12-24-2017 07:39 AM - edited 03-12-2019 04:51 AM
Hi Team,
I am facing an issue with a VPN between a FortiGate and a Cisco ASA. I find that the MSG2 message is being retried again and again, but sometimes the tunnel comes up and then goes down within some time.
Dec 17 17:42:50 [IKEv1 DEBUG]: IP = 94.200.25.154, constructing Fragmentation VID + extended capabilities payload
Dec 17 17:42:50 [IKEv1]: IP = 94.200.25.154, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:42:58 [IKEv1]: IP = 94.200.25.154, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:43:06 [IKEv1]: IP = 94.200.25.154, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:43:14 [IKEv1]: IP = 94.200.25.154, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Configuration as below:
access-list outside_1_cryptomap extended permit ip 10.10.60.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.100.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.6.0 255.255.255.0 10.1.1.0 255.255.255.0
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 94.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Outside_map 1 set nat-t-disable
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
!
!
tunnel-group 94.x.x.x type ipsec-l2l
tunnel-group 94.x.x.x ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
----------------------------
And at the other end (FortiGate site) I am getting the following:
2017-12-17 04:48:10.655006 ike 0:Cario-ASA:8568: initiator: main mode is sending 1st message... >>>>Fortigate sending first msg
2017-12-17 04:48:23.798276 ike 0: comes 196.x.x.x:500->94.x,x,x:500,ifindex=7.... >>>Got second msg from cisco
2017-12-17 04:48:23.799401 ike 0:Cario-ASA:8569: sent IKE msg (ident_r1send): 94.x.x.x:500->196.x.x.x:500, len=188, id=a3a6f383fee4b5f7/370842f2674124db >>Accepted cisco's proposal and sending 3rd message
2017-12-17 04:48:28.675213 ike 0:Cario-ASA:8568: sent IKE msg (P1_RETRANSMIT): 94.x.x.x:500->196.x.x.x:500, len=288, id=14bf35f4aa8fe26d/0000000000000000
2017-12-17 04:48:29.805189 ike 0:Cario-ASA:8569: sent IKE msg (P1_RETRANSMIT): 94.x.x..x:500->196.x.x.x:500, len=188, id=a3a6f383fee4b5f7/370842f2674124db
2017-12-17 04:48:31.789685 ike 0:Cario-ASA:8569: retransmission, re-send last message
2017-12-17 04:48:40.674973 ike 0:Cario-ASA:8568: negotiation timeout, deleting
>FortiGate didn't receive a reply from the remote end and hence is sending retransmission messages. Then the negotiation times out and hence the tunnel is deleted.
Please help me to troubleshoot the issue.
Thanks,
Deepak Kumar
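The crypto map section of the config above has one detail that is easy to miss by eye: the `set nat-t-disable` line is written under `Outside_map` (capital O), while only `outside_map` is applied to the outside interface. The following script is an added example, not part of the original post and not a Cisco tool: it parses the crypto map, interface binding and tunnel-group lines of an ASA config and reports maps that are not applied to any interface, names that differ only in case, `nat-t-disable` entries, and peers with no matching `ipsec-l2l` tunnel-group. The sample config embedded in it is a constructed, condensed copy of the lines posted above.

```python
import re

# Constructed sample: the crypto-map and tunnel-group lines from the ASA config
# posted above, condensed (peer address kept as the post's redacted 94.x.x.x).
SAMPLE_CONFIG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 94.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Outside_map 1 set nat-t-disable
crypto isakmp enable outside
tunnel-group 94.x.x.x type ipsec-l2l
"""

MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
TUNNEL_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse_crypto_config(config):
    """Collect crypto map entries, interface bindings and L2L tunnel-groups."""
    entries = {}    # map name -> list of (sequence number, action text)
    bindings = {}   # map name -> interface it is applied to
    tunnel_groups = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_BIND.match(line):
            bindings[m.group(1)] = m.group(2)
        elif m := MAP_ENTRY.match(line):
            entries.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
        elif m := TUNNEL_GROUP.match(line):
            tunnel_groups.add(m.group(1))
    return entries, bindings, tunnel_groups


def lint_crypto_config(config):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entries, bindings, tunnel_groups = parse_crypto_config(config)
    findings = []
    for name, items in entries.items():
        if name not in bindings:
            # Entries under a map that is never applied to an interface do nothing.
            findings.append(f"crypto map '{name}' is not applied to any interface")
            for bound in bindings:
                if bound != name and bound.lower() == name.lower():
                    findings.append(f"crypto map '{name}' differs only in case from '{bound}' (likely a typo)")
        for seq, action in items:
            if "nat-t-disable" in action:
                findings.append(f"crypto map '{name}' seq {seq} disables NAT-T for its peer")
            if m := re.match(r"set peer (\S+)", action):
                if m.group(1) not in tunnel_groups:
                    findings.append(f"peer {m.group(1)} in '{name}' seq {seq} has no ipsec-l2l tunnel-group")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings, all about `Outside_map`; against a config where every map is bound and every peer has a tunnel-group it returns an empty list. The parser only understands the line shapes shown in this thread, so anything else in a full `show running-config` is ignored rather than misread.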
12-26-2017 05:30 AM
Hello @Deepak Kumar,
You need to check what is happening with the packets when you are trying to build the VPN tunnel; you need to place a capture on the outside in order to verify if the traffic is bidirectional. Probably you will need to talk with your ISP and verify what is happening with the traffic. As per Shankar Mural, so far the ASA is not checking the PSK, so don't worry about it just yet.
This is a link for reference: https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/
HTH
Gio
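The point of the capture Gio asks for is to tell a silent peer from a mismatched one: the ASA log in the first post shows one SENDING of msgid=0 followed by RESENDING with nothing RECEIVED, which is a path problem, not a proposal or PSK problem. The script below is an added example, not Gio's or Cisco's tooling: it reads `debug crypto ikev1` lines in the format shown in the post, counts first sends, retransmits and received messages per peer for msgid=0, and classifies each peer. The embedded log is constructed and uses RFC 5737 documentation addresses in place of the addresses in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ASA "debug crypto ikev1" lines in the first post;
# peer addresses are RFC 5737 documentation addresses, not the ones in the thread.
SAMPLE_ASA_LOG = """\
Dec 17 17:42:50 [IKEv1]: IP = 198.51.100.25, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:42:58 [IKEv1]: IP = 198.51.100.25, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:43:06 [IKEv1]: IP = 198.51.100.25, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:43:14 [IKEv1]: IP = 198.51.100.25, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:50:01 [IKEv1]: IP = 203.0.113.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 120
Dec 17 17:50:02 [IKEv1]: IP = 203.0.113.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 120
"""

# Directions as the ASA prints them: SENDING (first attempt), RESENDING (retry), RECEIVED (from peer).
ASA_IKE = re.compile(
    r"IP = (?P<peer>[0-9.]+), IKE_DECODE (?P<dir>SENDING|RESENDING|RECEIVED) "
    r"Message \(msgid=(?P<msgid>[0-9a-fA-F]+)\)"
)


def count_ike_messages(log):
    """Per peer, count first sends, retransmissions and received messages for msgid=0 (phase 1)."""
    stats = defaultdict(lambda: {"sent": 0, "resent": 0, "received": 0})
    for line in log.splitlines():
        m = ASA_IKE.search(line)
        if not m or m["msgid"] != "0":
            continue
        key = {"SENDING": "sent", "RESENDING": "resent", "RECEIVED": "received"}[m["dir"]]
        stats[m["peer"]][key] += 1
    return dict(stats)


def diagnose_phase1(log, resend_threshold=2):
    """Classify each peer as silent (one-way traffic), undecided, or responding."""
    verdicts = {}
    for peer, s in count_ike_messages(log).items():
        if s["received"] == 0 and s["resent"] >= resend_threshold:
            # Main mode message 1 carries only the SA proposal; the PSK is not used
            # until later, so a silent peer here is a reachability/NAT/ISP question.
            verdicts[peer] = (
                "silent: no reply after %d retransmits, verify UDP/500 and UDP/4500 "
                "reach the peer in both directions" % s["resent"]
            )
        elif s["received"] == 0:
            verdicts[peer] = "undecided: no reply yet, too few retransmits to conclude"
        else:
            verdicts[peer] = "responding: phase 1 reached the peer, look further along the exchange"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose_phase1(SAMPLE_ASA_LOG).items():
        print(peer, "->", verdict)
```

On the sample the first peer is classified as silent after three retransmits and the second as responding. The threshold is a parameter because a single RESENDING can be an ordinary lost packet; several in a row with nothing received is the pattern worth taking to a capture or to the ISP.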
03-26-2018 06:38 AM
Hi,
Thanks all for your suggestions and for helping me find the root cause. I found that traffic was being dropped at the ADSL modem (Cisco ASA site). We booked a call with the ISP and they changed the modem. Now the issue is resolved.
Regards,
Deepak Kumar
12-26-2017 02:21 AM
Please check whether the pre-shared key is configured correctly on both ends, and also that the DH version is the same on both nodes.
-Shankar
12-26-2017 06:43 PM
Yes, it's the same... Sometimes the VPN will come up and work fine, but after a few minutes it will go down again.
12-26-2017 06:37 PM
Hi,
Thanks for your reply. My ASA is behind NAT (an ADSL modem); I port-forwarded to the ASA for IPsec and also tried making it the DMZ host with all services. A few days ago this VPN was working fine between a Cisco ASA and another ASA, but at one location we replaced it with a FortiGate device.
Thanks,
Deepak Kumar
01-27-2018 07:35 AM
Hi,
I found that when the ASA sends a packet on port 4500 to the FortiGate device, the VPN connects and works fine. But sometimes the ASA will send the packet on port 500, and then the VPN will succeed.
Please guide me on how to force my ASA, which is behind NAT, to send the packet on UDP port 4500.
Regards,
Deepak Kumar