pareenat, Staff
Article Id 191077
Description

This article explains the error message “Failed action on FGh_FtiLog1 ipsec.phase1 (action 3; ret -49)” which may appear on the FortiGate console.


Scope

FortiOS all versions.


Solution
After an IPsec secure-logging connection has been established between a FortiGate and a FortiAnalyzer, the FortiGate automatically creates an IPsec VPN tunnel with a dedicated reference name:

'FGh_FtiLog<n>'
(where n is the reference number of the FortiAnalyzer device)
To view this tunnel on the CLI, use the "diagnose vpn tunnel list" command as shown below:
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=FGh_FtiLog1 ver=1 serial=2 0.0.0.0:0-><IP of FortiAnalyzer>:0 lgwy=dyn tun=tunnel m
proxyid_num=1 child_num=0 refcnt=6 ilast=23 olast=23
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=FGh_FtiLog1 proto=0 sa=0 ref=1 auto_negotiate=0 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:<IP of FortiAnalyzer>/255.255.255.255:0
However, in some cases the following error messages may be displayed on the FortiGate console after an IPsec connection attempt with the FortiAnalyzer:
hiddenentry.c:__cli_action_hidden_entry,116: action error with hidden entry -49
Failed action on FGh_FtiLog1 ipsec.phase1 (action 3; ret -49)
hiddenentry.c:__cli_action_hidden_entry,116: action error with hidden entry -1
Failed action on FGh_FtiLog1 ipsec.phase2 (action 3; ret -1)
This scenario may be caused by the settings configured under 'config system password-policy'. If the policy has been applied to IPsec pre-shared keys (apply-to includes 'ipsec-preshared-key'), the policy is also enforced on the automatically created logging tunnel, and the phase1/phase2 actions fail as shown above.

To fix this issue, connect to the FortiGate CLI and reconfigure the 'system password-policy' settings so that the policy no longer applies to IPsec pre-shared keys, as shown below:
# config system password-policy
(password-policy) # get
status : enable
apply-to : admin-password ipsec-preshared-key <<<
minimum-length : 8
(password-policy) # unset apply-to
(password-policy) # get
status : enable
apply-to : admin-password
minimum-length : 8
min-lower-case-letter: 0
min-upper-case-letter: 0
min-non-alphanumeric: 0
min-number : 0
change-4-characters : disable
expire-status : disable
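As an added illustration (not part of the original article or of FortiOS), the following script shows how an operator could check for this condition offline: it parses the "Failed action on ... ipsec.phaseN (action A; ret R)" console lines and the "get" listing of 'system password-policy', and reports whether the article's scenario applies (a failing FGh_FtiLog<n> tunnel together with a policy applied to 'ipsec-preshared-key'). The console lines and the policy listing embedded below are constructed samples modelled on the text above; the function names and the result dictionary are the script's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample console lines, modelled on the messages quoted in the article.
CONSOLE_LINES = [
    "hiddenentry.c:__cli_action_hidden_entry,116: action error with hidden entry -49",
    "Failed action on FGh_FtiLog1 ipsec.phase1 (action 3; ret -49)",
    "hiddenentry.c:__cli_action_hidden_entry,116: action error with hidden entry -1",
    "Failed action on FGh_FtiLog1 ipsec.phase2 (action 3; ret -1)",
]

# Constructed sample 'get' output of 'config system password-policy' (before the fix).
POLICY_GET_OUTPUT = """\
status : enable
apply-to : admin-password ipsec-preshared-key
minimum-length : 8
min-lower-case-letter: 0
"""

# "Failed action on <tunnel> ipsec.phase<1|2> (action <n>; ret <code>)"
FAILED_ACTION_RE = re.compile(
    r"^Failed action on (?P<name>\S+) (?P<obj>ipsec\.phase[12]) "
    r"\(action (?P<action>\d+); ret (?P<ret>-?\d+)\)$"
)
# Name pattern of the automatically created FortiAnalyzer logging tunnel.
LOG_TUNNEL_RE = re.compile(r"^FGh_FtiLog\d+$")


def parse_failed_actions(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (tunnel name, phase object, return code) for every 'Failed action' line."""
    found = []
    for line in lines:
        m = FAILED_ACTION_RE.match(line.strip())
        if m:
            found.append((m["name"], m["obj"], int(m["ret"])))
    return found


def parse_get_output(text: str) -> Dict[str, str]:
    """Parse the 'key : value' lines of a FortiOS 'get' listing into a dictionary."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def policy_applies_to_psk(settings: Dict[str, str]) -> bool:
    """True when the password policy is enforced on IPsec pre-shared keys."""
    return "ipsec-preshared-key" in settings.get("apply-to", "").split()


def diagnose(console_lines: List[str], policy_text: str) -> Dict[str, object]:
    """Correlate console failures with the password policy and suggest the article's fix."""
    failures = parse_failed_actions(console_lines)
    log_tunnel_failures = [f for f in failures if LOG_TUNNEL_RE.match(f[0])]
    psk_policy = policy_applies_to_psk(parse_get_output(policy_text))
    matches = bool(log_tunnel_failures) and psk_policy
    return {
        "log_tunnel_failures": log_tunnel_failures,
        "psk_policy": psk_policy,
        "matches_article": matches,
        # CLI steps from the article (hypothetical helper text, not FortiOS output).
        "remediation": (
            ["config system password-policy", "unset apply-to", "end"] if matches else []
        ),
    }


if __name__ == "__main__":
    result = diagnose(CONSOLE_LINES, POLICY_GET_OUTPUT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running the script on the constructed samples reports two FGh_FtiLog1 failures, a policy applied to pre-shared keys, and therefore a match with the remediation steps from the article; with an 'apply-to : admin-password' listing (the state after 'unset apply-to'), or with failures on a tunnel that is not a logging tunnel, it reports no match.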
