Re: Site 2 Site Between Cisco FTD and Fortigate

dissai · ‎07-22-2024

Hello Technical Team,

I'm facing challenge with bring up tunnel between Cisco ftd and FortiGate firewall. Phase 1 is coming up on Cisco side but phase 2 is not coming up for unknown reason. All setting are correct between the firewall. Kindly assist.

Karsten Iwen · ‎07-22-2024

If everything would be correct, it likely would work ...

Start with debugging the IKE connection to the Fortigate. Likely the debug will show the problem:

> debug crypto condition peer IP-OF-PEER
! enable ikev1 or ikev2 depending on what you use
> debug crypto ikev1 100
> debug crypto ikev2 protocol 100
> system support diagnostic-cli

Sheraz.Salim · ‎07-22-2024

can you put the debug on your FTD and on the fortigate in order to get this issue fixed. On FTD login into ssh and give these commands.I assume you running ikev2.

debug crypto condition peer x.x.x.x
debug crypto ikev2
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
!
capture IKE type ikev2 interface outside
(OR)
capture VPN type isakmp interface outside match ip host x.x.x.x host y.y.y.y
!
copy /pcap capture:IKE tftp://<TFTP SERVER IP>

also share your firewall vpn configurations.

Side Note. If you do not know how to login to CLISH mode on FTD Here Is your FTD is Managed by FMC or its an Standalone appliance?

As you Phase 2 not coming up here are some reference documents Phase2

also can you do a packer tracer from your firewall FTD local source network and destination remote network and show the output.

please do not forget to rate.

MHM Cisco World · ‎07-22-2024

Share

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

MHM