d96bdf6bd394779a9049923ec95ba5ec31ff148eaf4ae93f4d49636d47c39a6
ah=sha256 key=32 fac1966f56b065a08456e5ff0ff6869676728eb0589df65ea417a4811532ee71
enc: spi=0719df97 esp=aes key=32 5f8e16550d144f87eef61b5a7128311e00a197cadf5d0d839d2300fc6d791465
ah=sha256 key=32 4e6bcac979645cd39cff10676468912378773c8edc5cda02b40aa890b523c4e9
dec:pkts/bytes=0/0, enc:pkts/bytes=15118/1874352
npu_flag=00 npu_rgwy=x.x.x.x npu_lgwy=195.158.86.175 npu_selid=e dec_npuid=0 enc_npuid=0
run_tally=0
12-16-2023 09:37 AM
Ping from LAN to LAN with a ping count of at least 100.
Then check whether the encaps counter increases by this number?
MHM
12-16-2023 11:13 AM
I attempted that, and the only aspect that isn't showing an increase is the decapsulation on the FortiGate. However, the issue is certainly not originating from the FortiGate.
12-16-2023 11:32 AM
Can you share a packet tracer of this S2S VPN (please add detail to your packet tracer)?
MHM
12-16-2023 11:52 AM
Alright, so you're asking me to ping from a host located behind the FTD to another host situated behind the FortiGate using FTD packet tracer, correct?
12-16-2023 12:15 PM
Don't use ping; use TCP traffic in packet tracer.
MHM
12-16-2023 12:51 PM
I'm not sure if this is what you're after; see below, it is allowed. There is an option in the FTD packet tracer called "Treat the simulated packet as an IPsec/SSL VPN decrypted packet". Shall I use it?
Packet Tracer TCP
Interface: Ethernet1/11.216
VLAN ID:
Protocol: TCP
Source Type: IPv4
Source IP value: 10.10.216.5
Source Port: ssh
Source SPI:
Destination Type: IPv4
Destination IP value: 10.11.20.51
Destination port: ssh
Inline Tag:
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: false
Select Device: IC-FTD02
Run trace on all cluster members: false
Device details
Name: IC-FTD02
ID: 5322b646-feb8-11ed-b585-fec3381dfb76
Type: Device
Phase 1
ID: 1
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information: Input route lookup returned ifc outside-melita1 is not same as existing ifc outside-goplc1
Doing adjacency lookup on existing ifc outside-goplc1
Elapsed Time: 52736 ns
Phase 2
ID: 2
Type: ECMP load balancing
Result: ALLOW
Config:
Additional Information: ECMP load balancing
Found next-hop 10.11.255.6 using egress ifc outside-goplc1(vrfid:0)
Elapsed Time: 3072 ns
Phase 3
ID: 3
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config: route-map FMC_GENERATED_PBR_1699202772888 permit 5 match ip address ic-dmz-vps-outbound set interface outside-goplc1 outside-melita1
Additional Information: Matched route-map FMC_GENERATED_PBR_1699202772888, sequence 5, permit Found next-hop 10.11.255.6 using egress ifc outside-goplc1
Elapsed Time: 512 ns
Phase 4
ID: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config: nat (ic-dmz-vps,outside-goplc1) source static ic-dmz-vps-subnet ic-dmz-vps-subnet destination static ic-gaming-subnet ic-gaming-subnet no-proxy-arp route-lookup
Additional Information: NAT divert to egress interface outside-goplc1(vrfid:0)
Untranslate 10.11.20.51/22 to 10.11.20.51/22
Elapsed Time: 3072 ns
Phase 5
ID: 5
Type: OBJECT_GROUP_SEARCH
Result: ALLOW
Config:
Additional Information: Source Object Group Match Count: 4 Destination Object Group Match Count: 3 Object Group Search: 12
Elapsed Time: 0 ns
Phase 6
ID: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268435456
access-list CSM_FW_ACL_ remark rule-id 268435456: ACCESS POLICY: IC-Security-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435456: L7 RULE: [WAN] Block Bad URLs
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Forward Flow based lookup yields rule: in id=0x1519782cdcb0, priority=12, domain=permit, deny=false hits=16177306, user_data=0x15195f9bbe40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any,, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 307 ns
Phase 7
ID: 7
Type: CONN-SETTINGS
Result: ALLOW
Config: class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x15197c398330, priority=7, domain=conn-set, deny=false hits=2998329, user_data=0x15197adacf40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=any
Elapsed Time: 307 ns
Phase 8
ID: 8
Type: NAT
Result: ALLOW
Config: nat (ic-dmz-vps,outside-goplc1) source static ic-dmz-vps-subnet ic-dmz-vps-subnet destination static ic-gaming-subnet ic-gaming-subnet no-proxy-arp route-lookup
Additional Information: Static translate 10.10.216.5/22 to 10.10.216.5/22 Forward Flow based lookup yields rule: in id=0x15197a80fef0, priority=6, domain=nat, deny=false hits=5100, user_data=0x15197d6aa880, cs_id=0x0, flags=0x0, protocol=0 src ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any dst ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=outside-goplc1(vrfid:0)
Elapsed Time: 307 ns
Phase 9
ID: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x151974e57be0, priority=0, domain=nat-per-session, deny=false hits=79536255, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 307 ns
Phase 10
ID: 10
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x15197d712dc0, priority=0, domain=inspect-ip-options, deny=true hits=4525844, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=any
Elapsed Time: 307 ns
Phase 11
ID: 11
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x151979ad18b0, priority=20, domain=lu, deny=false hits=164962, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=any
Elapsed Time: 24064 ns
Phase 12
ID: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: out id=0x1519782db330, priority=70, domain=encrypt, deny=false hits=913, user_data=0xb9e8944, cs_id=0x15197e3dd7f0, reverse, flags=0x0, protocol=0 src ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any dst ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any(vrfid:65535), output_ifc=outside-goplc1
Elapsed Time: 11264 ns
Phase 13
ID: 13
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config: nat (ic-dmz-vps,outside-goplc1) source static ic-dmz-vps-subnet ic-dmz-vps-subnet destination static ic-gaming-subnet ic-gaming-subnet no-proxy-arp route-lookup
Additional Information: Forward Flow based lookup yields rule: out id=0x15197fa4e2f0, priority=6, domain=nat-reverse, deny=false hits=5101, user_data=0x15197ceb6ee0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any dst ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=ic-dmz-vps(vrfid:0), output_ifc=outside-goplc1(vrfid:0)
Elapsed Time: 2560 ns
Phase 14
ID: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x151978399960, priority=70, domain=ipsec-tunnel-flow, deny=false hits=912, user_data=0xb9eaadc, cs_id=0x15197e3dd7f0, reverse, flags=0x0, protocol=0 src ip/id=10.11.20.0, mask=255.255.255.0, port=0, tag=any dst ip/id=10.10.216.0, mask=255.255.255.240, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=outside-goplc1(vrfid:0), output_ifc=any
Elapsed Time: 33280 ns
Phase 15
ID: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x151974e57be0, priority=0, domain=nat-per-session, deny=false hits=79536257, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 2048 ns
Phase 16
ID: 16
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x151976c8c5f0, priority=0, domain=inspect-ip-options, deny=true hits=11711493, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=outside-goplc1(vrfid:0), output_ifc=any
Elapsed Time: 512 ns
Phase 17
ID: 17
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 200408611, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Elapsed Time: 18432 ns
Phase 18
ID: 18
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 45056 ns
Phase 19
ID: 19
Type: SNORT
Subtype: appid
Result: ALLOW
Config:
Additional Information: service: (0), client: (0), payload: (0), misc: (0)
Elapsed Time: 14700 ns
Phase 20
ID: 20
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 2, Rule ID 268435623
Additional Information: Starting rule matching, zone 1 -> 5, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268435623 - Allow
Elapsed Time: 239154 ns
Result
Input Interface: ic-dmz-vps(vrfid:0)
Input Status: up
Input Line Status: up
Output Interface: outside-goplc1(vrfid:0)
Output Status: up
Output Line Status: up
Action: allow
Time Taken: 451997 ns
12-16-2023 01:28 PM
There is a PBR that directs your traffic to outside-goplc1?
Is this the interface you use for the S2S?
MHM
12-17-2023 01:26 AM
Yes, sir, that is indeed the interface utilized for the IPSEC tunnel. The 10.10.216.0/28 DMZ originates from this external interface. There is a Policy-Based Routing (PBR) in place to facilitate the passage of this traffic, along with a dynamic NAT.
12-17-2023 02:58 AM
1- In Advanced Troubleshooting -> edit/add capture (capture the IPsec traffic)
Note: make the trace count 2
2- Advanced Troubleshooting -> capture w/trace
Share the output you get
3- show vpn-sessiondb l2l
Check if IPsec is using 4500 as the port or not; 4500 means the IPsec NAT-T is OK.
4- Check if the modem opens port 4500
MHM
12-17-2023 05:40 AM
1. Trace Count 2 - Done (see below)
2. Where is the advanced capture trace in FMC?
3. show vpn-sessiondb l2l - Done (see below)
4. Port 4500 on the modem is open
---------------------------------------------------------------------------------------------------------------
Trace Count 2
---------------------------------------------------------------------------------------------------------------
7 packets captured
1: 13:29:58.466040 802.1Q vlan#216 P0 10.11.20.51 > 10.10.216.5 icmp: echo request
2: 13:29:58.466116 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 8960 ns
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 8960 ns
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 3072 ns
Config:
Additional Information:
Found flow with id 203715875, using existing flow
Phase: 4
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 20992 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 5
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 5754 ns
Config:
Additional Information:
service: ICMP(3501), client: (0), payload: (0), misc: (0)
Phase: 6
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 46386 ns
Config:
Network 0, Inspection 0, Detection 3, Rule ID 268435623
Additional Information:
Starting rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268435623 - Allow
Result:
input-interface: ic-dmz-vps(vrfid:0)
input-status: up
input-line-status: up
Action: allow
Time Taken: 94124 ns
3: 13:29:59.490209 802.1Q vlan#216 P0 10.11.20.51 > 10.10.216.5 icmp: echo request
4: 13:29:59.490300 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 9216 ns
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 9216 ns
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Elapsed time: 2560 ns
Config:
Additional Information:
Found flow with id 203716025, using existing flow
Phase: 4
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 15872 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 5
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 5920 ns
Config:
Additional Information:
service: ICMP(3501), client: (0), payload: (0), misc: (0)
Phase: 6
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 48648 ns
Config:
Network 0, Inspection 0, Detection 3, Rule ID 268435623
Additional Information:
Starting rule matching, zone 5 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268435623 - Allow
Result:
input-interface: ic-dmz-vps(vrfid:0)
input-status: up
input-line-status: up
Action: allow
Time Taken: 91432 ns
5: 13:29:59.963634 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo request
6: 13:30:00.514148 802.1Q vlan#216 P0 10.11.20.51 > 10.10.216.5 icmp: echo request
7: 13:30:00.514240 802.1Q vlan#216 P0 10.10.216.5 > 10.11.20.51 icmp: echo reply
7 packets shown
---------------------------------------------------------------------------------------------------------------
Show vpn-sessiondb detail l2l
---------------------------------------------------------------------------------------------------------------
Connection : 195.158.86.175
Index : 192062 IP Addr : 195.158.86.175
Protocol : IKEv2 IPsecOverNatT
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256
Hashing : IKEv2: (1)SHA256 IPsecOverNatT: (1)SHA256
Bytes Tx : 65208 Bytes Rx : 81240
Login Time : 13:23:23 UTC Sun Dec 17 2023
Duration : 0h:11m:34s
Tunnel Zone : 0
12-17-2023 07:27 AM
All config is correct; there is nothing I can see wrong.
But don't use the bidirectional type; let's check it also.
The Forti must use the same SPI as the FPR:
dec: spi=8e3faaa1 esp=aes key=32 8d96bdf6bd394779a9049923ec95ba5ec31ff148eaf4ae93f4d49636d47c39a6
ah=sha256 key=32 fac1966f56b065a08456e5ff0ff6869676728eb0589df65ea417a4811532ee71
enc: spi=0719df97 esp=aes key=32 5f8e16550d144f87eef61b5a7128311e00a197cadf5d0d839d2300fc6d791465
ah=sha256 key=32 4e6bcac979645cd39cff10676468912378773c8edc5cda02b40aa890b523c4e9
Can you double-check whether both sides use the same SPI or not?
Thanks
MHM
12-17-2023 10:04 AM
On the FTD it is not "Bidirectional", it's "Originate only"; this is the only service that initiates the tunnel to become active.
But I have different SPIs:
---------------------------------------------------------------------------------------------------------------
Fortigate
---------------------------------------------------------------------------------------------------------------
name: 'Headoffice'
auto-negotiate: disable
mode: tunnel
src: 0:10.11.20.0/255.255.255.0:0
dst: 0:10.10.216.0/255.255.255.240:0
SA
lifetime/rekey: 28800/11923
mtu: 1422
tx-esp-seq: 39c4
replay: disabled
qat: 0
inbound
spi: 8e3fabe9
enc: aes-cb 385c68a28087db3870b8fe5af87cb2f984b551ec17db610da7bad64713f733f7
auth: sha256 cd15def4bbe4dc983acd896cfef44f36b7b41799e52647babcf7b14f8cce8ea2
outbound
spi: 08d85c14
enc: aes-cb 47bbcfdbb6e004683ea367274f12641a39a63cf2530dbdc7aa2eb32085d68e5f
auth: sha256 2e7eec8256e3c8ef6db36847f42a44948c3190eb701f8b1913903c6fe98a4410
NPU acceleration: none
12-17-2023 10:11 AM
outbound
spi: 08d85c14
The outbound SPI of the Forti is the decap of the FTD; is it the same?
For the inbound of the Forti it can be different, and if that is correct then this is the issue here.
MHM
12-17-2023 10:20 AM
Sorry, they are the same, I checked on the FTD as well.
--------------------------------------------------------------------------------------------------------------
FTD
--------------------------------------------------------------------------------------------------------------
local crypto endpt.: 10.11.255.5/4500, remote crypto endpt.: 195.158.86.175/4500
path mtu 1452, ipsec overhead 86(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 8E3FABE9
current inbound spi : 08D85C14
--------------------------------------------------------------------------------------------------------------
FORTIGATE
--------------------------------------------------------------------------------------------------------------
spi: 8e3fabe9
enc: aes-cb 385c68a28087db3870b8fe5af87cb2f984b551ec17db610da7bad64713f733f7
auth: sha256 cd15def4bbe4dc983acd896cfef44f36b7b41799e52647babcf7b14f8cce8ea2
outbound
spi: 08d85c14
enc: aes-cb 47bbcfdbb6e004683ea367274f12641a39a63cf2530dbdc7aa2eb32085d68e5f
auth: sha256 2e7eec8256e3c8ef6db36847f42a44948c3190eb701f8b1913903c6fe98a4410
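The SPI and counter comparison the thread walks through by hand, as an added example (not from the thread, Cisco or Fortinet): a Python script that parses excerpts of the FTD "show crypto ipsec sa" and FortiGate "diagnose vpn tunnel list" output, confirms that each side's outbound SPI is the other side's inbound SPI and that both see the peer on UDP/4500, and flags the counter asymmetry (FTD encaps > 0 while FortiGate rxp = 0) that localises the loss to the FTD-to-FortiGate ESP direction. The embedded sample text is constructed from the excerpts posted above; the function names are my own.

```python
import re

# Sample input: constructed from the excerpts posted in this thread
# (FTD "show crypto ipsec sa" and FortiGate "diagnose vpn tunnel list").
FTD_SA = """\
local crypto endpt.: 10.11.255.5/4500, remote crypto endpt.: 195.158.86.175/4500
#pkts encaps: 7935, #pkts encrypt: 7935, #pkts digest: 7935
#pkts decaps: 6696, #pkts decrypt: 6696, #pkts verify: 6696
current outbound spi: 8E3FABE9
current inbound spi : 08D85C14
"""

FORTI_SA = """\
stat: rxp=0 txp=28837 rxb=0 txb=2420988
natt: mode=keepalive draft=0 interval=10 remote_port=4500
inbound
spi: 8e3fabe9
outbound
spi: 08d85c14
"""

def _grab(pattern, text):
    """First capture group of pattern in text (case-insensitive), or None."""
    m = re.search(pattern, text, re.I)
    return m.group(1) if m else None

def parse_ftd(text):
    """SPIs, ESP packet counters and remote NAT-T port from FTD output."""
    return {
        "outbound_spi": _grab(r"current outbound spi\s*:\s*([0-9a-f]+)", text).lower(),
        "inbound_spi": _grab(r"current inbound spi\s*:\s*([0-9a-f]+)", text).lower(),
        "encaps": int(_grab(r"#pkts encaps:\s*(\d+)", text)),
        "decaps": int(_grab(r"#pkts decaps:\s*(\d+)", text)),
        "remote_port": int(_grab(r"remote crypto endpt\.:\s*[\d.]+/(\d+)", text)),
    }

def parse_forti(text):
    """SPIs, rx/tx packet counters and NAT-T port from FortiGate output."""
    return {
        "inbound_spi": _grab(r"inbound\s*\n\s*spi:\s*([0-9a-f]+)", text).lower(),
        "outbound_spi": _grab(r"outbound\s*\n\s*spi:\s*([0-9a-f]+)", text).lower(),
        "rxp": int(_grab(r"\brxp=(\d+)", text)),
        "txp": int(_grab(r"\btxp=(\d+)", text)),
        "remote_port": int(_grab(r"remote_port=(\d+)", text)),
    }

def cross_check(ftd, forti):
    """Compare both SA views; return a list of findings (empty means consistent)."""
    findings = []
    # Each side's outbound SPI must be the other side's inbound SPI.
    if ftd["outbound_spi"] != forti["inbound_spi"]:
        findings.append(f"SPI mismatch FTD->FortiGate: {ftd['outbound_spi']} vs {forti['inbound_spi']}")
    if ftd["inbound_spi"] != forti["outbound_spi"]:
        findings.append(f"SPI mismatch FortiGate->FTD: {ftd['inbound_spi']} vs {forti['outbound_spi']}")
    # With NAT-T both sides should see the peer on UDP/4500.
    if ftd["remote_port"] != 4500 or forti["remote_port"] != 4500:
        findings.append(f"NAT-T port disagreement: FTD {ftd['remote_port']}, FortiGate {forti['remote_port']}")
    # What one side encapsulates the other should decapsulate; a zero on the
    # receiving side localises the direction in which ESP is being lost.
    if ftd["encaps"] > 0 and forti["rxp"] == 0:
        findings.append(f"FTD encapsulated {ftd['encaps']} packets but FortiGate received none (rxp=0)")
    if forti["txp"] > 0 and ftd["decaps"] == 0:
        findings.append(f"FortiGate sent {forti['txp']} packets but FTD decapsulated none")
    return findings
```

Running cross_check(parse_ftd(FTD_SA), parse_forti(FORTI_SA)) on the sample returns a single finding, the FTD-to-FortiGate counter asymmetry, with SPIs and NAT-T ports consistent.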