Re: VPN ASA and Fortinet

Ronnie Billate · ‎09-04-2019

Hi Everyone,

We're having trouble troubleshooting the site to site with Fortinet and ASA. Our firewall is ASA ASA5525.
Few days ago we observed that the tunnel very often to went down, even we refreshed the tunnel it won't bring up.
And we need to initiate a traffic behind of our firewall ASA to lan (Tx Increment while Rx doens't increment) to behind of fortinet, after it a few seconds the tunnel will goes up.

As follows is our phase 1 policy

crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

Questions :

I would like to understand why the tunnel always went down and we need to initiate a traffic behind us? and
We don't see any problem with other site to site.

(Tx Increment while Rx doens't increment) As we initiate we're sending traffic that's why Tx incremented and why we're not receiving it? the fortinet doesn't responding to us? (that's why the Rx doesn't incrementing) and after the initiating from us ASA proposed a policy 1 the tunnel will goes up again?

Regards,
Ron

Mohammed al Baqari · ‎09-04-2019

Check that your ACLs are mirrored between fortinet and asa. Seems that the
mask of one side is larger than the other.

Also, check the timers at both end (lifetime and ide) and SA timers to
match.

***** remember to rate useful posts

Ronnie Billate · ‎09-04-2019

I have check the ACL both ends were the same.

The life is the below right ?

crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

how can i see the idle time?