FortiGate
kumarh
Staff
Article Id 304205
Description

 This article describes how to troubleshoot the error 'received notify type AUTHENTICATION_FAILED' seen in the IKE debug output when an IPsec tunnel is down.

Scope

FortiGate v7.0.0.
Solution
  • This error is commonly seen when the FortiGate is deployed in the cloud and the remote peer rejects the IKE identity the FortiGate presents; the local ID settings described at the end of this article are then required. First, run the IKE debug and confirm the error (replace [remote-peer] with the IP address of the remote gateway):


diagnose vpn ike log-filter dst-addr4 [remote-peer]
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

  • With the debug running, the failure appears in the output like this:

 

2024-03-12 18:07:06.761429 ike 0:Fortigate:370445: sent IKE msg (AUTH): 10.17.4.132:4500->103.9.225.1:4500, len=240, vrf=0, id=d877b92d9f8675a0/5929808be8170f37:00000001
2024-03-12 18:07:06.904098 ike 0: comes 103.9.225.1:4500->10.17.4.132:4500,ifindex=4,vrf=0....
2024-03-12 18:07:06.904935 ike 0: IKEv2 exchange=AUTH_RESPONSE id=d877b92d9f8675a0/5929808be8170f37:00000001 len=80
2024-03-12 18:07:06.905366 ike 0: in D877B92D9F8675A05929808BE8170F372E20232000000001000000502900003408DDB68445805F9546822E9AAED2872950F08084B196277203B901495E095CAC23EC5D0A42427DD07D30432AE82911C1
2024-03-12 18:07:06.905898 ike 0:MPHASIS-EON: HA state master(2)
2024-03-12 18:07:06.906319 ike 0:MPHASIS-EON:370445: dec D877B92D9F8675A05929808BE8170F372E2023200000000100000028290000040000000800000018
2024-03-12 18:07:06.906950 ike 0:MPHASIS-EON:370445: initiator received AUTH msg <----- The FortiGate is the IKE initiator and has received the IKE_AUTH response from the remote peer, which is acting as the responder.
2024-03-12 18:07:06.907296 ike 0:MPHASIS-EON:370445: received notify type AUTHENTICATION_FAILED <----- The responder rejected the FortiGate's IKE_AUTH, so the tunnel stays down.
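To make this kind of debug output quicker to triage, the following is an added Python example (not part of the article and not Fortinet code). It parses lines in the format shown above, correlates them by the negotiation serial (the number after the tunnel name, 370445 in this output), records which side received the IKE_AUTH message and which notify came back, and prints a hint for the notify type. The sample input is the article's excerpt with the wrapped line re-joined and the raw hex dumps dropped; the hints for notify types other than AUTHENTICATION_FAILED go beyond this article and use the notify names from RFC 7296.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the IKE debug lines quoted in this article, with the
# wrapped "sent IKE msg" line re-joined and the hex payload dumps removed.
SAMPLE_DEBUG = """\
2024-03-12 18:07:06.761429 ike 0:Fortigate:370445: sent IKE msg (AUTH): 10.17.4.132:4500->103.9.225.1:4500, len=240, vrf=0, id=d877b92d9f8675a0/5929808be8170f37:00000001
2024-03-12 18:07:06.904098 ike 0: comes 103.9.225.1:4500->10.17.4.132:4500,ifindex=4,vrf=0....
2024-03-12 18:07:06.904935 ike 0: IKEv2 exchange=AUTH_RESPONSE id=d877b92d9f8675a0/5929808be8170f37:00000001 len=80
2024-03-12 18:07:06.905898 ike 0:MPHASIS-EON: HA state master(2)
2024-03-12 18:07:06.906950 ike 0:MPHASIS-EON:370445: initiator received AUTH msg
2024-03-12 18:07:06.907296 ike 0:MPHASIS-EON:370445: received notify type AUTHENTICATION_FAILED
"""

# Line patterns seen in the article's output. Lines are keyed by the negotiation
# serial (e.g. 370445) because the tunnel name printed before it can vary.
SENT_RE = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): sent IKE msg \((?P<exch>\w+)\): "
    r"(?P<local>[\d.]+):\d+->(?P<peer>[\d.]+):\d+.*?"
    r"id=(?P<ispi>[0-9a-f]{16})/(?P<rspi>[0-9a-f]{16})"
)
ROLE_RE = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): (?P<role>initiator|responder) received (?P<exch>\w+) msg"
)
NOTIFY_RE = re.compile(
    r"ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): received notify type (?P<notify>\w+)"
)

# Hints per IKEv2 notify type (names as in RFC 7296, section 3.10.1). Only
# AUTHENTICATION_FAILED is covered by the article; the others are added here.
GUIDANCE = {
    "AUTHENTICATION_FAILED": "peer rejected our IKE_AUTH: check localid/localid-type "
    "(cloud peers often expect the public IP), the PSK or certificate, and the peer ID "
    "configured on the remote side",
    "NO_PROPOSAL_CHOSEN": "no matching proposal on the peer; align encryption, "
    "integrity and DH group settings",
    "INVALID_KE_PAYLOAD": "DH group mismatch in IKE_SA_INIT; align dhgrp on both sides",
    "TS_UNACCEPTABLE": "phase2 selectors do not match the peer's traffic selectors",
}


@dataclass
class IkeNegotiation:
    serial: str
    tunnel: str = ""
    local: str = ""
    peer: str = ""
    ispi: str = ""
    rspi: str = ""
    role: str = ""
    last_sent: str = ""
    notifies: list = field(default_factory=list)


def parse_ike_debug(text: str) -> dict:
    """Return {serial: IkeNegotiation} for every negotiation seen in the output."""
    negs = {}
    for line in text.splitlines():
        m = SENT_RE.search(line)
        if m:
            n = negs.setdefault(m["serial"], IkeNegotiation(m["serial"]))
            n.tunnel, n.local, n.peer = m["tunnel"], m["local"], m["peer"]
            n.ispi, n.rspi, n.last_sent = m["ispi"], m["rspi"], m["exch"]
            continue
        m = ROLE_RE.search(line)
        if m:
            n = negs.setdefault(m["serial"], IkeNegotiation(m["serial"]))
            n.tunnel, n.role = m["tunnel"], m["role"]
            continue
        m = NOTIFY_RE.search(line)
        if m:
            n = negs.setdefault(m["serial"], IkeNegotiation(m["serial"]))
            n.tunnel = m["tunnel"]
            n.notifies.append(m["notify"])
    return negs


def failed_auth(text: str) -> list:
    """Negotiations in which the peer answered with AUTHENTICATION_FAILED."""
    return [n for n in parse_ike_debug(text).values() if "AUTHENTICATION_FAILED" in n.notifies]


def explain(n: IkeNegotiation) -> str:
    """One line per notify: who sent it, in reply to what, and what to check."""
    lines = []
    for notify in n.notifies:
        hint = GUIDANCE.get(notify, "see RFC 7296 section 3.10.1 for this notify type")
        if n.role == "initiator":
            who = f"peer {n.peer or '?'} (responder) answered our {n.last_sent or 'IKE'} request"
        else:
            who = f"peer {n.peer or '?'} (initiator) sent"
        lines.append(f"{n.tunnel} [{n.serial}] SPI {n.ispi}/{n.rspi}: {who} with {notify}: {hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    for neg in failed_auth(SAMPLE_DEBUG):
        print(explain(neg))
```

Feed it a saved debug capture instead of SAMPLE_DEBUG to list every negotiation the peer rejected; the SPI pair in the output is the same value the remote administrator sees in their logs, which makes cross-checking both sides straightforward.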

 

  • In cloud platforms the FortiGate's interface typically carries a private address (10.17.4.132 in the output above) that is NATed to a public IP, and some vendors/remote peers expect the local ID to be that public IP rather than the address the FortiGate would send by default. Configure the local ID and local ID type explicitly in the phase1-interface:

 

config vpn ipsec phase1-interface
    edit "<tunnel-name>"
        set localid-type keyid
        set localid <WAN-PUBLIC-IP>
    next
end

The remote peer must be configured to expect exactly this value as the FortiGate's ID. After the change, re-run the IKE debug and confirm that the AUTH exchange completes without the AUTHENTICATION_FAILED notify.
