12-22-2011 07:44 AM
Hello,
I'm trying to set up an IPsec VPN with a FortiGate which has a dynamic IP as gateway.
I have a security policy which allows all packets from the dynamic IP (FQDN), but if I type the command 'show log traffic src in x.x.x.x' I can see that I have an incoming request which Palo Alto denies.
The weird thing is that this allow rule contains all other VPN gateways, which have static IP addresses, and the only difference is that this one is defined with an FQDN.
Any help would be greatly appreciated.
Thank you,
Chris
12-23-2011 12:04 AM
Thank you for your reply.
It's just a DSL connection with a dynamic IP and a TTL value of 86400.
I could see from the console that the FQDN was correctly resolving to the new IP address.
Another weird behavior: I forced the active unit into suspend mode, and when the passive unit became active, the VPN worked! Then I switched the units again and it was still working. The two configurations were synchronized correctly and there was no configuration change at all...
This morning all IPsec VPNs are working except this one with the dynamic IP.
12-29-2011 04:45 PM
Assuming that the FortiGate is initiating the VPN, you should get very useful debugging messages in the Palo Alto device's system logs regarding the reason for the VPN initiation failure.
Have you tried that route for debugging the issue?
-Benjamin
12-30-2011 01:45 AM
Yes, the FortiGate initiates the VPN connection, but the weird thing is that I don't see any logs under Monitor -> System. I can see them only under Monitor -> Traffic, where the firewall denies the specific packet (IKE, UDP 500).
When switching the HA pair from active to passive, I can see normal logs and the VPN is working until the public IP address changes on the FortiGate...
I think it has to do with the FortiGate and the way it initiates the VPN connection?
Thank you,
Chris
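A defender-side check for the symptom Chris describes, added here as an example and not code from the thread or from either vendor: given the firewall's cached FQDN-to-IP mapping for the peer, a denied IKE record and what DNS currently returns, it reports whether the deny is consistent with the allow rule still matching a stale resolution. It assumes the rule is evaluated against a cached mapping that is refreshed only on TTL expiry or a cache rebuild (not something the thread confirms); the log format, peer FQDN and IP addresses are constructed.

```python
# Added example, not from the thread; all IPs, log lines and field names are constructed.
# Assumption (not confirmed above): the allow rule matches the firewall's cached
# FQDN->IP mapping, refreshed only when the DNS TTL (86400 s here) expires or the cache is rebuilt.
import re
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class FqdnCacheEntry:
    fqdn: str
    cached_ips: tuple   # addresses the policy currently matches for this FQDN
    age_seconds: int    # seconds since the firewall last resolved the FQDN
    ttl_seconds: int    # DNS TTL returned at that resolution

# Constructed key=value record; a real traffic log has a different layout.
DENY_RE = re.compile(r"action=(\w+) src=([\d.]+) dport=(\d+) proto=(\w+)")

def parse_denied_ike(line):
    """Return the source IP of a denied IKE (UDP/500) record, else None."""
    m = DENY_RE.search(line)
    if not m or m.group(1) != "deny" or m.group(3) != "500" or m.group(4) != "udp":
        return None
    return m.group(2)

def diagnose(entry, denied_src, live_dns_ips):
    """Explain why an FQDN-based allow rule may have missed `denied_src`."""
    src = ip_address(denied_src)
    if src in {ip_address(i) for i in entry.cached_ips}:
        return {"verdict": "rule-matches-cache", "refresh_in": None}
    if src in {ip_address(i) for i in live_dns_ips}:
        # Policy still holds the old address; estimate when it will re-resolve.
        return {"verdict": "stale-fqdn-cache",
                "refresh_in": max(entry.ttl_seconds - entry.age_seconds, 0)}
    return {"verdict": "source-is-not-the-peer", "refresh_in": None}

def check_log(lines, entry, live_dns_ips):
    """Diagnose every denied IKE record in `lines`; returns (src, result) pairs."""
    return [(src, diagnose(entry, src, live_dns_ips))
            for src in map(parse_denied_ike, lines) if src]

SAMPLE_LOG = [
    "action=allow src=203.0.113.5 dport=500 proto=udp",   # static peer, allowed
    "action=deny src=198.51.100.20 dport=500 proto=udp",  # dynamic peer, new IP
    "action=deny src=192.0.2.9 dport=22 proto=tcp",       # unrelated deny
]
SAMPLE_ENTRY = FqdnCacheEntry("peer.example.net", ("198.51.100.10",), 3600, 86400)

if __name__ == "__main__":
    for src, result in check_log(SAMPLE_LOG, SAMPLE_ENTRY, ["198.51.100.20"]):
        print(src, result)
```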
12-30-2011 10:27 AM
If this continues to be a problem you should open a ticket with support.
SK