02-12-2020 08:40 AM
I used this script to enable the VPN (2.2.2.2) on the ASA
access-list outside_cryptomap_1 line 1 extended permit ip 192.168.55.0 255.255.255.0 object object_name
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev2 ikev1
exit
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key ********
ikev2 local-authentication pre-shared-key ********
ikev2 remote-authentication pre-shared-key *********
isakmp keepalive threshold 10 retry 2
crypto map Outside_map 2 match address outside_cryptomap_1
crypto map Outside_map 2 set peer 1.1.1.1
crypto map Outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES
nat (inside,outside) 29 source static NETWORK_OBJ_192.168.55.0_24 NETWORK_OBJ_192.168.55.0_24 destination static object-name object-name no-proxy-arp route-lookup
I converted the FortiGate (1.1.1.1) to a custom tunnel to match IKE policies. I get the following from debug on FG
ike 0: IKEv1 exchange=Informational id=44b6517e286499bc/626b3f3907ed48bc:d60283a0 len=92
ike 0: in 44B6517E286499BC626B3F3907ED48BC08100501D60283A00000005CDCB5DAF5E814F47913ECA0EED466265CF73E88E5D99141D9A7EF88B6C1A8DAEB8ECAA6246EE9F2D46611D8C8492683FF976B357A69588DED29CC3739C947F783
ike 0:IMMtoCAB:33: dec 44B6517E286499BC626B3F3907ED48BC08100501D60283A00000005C0B00001880BE83C125C05A02533FA800865643AF0357CF78000000200000000101108D2844B6517E286499BC626B3F3907ED48BC7BC70BF60000000000000000
ike 0:IMMtoCAB:33: notify msg received: R-U-THERE
ike 0:IMMtoCAB:33: enc 44B6517E286499BC626B3F3907ED48BC08100501FEB1096E000000540B00001848767199159B516C97D9BB83A959702482744D87000000200000000101108D2944B6517E286499BC626B3F3907ED48BC7BC70BF6
ike 0:IMMtoCAB:33: out 44B6517E286499BC626B3F3907ED48BC08100501FEB1096E0000005C4F4469FC9506CEAE9A9AFE78C42406042819C6F19A8B38200898B9DDFFD61AB60FBAEEDEB02AEEDD2BFF2F906ADD28E59C6D3E6BAD2D81D0ED839586A875E287
ike 0:IMMtoCAB:33: sent IKE msg (R-U-THERE-ACK): 1.1.1.1->2.2.2.2:500, len=92, id=44b6517e286499bc/626b3f3907ed48bc:feb1096e
ike 0: IKEv1 exchange=Informational id=44b6517e286499bc/626b3f3907ed48bc:0e167505 len=92
ike 0: in 44B6517E286499BC626B3F3907ED48BC081005010E1675050000005C94FD30639CA487AE6A04A0CEC2361AEB34230C270EA5E46F10CB22B8E658E1757BF9B20861C097D3D6F42E59B0D80560FD8C2CB558A9B7B96EA781A639C8B42D
ike 0:IMMtoCAB:33: dec 44B6517E286499BC626B3F3907ED48BC081005010E1675050000005C0B0000180CE87A437A13C830711E4871DAB6FCBCA93B2422000000200000000101108D2844B6517E286499BC626B3F3907ED48BC7BC70BF70000000000000000
ike 0:IMMtoCAB:33: notify msg received: R-U-THERE
ike 0:IMMtoCAB:33: enc 44B6517E286499BC626B3F3907ED48BC081005019719ADDC000000540B000018D013BF129BC7102AE1875EFC335B85AB58F33D52000000200000000101108D2944B6517E286499BC626B3F3907ED48BC7BC70BF7
ike 0:IMMtoCAB:33: out 44B6517E286499BC626B3F3907ED48BC081005019719ADDC0000005C1AE43F52CD7E0B88A745EC53F2F463484290FB25CEE2F8C3E0A1240D9BDCE0E35E48C84369861E4C952869907DE578CF319A463ED78A44602BBC365FFEED3DD1
ike 0:IMMtoCAB:33: sent IKE msg (R-U-THERE-ACK): 1.1.1.1->2.2.2.2:500, len=92, id=44b6517e286499bc/626b3f3907ed48bc:9719addc
And this from the ASA debug
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f50d7d440a0, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0x7f50d7f8ee90, reverse, flags=0x0, protocol=0
src ip/id=192.168.55.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.50.200.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005619cb70444a flow (need-ike)/snp_sp_action_cb:1575
I get it says it's an ACL but I am not sure which one is blocking or needs to be added.
Relevant ACLs
access-list outside_cryptomap extended permit ip 192.168.55.0 255.255.255.0 object object-name
access-list outside_cryptomap_1 extended permit ip 192.168.55.0 255.255.255.0 object object-name
Let me know what other info I can provide
02-12-2020 11:27 AM
A few issues I uncovered
-incorrect source interfaces for nat statements on the ASA
-incomplete access-lists on ASA
-mismatched P1 settings incorrect
VPN tunnel is up
02-12-2020 08:53 AM
02-12-2020 09:29 AM
Tunnel is now up, the P1 settings were mismatched, but traffic is not flowing
29 (inside) to (outside) source static NETWORK_OBJ_192.168.55.0_24 NETWORK_OBJ_192.168.55.0_24 destination static IMM-DC IMM-DC no-proxy-arp route-lookup
translate_hits = 3, untranslate_hits = 3
Source - Origin: 192.168.55.0/24, Translated: 192.168.55.0/24
Destination - Origin: 10.50.200.0/24, Translated: 10.50.200.0/24
02-12-2020 09:36 AM