VPN between Cisco ASA 8.4.2 and Fortigate Issue

Deepak Kumar (Advocate)

Hi Team,

I am facing an issue with a VPN between a FortiGate and a Cisco ASA. I find that the MSG2 message is retrying again and again, but sometimes the tunnel comes up and then goes down after some time.

Dec 17 17:42:50 [IKEv1 DEBUG]: IP = 94.200.25.154, constructing Fragmentation VID + extended capabilities payload
Dec 17 17:42:50 [IKEv1]: IP = 94.200.25.154, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:42:58 [IKEv1]: IP = 94.200.25.154, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:43:06 [IKEv1]: IP = 94.200.25.154, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:43:14 [IKEv1]: IP = 94.200.25.154, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128

Configuration as below:

access-list outside_1_cryptomap extended permit ip 10.10.60.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.100.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.6.0 255.255.255.0 10.1.1.0 255.255.255.0

!

!

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 94.x.x.x 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Outside_map 1 set nat-t-disable
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

!

!

!

tunnel-group 94.x.x.x type ipsec-l2l
tunnel-group 94.x.x.x ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!

----------------------------

And at the other end (FortiGate site) I am getting the following:

2017-12-17 04:48:10.655006 ike 0:Cario-ASA:8568: initiator: main mode is sending 1st message... >>>>Fortigate sending first msg

2017-12-17 04:48:23.798276 ike 0: comes 196.x.x.x:500->94.x.x.x:500,ifindex=7.... >>>Got second msg from cisco

2017-12-17 04:48:23.799401 ike 0:Cario-ASA:8569: sent IKE msg (ident_r1send): 94.x.x.x:500->196.x.x.x:500, len=188, id=a3a6f383fee4b5f7/370842f2674124db >>Accepted cisco's proposal and sending 3rd message

2017-12-17 04:48:28.675213 ike 0:Cario-ASA:8568: sent IKE msg (P1_RETRANSMIT): 94.x.x.x:500->196.x.x.x:500, len=288, id=14bf35f4aa8fe26d/0000000000000000

2017-12-17 04:48:29.805189 ike 0:Cario-ASA:8569: sent IKE msg (P1_RETRANSMIT): 94.x.x.x:500->196.x.x.x:500, len=188, id=a3a6f383fee4b5f7/370842f2674124db

2017-12-17 04:48:31.789685 ike 0:Cario-ASA:8569: retransmission, re-send last message

2017-12-17 04:48:40.674973 ike 0:Cario-ASA:8568: negotiation timeout, deleting

> The FortiGate didn't receive a reply from the remote end and hence keeps sending retransmissions. Then the negotiation times out and the tunnel is deleted.

Please help me to troubleshoot the issue.

Thanks,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
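Read together, the two debug excerpts above already locate the fault. The ASA keeps RESENDING its first main-mode message (msgid=0, HDR + SA + VENDOR) and never logs a RECEIVED for phase 1; the FortiGate shows that message arriving ("comes 196.x.x.x:500->94.x.x.x:500"), answers it ("ident_r1send" is the responder's reply, MM2), then goes into P1_RETRANSMIT and times out, and its own initiator attempt (session 8568) is never answered either. Everything sent from the FortiGate towards the ASA is lost; the ASA's packets get through. The script below is an added example, not part of the original post and not ASA or FortiGate tooling: it parses the two log formats, counts the phase-1 events on each side and reports which direction of the UDP/500 path is dead. The log lines it embeds are constructed to mirror the ones in the post, with the public addresses replaced by placeholders (94.0.0.1 for the FortiGate, 196.0.0.1 for the ASA side).

```python
"""Correlate ASA IKEv1 debug output with FortiGate ike debug output to find
which direction of the IKE phase-1 path is dropping packets.
Added example; not from the post or either vendor."""
import re
from collections import Counter

# Constructed sample lines mirroring the post; addresses are placeholders
# (94.0.0.1 = FortiGate, 196.0.0.1 = public address in front of the ASA).
ASA_LOG = """\
Dec 17 17:42:50 [IKEv1]: IP = 94.0.0.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:42:58 [IKEv1]: IP = 94.0.0.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Dec 17 17:43:06 [IKEv1]: IP = 94.0.0.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
"""

FGT_LOG = """\
2017-12-17 04:48:10.655006 ike 0:Cario-ASA:8568: initiator: main mode is sending 1st message...
2017-12-17 04:48:23.798276 ike 0: comes 196.0.0.1:500->94.0.0.1:500,ifindex=7....
2017-12-17 04:48:23.799401 ike 0:Cario-ASA:8569: sent IKE msg (ident_r1send): 94.0.0.1:500->196.0.0.1:500, len=188, id=a3a6f383fee4b5f7/370842f2674124db
2017-12-17 04:48:28.675213 ike 0:Cario-ASA:8568: sent IKE msg (P1_RETRANSMIT): 94.0.0.1:500->196.0.0.1:500, len=288, id=14bf35f4aa8fe26d/0000000000000000
2017-12-17 04:48:29.805189 ike 0:Cario-ASA:8569: sent IKE msg (P1_RETRANSMIT): 94.0.0.1:500->196.0.0.1:500, len=188, id=a3a6f383fee4b5f7/370842f2674124db
2017-12-17 04:48:40.674973 ike 0:Cario-ASA:8568: negotiation timeout, deleting
"""

# ASA: SENDING / RESENDING / RECEIVED of a message, with its msgid (0 = phase 1).
ASA_RE = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message \(msgid=(\w+)\)")

# FortiGate ike debug events of interest.
FGT_EVENTS = {
    "inbound": re.compile(r"\bcomes \S+:\d+->"),     # a packet arrived from the peer
    "mm1_sent": re.compile(r"main mode is sending 1st message"),
    "mm2_sent": re.compile(r"\(ident_r1send\)"),     # responder's reply to MM1
    "retransmit": re.compile(r"\(P1_RETRANSMIT\)"),
    "timeout": re.compile(r"negotiation timeout"),
}


def asa_phase1_counts(log):
    """Count SENDING / RESENDING / RECEIVED for msgid=0 in ASA debug output."""
    counts = Counter()
    for verb, msgid in ASA_RE.findall(log):
        if msgid == "0":
            counts[verb.lower()] += 1
    return counts


def fgt_phase1_counts(log):
    """Count the FortiGate events named in FGT_EVENTS, one hit per line."""
    counts = Counter()
    for line in log.splitlines():
        for name, rx in FGT_EVENTS.items():
            if rx.search(line):
                counts[name] += 1
    return counts


def diagnose(asa_log, fgt_log):
    """Return a short verdict on where phase 1 is stalling."""
    asa = asa_phase1_counts(asa_log)
    fgt = fgt_phase1_counts(fgt_log)
    if asa["received"]:
        return "phase1-progressed"        # MM2 reached the ASA; not a transport problem
    if asa["sending"] and not fgt["inbound"]:
        return "forward-path-broken"      # ASA's MM1 never reaches the FortiGate
    if asa["sending"] and fgt["inbound"] and fgt["mm2_sent"] and fgt["retransmit"]:
        return "return-path-broken"       # FortiGate answers, ASA never sees the reply
    return "inconclusive"


if __name__ == "__main__":
    print(dict(asa_phase1_counts(ASA_LOG)))
    print(dict(fgt_phase1_counts(FGT_LOG)))
    print(diagnose(ASA_LOG, FGT_LOG))
```

A verdict of return-path-broken is exactly the case for the capture on the outside interface that GioGonza recommends in this thread: confirm on the ASA whether any UDP 500/4500 from the peer arrives at all, and if not, chase the device in front of the ASA (here the ADSL modem) and the ISP rather than the IKE policies or the pre-shared key, which cannot be at fault before MM2 has even been received.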
2 Accepted Solutions: the reply from GioGonza and the closing reply from Deepak Kumar, both below.

8 Replies

Shankar Murali (Beginner)

Please check whether the pre-shared key is configured correctly on both ends, and also that the DH version is the same on both nodes.

-Shankar

Yes, it's the same... Sometimes the VPN comes up and works fine, but after a few minutes it goes down again.

Regards,
Deepak Kumar

GioGonza (Enthusiast)

Hello @Deepak Kumar,

You need to check what is happening with the packets when you are trying to build the VPN tunnel; you need to place a capture on the outside in order to verify whether the traffic is bidirectional. Probably you will need to talk with your ISP and verify what is happening with the traffic. As per Shankar Murali, so far the ASA is not checking the PSK, so don't worry about it just yet.

This is a link for reference: https://www.tunnelsup.com/isakmp-ike-phase-1-status-messages/

HTH

Gio

Hi,

Thanks for your reply. My ASA is behind NAT (an ADSL modem); I port-forwarded IPsec to the ASA and also tried making it the DMZ host with all services. A few days ago this VPN was working fine between a Cisco ASA and another ASA, but at one location we replaced the ASA with a FortiGate device.

Thanks,

Deepak Kumar

Deepak Kumar (Advocate)

Hi,

I found that when the ASA sends the packet on port 4500 to the FortiGate device, the VPN connects and works fine. But sometimes the ASA sends the packet on port 500, and then the VPN fails.

Please guide me on how to force my ASA, which is behind NAT, to send the packet on UDP port 4500.

Regards,

Deepak Kumar

You can't force it. The ASA will detect NAT-T automatically during SA setup. If the ASA isn't sending on 4500, then no NATting is taking place in the path.
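Whether IKEv1 floats to UDP 4500 is decided inside phase 1, not by configuration. In main mode messages 3 and 4 each peer sends NAT-D payloads (RFC 3947): hashes, under the negotiated phase-1 hash, of the IKE cookies plus the address and port it believes it is sending to and from. The receiver recomputes the same hashes from the source and destination it actually saw on the wire; any mismatch means a NAT rewrote the packet, and from message 5 onward both sides move to port 4500. Until MM2 has been received there is nothing to force, which is where this thread's negotiation is stuck. The code below is an added example (not from the post and not ASA or FortiGate code) that builds and checks NAT-D payloads with SHA-1, matching the posted "hash sha" policy. The cookies are the ones printed in the FortiGate log; the ASA's private address behind the modem and the public addresses are constructed placeholders. One more thing worth noticing in the posted config, separate from the path problem: `crypto map Outside_map 1 set nat-t-disable` spells the map name with a capital O, and ASA names are case-sensitive, so that command applies to a map called `Outside_map`, not to the `outside_map` bound to the outside interface; that is consistent with the tunnel later being seen on port 4500.

```python
"""NAT-D computation and check as done in IKEv1 main mode messages 3/4 (RFC 3947).
Added example; not ASA or FortiGate code."""
import hashlib
import ipaddress
import struct

# Cookies taken from the FortiGate log in the thread (id=a3a6f383fee4b5f7/370842f2674124db).
CKY_I = bytes.fromhex("a3a6f383fee4b5f7")
CKY_R = bytes.fromhex("370842f2674124db")

# Constructed placeholder addresses: the ASA's private address behind the
# ADSL modem, the modem's public address, and the FortiGate's public address.
ASA_PRIVATE = "192.168.1.2"
MODEM_PUBLIC = "196.0.0.1"
FGT_PUBLIC = "94.0.0.1"
IKE_PORT = 500


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in
    network byte order. sha1 matches the posted 'hash sha' phase-1 policy."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """What a sender puts in its packet: first the hash of the address it is
    sending TO, then one hash per address it believes it is sending FROM."""
    return [nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(payloads, cky_i, cky_r, wire_src_ip, wire_src_port, my_ip, my_port):
    """Receiver side: the peer's view of itself must match the packet's source as
    seen on the wire, and the peer's view of us must match our own address."""
    peer_view_of_me, peer_views_of_itself = payloads[0], payloads[1:]
    peer_behind_nat = nat_d_hash(cky_i, cky_r, wire_src_ip, wire_src_port) not in peer_views_of_itself
    me_behind_nat = nat_d_hash(cky_i, cky_r, my_ip, my_port) != peer_view_of_me
    return {"peer_behind_nat": peer_behind_nat,
            "me_behind_nat": me_behind_nat,
            "float_to_4500": peer_behind_nat or me_behind_nat}


def fortigate_receives_from_asa(asa_src_ip=ASA_PRIVATE):
    """ASA (initiator) builds its MM3 NAT-D payloads from its own view of the
    addresses; the modem rewrites the source to MODEM_PUBLIC before the
    FortiGate sees the packet, so the FortiGate checks against MODEM_PUBLIC."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, asa_src_ip, IKE_PORT, FGT_PUBLIC, IKE_PORT)
    return detect_nat(payloads, CKY_I, CKY_R, MODEM_PUBLIC, IKE_PORT, FGT_PUBLIC, IKE_PORT)


if __name__ == "__main__":
    print("ASA behind the modem's NAT:", fortigate_receives_from_asa())
    print("ASA directly on the public address:", fortigate_receives_from_asa(MODEM_PUBLIC))
```

The first call models the thread's topology and reports the peer as behind NAT, so the FortiGate and ASA would continue on 4500; the second models an ASA holding the public address itself, where the hashes agree and phase 1 stays on 500. Both outcomes depend only on what the peers see in messages 3 and 4, which is why the ASA's port choice cannot be configured ahead of time and why a negotiation that never gets past message 2 stays on 500 regardless of NAT.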

Deepak Kumar (Advocate)

Hi,

Thanks all for your suggestions and for helping me find the root cause. I found that traffic was being dropped at the ADSL modem (Cisco ASA site). We booked a call with the ISP and they replaced the modem. Now the issue is resolved.

Regards,

Deepak Kumar