FortiGate
ccho (Staff)
Article Id 242428
Description

This article describes a situation where IPsec VPN tunnels do not form because IKE negotiation traffic flows in only one direction.

It applies to any case where IKE (UDP 500) delivery between gateways is not working.


The problematic behavior can be identified with a packet capture and with IKE debugging.

Gateway 1.

On this gateway, IKE traffic is seen in both directions.

(Image: bi-directional IKE.PNG)

Gateway 2.

This gateway does not see incoming IKE traffic from Gateway 1.

(Image: single-direction ike.PNG)

IKE debugging on Gateway 2 shows repeated 'Retransmit' messages:


2022-12-23 10:06:15.340812 ike 8:VPN_4.x:86716: sent IKE msg (SA_INIT): 0.0.0.13:500->0.0.0.82:500, len=448, id=caf7710739f4dd0d/0000000000000000

2022-12-23 10:06:18.348709 ike 8:VPN_4.x:86716: out 

2022-12-23 10:06:18.348860 ike 8:VPN_4.x:86716: sent IKE msg (RETRANSMIT_SA_INIT 0.0.0.13:500->0.0.0.82:500, len=448, id=caf7710739f4dd0d/0000000000000000

2022-12-23 10:06:20.348794 ike 8:VPN_4.x:VPN_4.x: IPsec SA connect 66 0.0.0.13->0.0.0.82:0

2022-12-23 10:06:20.348870 ike 8:VPN_4.x:VPN_4.x: using existing connection

2022-12-23 10:06:20.348894 ike 8:VPN_4.x:VPN_4.x: config found

2022-12-23 10:06:20.348914 ike 8:VPN_4.x: request is on the queue

2022-12-23 10:06:22.358758 ike shrank heap by 159744 bytes

2022-12-23 10:06:24.358720 ike 8:VPN_4.x:86716: out 2022-12-23 10:06:24.358870 ike 8:V,
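The following script is an added example, not part of the original article and not Fortinet code. It reads FortiOS IKE debug output like the lines above and separates the one-way pattern (SA_INIT retransmitted, nothing ever received from the peer) from a normal exchange and from a failing two-way negotiation. The "sent IKE msg" line format follows the debug output above, including the retransmit line that lacks a closing parenthesis; the "comes src->dst" receive line format, the tunnel names VPN_ONEWAY and VPN_OK, the addresses, the SPI values and the retransmit threshold of 2 are assumptions made for this example.

```python
"""Classify FortiOS IKE debug output: healthy, one-way IKE, or failing two-way.

Added example, not Fortinet code. The "sent IKE msg" format follows the
article's debug output; the "comes src->dst" receive line is assumed here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample (not from the article): VPN_ONEWAY never hears back from
# its peer, VPN_OK gets a reply to its first SA_INIT. Addresses are RFC 5737
# documentation ranges; SPI values are made up.
SAMPLE_LOG = """\
2022-12-23 10:06:15.340812 ike 8:VPN_ONEWAY:86716: sent IKE msg (SA_INIT): 192.0.2.13:500->198.51.100.82:500, len=448, id=deadbeef00000001/0000000000000000
2022-12-23 10:06:18.348860 ike 8:VPN_ONEWAY:86716: sent IKE msg (RETRANSMIT_SA_INIT 192.0.2.13:500->198.51.100.82:500, len=448, id=deadbeef00000001/0000000000000000
2022-12-23 10:06:24.358870 ike 8:VPN_ONEWAY:86716: sent IKE msg (RETRANSMIT_SA_INIT): 192.0.2.13:500->198.51.100.82:500, len=448, id=deadbeef00000001/0000000000000000
2022-12-23 10:06:30.100000 ike 8:VPN_OK:86717: sent IKE msg (SA_INIT): 192.0.2.13:500->203.0.113.5:500, len=448, id=deadbeef00000002/0000000000000000
2022-12-23 10:06:30.150000 ike 0: comes 203.0.113.5:500->192.0.2.13:500,ifindex=7,vrf=0
"""

# Tolerates the missing ")" / ":" seen in some retransmit lines.
SENT_RE = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):\d+: sent IKE msg \((?P<kind>[A-Z_]+)\)?:? "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+), len=\d+, "
    r"id=(?P<ispi>[0-9a-f]+)/(?P<rspi>[0-9a-f]+)"
)
RECV_RE = re.compile(r"ike \d+: comes (?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)")


@dataclass
class TunnelStats:
    peer: str = ""               # remote IKE endpoint (ip:port) this tunnel talks to
    sent: int = 0                # all IKE messages sent, initial and retransmitted
    retransmits: int = 0         # RETRANSMIT_* messages only
    received_from_peer: int = 0  # packets that arrived from the peer address
    spis: set = field(default_factory=set)


def parse_ike_debug(text: str) -> dict:
    """Return {tunnel_name: TunnelStats} for every tunnel that sent IKE traffic."""
    stats = defaultdict(TunnelStats)
    inbound = defaultdict(int)  # source ip:port -> packets received from it
    for line in text.splitlines():
        m = SENT_RE.search(line)
        if m:
            t = stats[m["tunnel"]]
            t.peer = m["dst"]
            t.sent += 1
            t.spis.add(m["ispi"])
            if m["kind"].startswith("RETRANSMIT"):
                t.retransmits += 1
            continue
        m = RECV_RE.search(line)
        if m:
            inbound[m["src"]] += 1
    for t in stats.values():
        t.received_from_peer = inbound.get(t.peer, 0)
    return dict(stats)


def classify(t: TunnelStats, retransmit_threshold: int = 2) -> str:
    """Map a tunnel's counters to the symptom the article distinguishes."""
    if t.retransmits >= retransmit_threshold and t.received_from_peer == 0:
        # Matches the article: we keep sending, nothing ever comes back.
        return "one-way"
    if t.retransmits >= retransmit_threshold:
        # Peer does answer, so the path works; look at proposals/PSK/IDs instead.
        return "two-way-failing"
    return "healthy"


def diagnose(text: str, retransmit_threshold: int = 2) -> dict:
    """Return {tunnel_name: verdict} for a whole debug capture."""
    return {name: classify(t, retransmit_threshold)
            for name, t in parse_ike_debug(text).items()}


if __name__ == "__main__":
    for name, stats in parse_ike_debug(SAMPLE_LOG).items():
        print(f"{name:<12} peer={stats.peer:<20} sent={stats.sent} "
              f"retransmits={stats.retransmits} "
              f"in_from_peer={stats.received_from_peer} -> {classify(stats)}")
```

On a FortiGate the input is produced by `diagnose debug application ike -1` followed by `diagnose debug enable`; save the output to a file and pass its contents to `diagnose()`. A "one-way" verdict is the case this article covers and points at the path between the gateways; a "two-way-failing" verdict means the peer does respond, so a stale upstream session is not the cause and the negotiation itself should be examined instead.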


The scenario described above is often caused by stale UDP sessions on routers in the path between the gateways (for example, in the ISP's network).

When routing changes in the ISP's environment, IKE (UDP 500) packets may continue to be forwarded along the old path because the existing session entry is still present.

Scope

FortiGate, any third-party IPsec VPN gateway.

Solution

To clear the stale UDP session, IKE traffic must be stopped completely until the UDP session timers have expired on the affected routers.

Most network devices keep UDP session entries for up to 5 minutes.

This can be achieved by disabling the VPN interface on the FortiGate for 5 minutes, which prevents the FortiGate from generating UDP 500 traffic.

Third-party VPN gateways may have their own method of stopping IKE negotiation.

Once the stale sessions have cleared, re-enabling the VPN interface resumes the IKE exchange as a new session.
