VPN with fqdn denying ike 500

cancel
Showing results for 
Search instead for 
Did you mean: 

VPN with fqdn denying ike 500

Not applicable

Hello,

I'm trying to setup a ipsec vpn with a fortigate which has dynamic ip as gateway.

I have a security policy which allows all packets from the dynamic ip (fqdn) but if i type the command 'show log traffic src in x.x.x.x' i can see that i have an incoming request which Palo Alto denies.

The weird thing is that this allow rule contains all other vpn gateways which are with static ip addresses and the only difference is that this one is defined with fqdn.

Any help would be greatly appreciated.

Thank you,

Chris

5 REPLIES 5

L4 Transporter

Dynamic like constantly changing or dynamic like a DHCP lease?

I think the FQDN job runs every 30 minutes or after a commit.

So it's not constantly asking for the IP of the FQDN.

Thank you for your reply.

It's just a dsl connection with dynamic ip and ttl value 86400.

I could see from console that the fqdn was correctly resolving to the new ip addresss.

Another weird behavior: I forced the active unit to suspend mode and when the passive unit returned to active, the vpn worked! Then I switched again the units and it was working. The two configurations were synchronized correctly and there was no configuration change at all...

This morning all ipsec vpns are working except this one with the dynamic ip.

Assuming that the fortigate is initiating the VPN you should get very useful debugging messages in the Palo Alto Device's system logs regarding the reason for the VPN initiation failure.

Have you tried that route for debugging the issue?

-Benjamin

Yes fortigate initiates the vpn connection but the weird thing is that i don't see any logs under Monitor -> System. I can see only under Monitor -> traffic where the firewall denies the specific packet (ike 500).

When switching the ha pair from active to passive, I can see normal logs and the vpn is working until the public ip address changes in the fortigate...

I think it has to do with the fortigate and the way it initiates the vpn connection..??

Thank you,

Chris

If this continues to be a problem you should open a ticket with support.

SK

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!