FortiGate
naveenk
Staff
Article Id 189648

Description


This article discusses the 'SA is not ready yet, drop' message.

Scope

FortiGate.

Solution

In an IPsec site-to-site VPN, traffic is not passing through the tunnel.

The following debug flow output can appear:

id=20085 trace_id=505 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=506 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=17, 10.56.103.254:50221->10.191.96.4:33450) from Nexus link. "
id=20085 trace_id=506 func=init_ip_session_common line=5441 msg="allocate a new session-c4241ca3"
id=20085 trace_id=506 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.191.96.4 via IDBHQ_Azure-1"
id=20085 trace_id=506 func=fw_forward_handler line=737 msg="Allowed by Policy-1939:"
id=20085 trace_id=506 func=ids_receive line=269 msg="send to ips"
id=20085 trace_id=506 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-IDBHQ_Azure-1"
id=20085 trace_id=506 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
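When the debug flow output is long, it helps to group the lines by trace_id and pull out, for each trace that ended in 'SA is not ready yet, drop', the packet's source, destination, protocol and the IPsec interface it was being sent into. The script below is an added example, not part of the original article or of FortiOS; it uses the debug flow lines quoted above as its embedded sample, and the function names (parse_flow, find_sa_drops, drops_per_interface) and regular expressions are the example's own assumptions about the line layout shown on this page.

```python
import re
from collections import defaultdict

# Sample input: the debug flow lines quoted in the article, embedded here so
# the example runs offline (trace 505 has only the drop line, trace 506 is
# a complete flow into the IPsec interface IDBHQ_Azure-1).
SAMPLE_FLOW = """\
id=20085 trace_id=505 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=506 func=print_pkt_detail line=5282 msg="vd-root received a packet(proto=17, 10.56.103.254:50221->10.191.96.4:33450) from Nexus link. "
id=20085 trace_id=506 func=init_ip_session_common line=5441 msg="allocate a new session-c4241ca3"
id=20085 trace_id=506 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.191.96.4 via IDBHQ_Azure-1"
id=20085 trace_id=506 func=fw_forward_handler line=737 msg="Allowed by Policy-1939:"
id=20085 trace_id=506 func=ids_receive line=269 msg="send to ips"
id=20085 trace_id=506 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-IDBHQ_Azure-1"
id=20085 trace_id=506 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
"""

# Assumed line layout: 'trace_id=N func=NAME line=N msg="..."' (as on this page).
LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r'proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)')
IFACE_RE = re.compile(r'enter IPsec interface-(\S+)')


def parse_flow(text):
    """Group debug flow lines by trace_id as (func, msg) tuples, in order."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            traces[int(m.group(1))].append((m.group(2), m.group(3)))
    return traces


def find_sa_drops(text):
    """Return one dict per trace that ended in 'SA is not ready yet, drop'.

    Each dict carries the trace_id, the IPsec interface the packet entered
    (None when the trace does not show it) and the packet's proto/src/dst.
    """
    drops = []
    for tid, lines in sorted(parse_flow(text).items()):
        if not any(msg.startswith("SA is not ready yet") for _, msg in lines):
            continue
        info = {"trace_id": tid, "interface": None, "src": None, "dst": None, "proto": None}
        for _, msg in lines:
            p = PKT_RE.search(msg)
            if p:
                info["proto"] = int(p.group(1))
                info["src"], info["dst"] = p.group(2), p.group(4)
            i = IFACE_RE.search(msg)
            if i:
                info["interface"] = i.group(1)
        drops.append(info)
    return drops


def drops_per_interface(text):
    """Count SA-not-ready drops per IPsec interface, to see which tunnel is down."""
    counts = defaultdict(int)
    for d in find_sa_drops(text):
        counts[d["interface"] or "(unknown)"] += 1
    return dict(counts)


if __name__ == "__main__":
    for d in find_sa_drops(SAMPLE_FLOW):
        print(d)
    print(drops_per_interface(SAMPLE_FLOW))
```

Run it against a saved `diagnose debug flow` capture instead of SAMPLE_FLOW to see at a glance which IPsec interface, and therefore which phase 2, is the one without an established SA; a trace that shows only the drop line (like trace 505 here) is reported with the interface as unknown rather than being silently skipped.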


'SA is not ready yet, drop' means that the phase 2 SA (Security Association) for this tunnel is not currently established, so the packet cannot be encrypted and is discarded.

Check the phase 2 configuration on both sides and make sure that the phase 2 selectors match.

For example, make sure the 'Auto Negotiate' setting is the same on both sides.

If multiple phase 2 selectors are bound to the same phase 1 and their subnets overlap, this error can appear in the debug flow trace. For instance:

proxyid=traffic1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0

proxyid=traffic2
src: 192.168.10.0/24
dst: 10.0.0.0/16

In this example, proxyid=traffic1 (any source to any destination) overshadows proxyid=traffic2, so it is unclear which phase 2 selector should be used to send the traffic.
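Spotting this by eye is easy with two selectors but not with a dozen. The following added example (not part of the article or of FortiOS) parses a selector listing in the layout shown above, accepting both the 'proto:addr/mask:port' form and the plain 'addr/prefix' form, and reports every pair where one phase 2 selector fully covers (shadows) another or merely overlaps it. The sample listing is constructed (the two selectors from the article plus a third, non-conflicting one), and the function names parse_endpoint, parse_selectors and find_conflicts are the example's own.

```python
import ipaddress

# Constructed sample in the layout the article shows: the article's two
# selectors plus one more that does not conflict with traffic2.
SAMPLE_SELECTORS = """\
proxyid=traffic1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
proxyid=traffic2
src: 192.168.10.0/24
dst: 10.0.0.0/16
proxyid=traffic3
src: 172.16.5.0/24
dst: 10.99.0.0/16
"""


def parse_endpoint(text):
    """Parse 'proto:addr/mask:port' or plain 'addr/prefix'.

    Returns (proto, network, port); None stands for 'any' (proto 0 / port 0).
    Dotted netmasks such as 0.0.0.0/0.0.0.0 are accepted by ipaddress directly.
    """
    parts = text.strip().split(":")
    if len(parts) == 3:
        proto, addr, port = parts
        proto = None if proto == "0" else int(proto)
        port = None if port == "0" else int(port)
    else:
        proto, addr, port = None, parts[0], None
    return proto, ipaddress.ip_network(addr, strict=False), port


def parse_selectors(text):
    """Turn a listing of proxyid blocks into dicts with name, src and dst."""
    selectors = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("proxyid="):
            current = {"name": line.split("=", 1)[1]}
            selectors.append(current)
        elif current is not None and line.startswith(("src:", "dst:")):
            key, value = line.split(":", 1)
            current[key] = parse_endpoint(value)
    return selectors


def _covers(a, b):
    """True when endpoint a (proto, net, port) is at least as broad as b."""
    proto_a, net_a, port_a = a
    proto_b, net_b, port_b = b
    return net_b.subnet_of(net_a) and proto_a in (None, proto_b) and port_a in (None, port_b)


def find_conflicts(text):
    """Return (earlier, relation, later) tuples for shadowing or overlapping pairs.

    'shadows' means one selector covers the other on both src and dst, so the
    broader one wins and the narrower one never carries traffic; 'overlaps'
    means the ranges intersect without either fully containing the other.
    """
    selectors = parse_selectors(text)
    conflicts = []
    for i, a in enumerate(selectors):
        for b in selectors[i + 1:]:
            if _covers(a["src"], b["src"]) and _covers(a["dst"], b["dst"]):
                conflicts.append((a["name"], "shadows", b["name"]))
            elif _covers(b["src"], a["src"]) and _covers(b["dst"], a["dst"]):
                conflicts.append((b["name"], "shadows", a["name"]))
            elif a["src"][1].overlaps(b["src"][1]) and a["dst"][1].overlaps(b["dst"][1]):
                conflicts.append((a["name"], "overlaps", b["name"]))
    return conflicts


if __name__ == "__main__":
    for earlier, relation, later in find_conflicts(SAMPLE_SELECTORS):
        print(f"{earlier} {relation} {later}")
```

For the sample this reports that traffic1 shadows both traffic2 and traffic3, which is exactly the situation the article describes: a 0.0.0.0/0 to 0.0.0.0/0 selector on the same phase 1 makes the narrower selectors unreachable. The check assumes IPv4 selectors throughout; mixing IPv4 and IPv6 endpoints in one pair would raise a TypeError from subnet_of.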

It is also possible to enable the IKE debug and check the negotiation:

diagnose vpn ike log-filter dst-addr4 x.x.x.x <----- Where x.x.x.x is the remote gateway IP address.

diag debug app ike -1

diagnose debug console timestamp enable

diagnose debug enable

Note:

Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command was changed to 'diagnose vpn ike log filter rem-addr4'.

After 5 to 10 seconds, disable the debug output by executing:

diagnose debug disable