FortiGate
ssteo (Staff)
Article Id 269539
Description: This article explains an error where an ADVPN shortcut cannot be created. While the issue is present, the 'forward shortcut-query' debug message on the hub contains the value '0000000000000000'.
Scope: FortiGate, ADVPN.
Solution
  1. Run the following commands on the HUB firewall and look for a 'forward shortcut-query' message (IKE debug output is only printed once debugging is enabled):

diag debug application ike 255
diag debug enable

Example output:

ike 0:hub_0: forward shortcut-query 7737275851179552936 8b618dd41664ac10/0000000000000000 10.47.19.157 10.10.1.4->10.73.3.154 0 psk 64 ppk 0 ttl 31 ver 1 mode 0, ext-mapping 10.47.19.157:0, network-id 0

  2. If '0000000000000000' appears in the message, it may indicate that NAT is enabled in the hub-to-hub firewall policy.

[Image: hub firewall policy.png]

  3. Disable NAT in the hub-to-hub firewall policy. This will likely resolve the issue.
  4. Afterwards, search for the 'forward shortcut-query' message again. The value should now be a non-zero hexadecimal string instead of the all-zero value seen previously. For example, in the corresponding shortcut-reply message:

ike 0:hub_1: forward shortcut-reply 7737275851179552936 8b618dd41664ac10/d862906fe1bdc2d3 10.47.19.154 to 10.10.1.4 0 psk 64 ppk 0 ttl 31 ver 1 mode 0 ext-mapping 10.47.19.154:0


  5. Verify in the spoke routing table that the shortcut was created successfully. For example:

No shortcut created:

[Image: before shortcut.png]

Shortcut created:

[Image: after shortcut.png]
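As an added example (not part of the Fortinet article), the following Python script automates the check from steps 1, 2 and 4: it parses 'forward shortcut-query' and 'forward shortcut-reply' lines from saved IKE debug output and flags any query whose second cookie is all zeros, which is the symptom the article ties to NAT on the hub-to-hub policy. The field names (tunnel, msg_id, cookie_i, cookie_r, src) are my own labels for the positional fields; the article does not name them. The sample input is constructed from the article's two quoted lines plus one made-up healthy query.

```python
import re
from typing import Iterator, List, NamedTuple

# Constructed sample: the first two lines are the debug messages quoted in the
# article, the third is a made-up healthy query so the filter has something to
# pass. Real input would be the saved output of 'diag debug application ike 255'.
SAMPLE_DEBUG = """\
ike 0:hub_0: forward shortcut-query 7737275851179552936 8b618dd41664ac10/0000000000000000 10.47.19.157 10.10.1.4->10.73.3.154 0 psk 64 ppk 0 ttl 31 ver 1 mode 0, ext-mapping 10.47.19.157:0, network-id 0
ike 0:hub_1: forward shortcut-reply 7737275851179552936 8b618dd41664ac10/d862906fe1bdc2d3 10.47.19.154 to 10.10.1.4 0 psk 64 ppk 0 ttl 31 ver 1 mode 0 ext-mapping 10.47.19.154:0
ike 0:hub_0: forward shortcut-query 1122334455667788990 0123456789abcdef/fedcba9876543210 10.47.19.160 10.10.1.9->10.73.3.200 0 psk 64 ppk 0 ttl 31 ver 1 mode 0, ext-mapping 10.47.19.160:0, network-id 0
"""

# The group names are my own labels for the positional fields (the article does
# not name them). cookie_i/cookie_r are the two 16-hex-digit halves of the
# 'xxxx/yyyy' pair that follows the decimal message id.
MSG_RE = re.compile(
    r"^ike \d+:(?P<tunnel>[^:]+): forward shortcut-(?P<kind>query|reply) "
    r"(?P<msg_id>\d+) (?P<cookie_i>[0-9a-fA-F]{16})/(?P<cookie_r>[0-9a-fA-F]{16}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)"
)


class ShortcutMsg(NamedTuple):
    tunnel: str
    kind: str
    msg_id: str
    cookie_i: str
    cookie_r: str
    src: str


def parse_shortcut_messages(text: str) -> Iterator[ShortcutMsg]:
    """Yield every forward shortcut-query/reply message found in debug output."""
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            yield ShortcutMsg(**m.groupdict())


def is_zero_cookie(cookie: str) -> bool:
    """True when the cookie is the all-zero value the article describes."""
    return set(cookie) == {"0"}


def find_zeroed_queries(text: str) -> List[ShortcutMsg]:
    """Return shortcut-query messages whose second cookie is all zeros."""
    return [
        m for m in parse_shortcut_messages(text)
        if m.kind == "query" and is_zero_cookie(m.cookie_r)
    ]


def report(text: str) -> str:
    """Human-readable summary pointing at the policy to check."""
    hits = find_zeroed_queries(text)
    if not hits:
        return "OK: no shortcut-query with an all-zero cookie found"
    lines = [f"WARNING: {len(hits)} shortcut-query message(s) carry an all-zero cookie"]
    for h in hits:
        lines.append(f"  tunnel {h.tunnel}: msg {h.msg_id} from {h.src} -> {h.cookie_i}/{h.cookie_r}")
    lines.append("  check the hub-to-hub firewall policy: NAT should be disabled")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))
```

Feed it the captured debug output (for example by reading a file into `report()`) after each change to the policy; once the hub-to-hub policy has NAT disabled, the script should report OK and the query's second cookie should match the non-zero value seen in the shortcut-reply.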
