topic Re: VPN with fqdn denying ike 500 in General Topics

VPN with fqdn denying ike 500

cskodras — Thu, 22 Dec 2011 15:44:37 GMT

Hello,

I'm trying to setup a ipsec vpn with a fortigate which has dynamic ip as gateway.

I have a security policy which allows all packets from the dynamic ip (fqdn) but if i type the command 'show log traffic src in x.x.x.x' i can see that i have an incoming request which Palo Alto denies.

The weird thing is that this allow rule contains all other vpn gateways which are with static ip addresses and the only difference is that this one is defined with fqdn.

Any help would be greatly appreciated.

Thank you,

Chris

Re: VPN with fqdn denying ike 500

mharding — Thu, 22 Dec 2011 17:46:03 GMT

Dynamic like constantly changing or dynamic like a DHCP lease?

I think the FQDN job runs every 30 minutes or after a commit.

So it's not constantly asking for the IP of the FQDN.

Re: VPN with fqdn denying ike 500

cskodras — Fri, 23 Dec 2011 08:04:15 GMT

Thank you for your reply.

It's just a dsl connection with dynamic ip and ttl value 86400.

I could see from console that the fqdn was correctly resolving to the new ip addresss.

Another weird behavior: I forced the active unit to suspend mode and when the passive unit returned to active, the vpn worked! Then I switched again the units and it was working. The two configurations were synchronized correctly and there was no configuration change at all...

This morning all ipsec vpns are working except this one with the dynamic ip.

Re: VPN with fqdn denying ike 500

bpappas — Fri, 30 Dec 2011 00:45:52 GMT

Assuming that the fortigate is initiating the VPN you should get very useful debugging messages in the Palo Alto Device's system logs regarding the reason for the VPN initiation failure.

Have you tried that route for debugging the issue?

-Benjamin

Re: VPN with fqdn denying ike 500

cskodras — Fri, 30 Dec 2011 09:45:35 GMT

Yes fortigate initiates the vpn connection but the weird thing is that i don't see any logs under Monitor -> System. I can see only under Monitor -> traffic where the firewall denies the specific packet (ike 500).

When switching the ha pair from active to passive, I can see normal logs and the vpn is working until the public ip address changes in the fortigate...

I think it has to do with the fortigate and the way it initiates the vpn connection..??

Thank you,

Chris

Re: VPN with fqdn denying ike 500

skrall — Fri, 30 Dec 2011 18:27:46 GMT

If this continues to be a problem you should open a ticket with support.