Fortigate

Hi,
I had a FortiGate 60C Firewall/Router installed a few days ago. Since the installation I have no AIM iChat access and can't connect to the iCloud server to retrieve or send email via the Mail application. If I remove the FortiGate, everything works normally. I think it will be a TCP port problem, but I verified the TCP ports for iCloud mail and these are enabled. Does anyone have an idea, or the same problem with a FortiGate?
Thanks for any help you can bring.
Warm Regards,
JT

JayZie wrote:
> Has anyone played with their firewalls??? I have 2 in production and
> they are one of the best firewalls I have used. I dig them better
> than the ASA boxes.
We have a low-end one of these and I'm fairly impressed with the
feature set for the price point. We did have issues with the UI
stopping on a regular basis but a few updates later that went away.
Our ERP vendor supplied us one for a permanent VPN for support - that's
been solid too.
The FW flavour of the month for me would have to be the offerings from
Palo Alto Networks.

Similar Messages

  • Cisco jabber for mac over fortigate vpn problem

    Hi all,
    We have installed the Cisco Jabber for Mac successfully. The Jabber client is able to register locally successfully.
    Calling and other features are working properly. Jabber IM is also working fine.
    But when we try over VPN it shows the error "services are missing". All the ports are open on the Fortigate firewall.

    If you have detailed diagnostics from the Jabber Mac client, they would provide some more context as to why it's displaying those errors.  (Help > Detailed Logging enabled) (Help > Report a problem)
    Another thing to check for would be DNS resolution of the configured servers when the Mac is VPN'd in.  If Jabber cannot resolve the DNS name, it will not know where to connect to.
    If the diagnostics are pointing towards a connectivity problem, but the firewall says it's wide open, then taking a packet capture on the Mac where Jabber is trying to register may illustrate what's going on at the network layer.

  • Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505

    Problem : User A is unable to access user B
    User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} )  --- User B
    After using the wizard to configure the Cisco ASA site-to-site VPN, the site-to-site tunnel is up.
    Ping is unsuccessful from user A to user B
    Ping is successful from user B to user A, data is accessible
    After running packet tracer from user A to user B,
    Result :
    Flow-lookup
    Action : allow
    Info: Found no matching flow, creating a new flow
    Route-lookup
    Action : allow
    Info : 192.168.5.203 255.255.255.255 identity
    Access-list
    Action : drop
    Config Implicit Rule
    Result - The packet is dropped
    Input Interface : inside
    Output Interface : NP Identify Ifc
    Info: (acl-drop)flow is denied by configured rule
    Below is Cisco ASA 5505's show running-config
    ASA Version 8.2(1)
    hostname Asite
    domain-name ssms1.com
    enable password ZZZZ encrypted
    passwd WWWW encrypted
    names
    name 82 B-firewall description Singapore office firewall
    name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
    name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
    name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
    name 122 A-forti
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.5.203 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 93 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/7
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ssms1.com
    object-group network obj_any
    network-object 0.0.0.0 0.0.0.0
    access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
    access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
    access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
    access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 81 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http B-inside-subnet 255.255.255.0 inside
    http fw-inside-subnet 255.255.255.0 inside
    http 0.0.0.0 255.255.255.255 outside
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer A-forti
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer B-firewall
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 20
    authentication pre-share
    encryption aes-192
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes-256
    hash md5
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 192.168.5.10-192.168.5.20 inside
    dhcpd dns 165 165 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    username admin password XXX encrypted privilege 15
    tunnel-group 122 type ipsec-l2l
    tunnel-group 122 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    class-map outside-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
      message-length maximum client auto
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    policy-map outside-policy
    description ok
    class outside-class
      inspect dns
      inspect esmtp
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect icmp
      inspect icmp error
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    service-policy global_policy global
    service-policy outside-policy interface outside
    prompt hostname context
    Cryptochecksum: XXX
    : end
    I kindly need your expertise and help to solve the problem

    Can anyone help me?
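The packet-tracer excerpt in the post above is the most useful evidence it contains: the trace walks through phases and stops at the first one that drops. As an added example (not code from the original poster or from Cisco), the parser below splits that trimmed output into phases and pulls out the dropping phase, the rule that caused it, the trailing drop reason and the interface metadata. The sample input is constructed from the lines quoted in the post; the parser targets that trimmed shape (phase name, then `Action`/`Info`/`Config` lines), not the full `packet-tracer` format with its `Phase:`/`Type:`/`Subtype:` headers.

```python
import re

# Constructed sample, copied in shape from the packet-tracer output in the post above.
PACKET_TRACER = """\
Flow-lookup
Action : allow
Info: Found no matching flow, creating a new flow
Route-lookup
Action : allow
Info : 192.168.5.203 255.255.255.255 identity
Access-list
Action : drop
Config Implicit Rule
Result - The packet is dropped
Input Interface : inside
Output Interface : NP Identify Ifc
Info: (acl-drop)flow is denied by configured rule
"""

# Field lines inside a phase; the separator is sometimes ":", sometimes " : ", sometimes absent.
PHASE_FIELD_RE = re.compile(r"^(?P<key>Action|Info|Config)\b\s*:?\s*(?P<val>.*)$")
# Interface metadata printed after the Result line.
META_RE = re.compile(r"^(?P<key>Input Interface|Output Interface)\s*:\s*(?P<val>.*)$")


def parse_packet_tracer(text):
    """Split trimmed ASA packet-tracer output into phases and find the first one that drops."""
    phases, meta, drop_reason = [], {}, None
    seen_result = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Result"):
            # "Result - The packet is dropped" closes the phase list.
            seen_result = True
            meta["result"] = line.split("-", 1)[1].strip() if "-" in line else line
            continue
        m = META_RE.match(line)
        if m:
            meta[m["key"]] = m["val"]
            continue
        m = PHASE_FIELD_RE.match(line)
        if m:
            if seen_result:
                # The Info line after Result is the overall drop reason (e.g. acl-drop).
                if m["key"] == "Info":
                    drop_reason = m["val"]
            elif phases:
                phases[-1][m["key"].lower()] = m["val"]
            continue
        if not seen_result:
            # Any other line before Result is the name of a new phase.
            phases.append({"name": line, "action": None, "info": None, "config": None})
    drop = next((p for p in phases if p["action"] == "drop"), None)
    return {"phases": phases, "drop_phase": drop, "drop_reason": drop_reason, "meta": meta}


if __name__ == "__main__":
    result = parse_packet_tracer(PACKET_TRACER)
    for p in result["phases"]:
        print(f'{p["name"]:<14} action={p["action"]} config={p["config"]}')
    print("dropped in:", result["drop_phase"]["name"], "->", result["drop_reason"])
    print("route/identity hint:", result["meta"].get("Output Interface"))
```

Two fields are worth reading before touching the crypto ACLs: the route lookup resolving to `192.168.5.203 255.255.255.255 identity` and the output interface `NP Identify Ifc`, which in packet-tracer output typically mean the traced destination was the ASA's own interface address rather than a host behind the tunnel, so the trace as run may not exercise the VPN path at all.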

  • How do I configure guest wifi access using a 2504 WLC and a Fortigate UTM L3 device?

    Dear All
    I have a 2504 Wireless Controller with multiple radios attached. I currently have a "private" WLAN configured (taking IPs from a Windows Server based DHCP of range 192.1681.0/24) and working, but I need to add a Guest/Public WLAN which should take its IP from another DHCP configured on the Fortigate UTM with range 172.16.0.0/24.
    We have one SG300 switch in the office and the rest are basic switches.
    Our firewall/router is a Fortigate UTM 240D.
    Find the attached network diagram for the issue.
    Is there a SIMPLE way to enable guest access that doesn't require VLANs (or are VLANs easier than I'm making them)?
    Thanks.

    Complete these steps in order to configure the devices for this network setup:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/70937-guest-internal-wlan.html
    Configure Dynamic Interfaces on the WLC for the Guest and Internal Users
    Create WLANs for the Guest and Internal Users
    Configure the Layer 2 Switch Port that Connects to the WLC as Trunk Port

  • ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate

    I am facing a strange issue on my ASA and a client Fortigate FW.
    We have a site-to-site tunnel with 3DES, SHA and DH-5 on the ASA,
    and 3DES, SHA1 and DH-5 on the Fortigate.
    The tunnel came up when configured; after some time it went down and it is throwing the errors below. Please,
    someone help me here.
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
    Mum-PRI-ASA#

    Hey All,
    I experienced the same issue with another of my tunnels. Lately I came to know it was a higher level of DH computation which my ASA was not able to perform, and an ASA reboot worked here. See the logs for the tunnel which came up after the reboot.
    Error Before Reload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
    Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
    ISAKMP phase completion After Reload
    Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
    Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
    SENDING PACKET to xx.xx.xx.xx

  • Is it possible to add Fortigate 620B to CS-MARS v6.0?

    Hi all,
    I have a Fortigate 620B firewall and I want to add it to CS-MARS. The link below describes adding it to MARS:
    http://firewallguru.blogspot.com/2008/09/fortinet-and-cisco-mars-integration.html
    When I completed it, it stays standalone, not connected to any networks.
    So can anybody show me how I can add and link the Fortigate to my network?
    Thanks anyway.

    Bluecoat is not supported inherently in MARS, nor am I aware of any custom parser for it (at least in the public domain).
    Regards
    Farrukh

  • SCOM Management pack for Checkpoint Firewall & Fortigate UTM

    Hi,
    Does anybody know whether there is a Management Pack for Checkpoint ( www.checkpoint.com ) and
    the Fortigate appliance ( http://www.fortinet.com/products/fortigate/index.html )?
    Please advise me.
    Regards, COMDINI

    Hi,
    If you cannot find them in the System Center Marketplace:
    http://systemcenter.pinpoint.microsoft.com/en-US/home
    you can contact the vendors for a management pack.
    Alex Zhao
    TechNet Community Support

  • Adding firewall Fortigate to CS-MARS 6.1.2

    Hi all,
    I'm having a problem adding a Fortigate 620B to CS-MARS. Although in MARS I see options to add Fortigate (3.0 Local), after discovery the Fortigate is still standalone and doesn't link to any network. Log settings & SNMP are done on the Fortigate. So has anyone tried to add a Fortigate to MARS successfully?
    Please help me if you have any ideas. I have been trying to figure out this problem for over two weeks with no success.
    Here is my config (see attached files)
    On the Fortigate I set up MARS with IP 10.204.1.10 as my SNMP collector
    On MARS I set up the Fortigate with reporting IP 10.204.1.1
    The two devices are connected directly

    I've tried importing other custom parsers from this forum, getting
    the same problem.

  • Westel 7500 / fortigate / multiple IP

    Recently activated business dsl with verizon, purchased 5 ip addresses. Verizon provided westel 7500 modem. Replaced old Westel 2200 with new 7500. I have a fortigate router in place and configured to provide all protection, screening, routing that our company requires. Connection through the fortigate, through the old 2200, to internet worked flawlessly for past 4 years. Dsl circuit has always been through verizon, but through a second party ISP. Had ethic issues with old ISP and switched to Verizon as ISP, they offered multiple IP addresses, I accepted,  hence the new 7500 was sent to replace my 2200. With westel tech support step by step help, set 7500 to bridge mode. With pc testing internet connectivity through fortigate, through 7500, could never connect to internet. Switched back to old 2200, no problem except could only handle 1 ip address. Tech support attempted on 5 occasions to resolve, no luck. Tech folks ranged from somewhat incompetent ( probably perfectly suited to help a residential customer with a standard tech issue) to seemingly knowledgeable .....but were ultimately unable to get the 7500 to function in front of fortigate. Last attempt tech said I should have a 6110, straight bridge modem, so I swapped out the 7500 for a 6110. She failed to mention that the 6110 could only handle 1 ip address. Yikes!!! I'm pulling my hair out, anybody have any input on this. I simply can't be the only business owner who wants to use multiple IP's on a single circuit from verizon and use my own firewall router. Help please if you have any ideas.

    http://www.dslreports.com/faq/13600
    Despite its title, try the directions at that URL.

  • High availability between a FortiGate 300C and an ASA5545

    Hello, a client requires a scheme in which an ASA 5545 can be deployed with a FortiGate in a network for a high-availability setup.
    Has any of you seen something similar? Do you know what the requirements would be to connect them?
    Many thanks
    Jesús Pérez

    Hello community!!! I'm answering my own previous question: IT WAS A MATTER OF TIME, Google has already shared its search results with me!!! So it was just a matter of patience!!
    Greetings to all!!!

  • RVS4000 -- Fortigate 200A

    I'm attempting to set up an IPSEC VPN connection between my RVS4000 at home and my Fortigate 200A at work.  I've verified all Phase 1 and Phase 2 settings and checked to make sure the shared key is identical on both units.  When I try to initiate a connection, the log shows the following:
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: next payload type of ISAKMP Hash Payload has an unknown value: 172
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: malformed payload in packet
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: sending notification PAYLOAD_MALFORMED to {REMOTE_IPADDRESS}:500
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [RFC 3947] method set to=109
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Feb 25 10:50:54 - [VPN Log]: packet from {REMOTE_IPADDRESS}:500: received Vendor ID payload [Dead Peer Detection]
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: Aggressive mode peer ID is ID_IPV4_ADDR: {REMOTE_IPADDRESS}'
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: responding to Aggressive Mode, state #62, connection "Fortigate" from {REMOTE_IPADDRESS}
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: STATE_AGGR_R1: sent AR1, expecting AI2
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: packet rejected: should have been encrypted
    Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: sending notification INVALID_FLAGS to {REMOTE_IPADDRESS}:500
    Feb 25 10:50:55 - [VPN Log]: "Fortigate" #63: initiating Aggressive Mode #63, connection "Fortigate"
    Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
    Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500
    Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
    Feb 25 10:50:58 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to {REMOTE_IPADDRESS}:500
    No connection is ever made.  Does anyone know what I should be looking at to fix this???

    Hello,
    I am not sure of what the problem is, however there are several messages below for why a packet or communication is denied. "packet should be encrypted, message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level, etc ..."
    It looks like something in the config parameters is not matching.
    Does Fortigate have any literature on how you can connect to different vendors' VPNs?  Is there a 'standardized' method for connecting multiple vendors with the Fortigate?
    Perhaps someone much smarter than me on this community has some additional suggestions, however I would suggest checking with Fortigate and seeing if they have a config guide that explains how to connect to 3rd party vendors and which settings will be standard and accepted.
    Also, you may consider posting your config here.  Just be sure to remove any information that is sensitive and you don't want to be shared.
    HTH,
    Andrew Lissitz
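Both IKE threads on this page (the ASA/Fortigate ISAKMP Phase 1 thread earlier, and the RVS4000/Fortigate thread just above) come down to reading a negotiation log and spotting which side rejected what. As an added example (not code from either poster, Cisco, Fortinet or the RVS4000 firmware), the script below triages the two log shapes: for ASA IKEv1 debug lines it de-duplicates the repeated `Phase 1 failure: Mismatched attribute types` messages, collects `Unable to compute DH pair` errors and the SAs that terminated; for the Openswan-style RVS4000 lines it counts the notifications sent to the peer and records which exchanges ran in Aggressive Mode. The sample lines are constructed copies of the lines quoted in those threads with documentation IP addresses (203.0.113.5, 198.51.100.7) substituted for the redacted peers; the regexes assume those line shapes.

```python
import re
from collections import Counter

# Constructed sample (ASA IKEv1 debug shape from the ISAKMP thread above; peer IP is a documentation address).
ASA_LOG = """\
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = 203.0.113.5, processing SA payload
Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = 203.0.113.5, Oakley proposal is acceptable
Aug 06 21:17:33 [IKEv1]: IP = 203.0.113.5, Unable to compute DH pair while processing SA!
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = 203.0.113.5, IKE SA MM:64cf4b96 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

# Constructed sample (RVS4000 "[VPN Log]" shape from the thread above; peer IP is a documentation address).
RVS_LOG = """\
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: next payload type of ISAKMP Hash Payload has an unknown value: 172
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: malformed payload in packet
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #61: sending notification PAYLOAD_MALFORMED to 198.51.100.7:500
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: responding to Aggressive Mode, state #62, connection "Fortigate" from 198.51.100.7
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: packet rejected: should have been encrypted
Feb 25 10:50:54 - [VPN Log]: "Fortigate" #62: sending notification INVALID_FLAGS to 198.51.100.7:500
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: message ignored because it contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D) at the outermost level
Feb 25 10:50:56 - [VPN Log]: "Fortigate" #63: sending notification INVALID_PAYLOAD_TYPE to 198.51.100.7:500
"""

# ASA IKEv1 patterns.
MISMATCH_RE = re.compile(
    r"Phase 1 failure:\s+Mismatched attribute types for class (?P<cls>.+?):"
    r"\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)
DH_FAIL_RE = re.compile(r"IP = (?P<peer>\S+), Unable to compute DH pair")
SA_TERM_RE = re.compile(r"IP = (?P<peer>\S+), IKE SA MM:(?P<cookie>[0-9a-f]+) terminating")

# Openswan-style (RVS4000) patterns.
NOTIFY_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): sending notification (?P<notify>[A-Z_]+) to (?P<peer>\S+):500')
AGGR_RE = re.compile(r"#(?P<state>\d+): (responding to|initiating) Aggressive Mode")


def triage_asa_ikev1(text):
    """Summarise ASA IKEv1 Phase 1 trouble: proposal mismatches, DH failures, terminated SAs."""
    mismatches = set()  # the ASA logs each mismatch twice; a set de-duplicates them
    dh_failures, terminated = [], []
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            mismatches.add((m["cls"], m["rcvd"], m["cfgd"]))
            continue
        m = DH_FAIL_RE.search(line)
        if m:
            dh_failures.append(m["peer"])
            continue
        m = SA_TERM_RE.search(line)
        if m:
            terminated.append((m["peer"], m["cookie"]))
    return {"mismatches": sorted(mismatches), "dh_failures": dh_failures, "terminated": terminated}


def triage_openswan(text):
    """Summarise an Openswan-style responder log: notifications sent and Aggressive Mode exchanges."""
    notifies = Counter()
    aggressive = set()
    for line in text.splitlines():
        m = NOTIFY_RE.search(line)
        if m:
            notifies[m["notify"]] += 1
        m = AGGR_RE.search(line)
        if m:
            aggressive.add(int(m["state"]))
    return {"notifications": dict(notifies), "aggressive_states": sorted(aggressive)}


if __name__ == "__main__":
    asa = triage_asa_ikev1(ASA_LOG)
    for cls, rcvd, cfgd in asa["mismatches"]:
        print(f"ASA: peer proposed {cls} = {rcvd}, local policy wants {cfgd}")
    print("ASA: DH computation failed for peers", asa["dh_failures"])
    print("ASA: terminated SAs", asa["terminated"])
    rvs = triage_openswan(RVS_LOG)
    print("RVS4000: notifications sent", rvs["notifications"])
    print("RVS4000: aggressive-mode states", rvs["aggressive_states"])
```

The mismatch tuple is the actionable part: `("Group Description", "Group 5", "Group 2")` says the peer offered DH group 5 while the matching local policy is group 2, which is exactly what one would compare against the DH setting on the other box before treating `Unable to compute DH pair` as a platform fault; on the RVS4000 side, a run of `PAYLOAD_MALFORMED`, `INVALID_FLAGS` and `INVALID_PAYLOAD_TYPE` on consecutive states points at a parameter or mode disagreement rather than a wrong pre-shared key.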

  • Fortigate Device Monitoring with SNMP

    Hi
    I have SCOM 2012 R2 in my environment. I want to do network device monitoring for Fortigate routers/firewalls. I have configured all firewall ports between my management server and the Fortigate device. I have created an SNMP v1/v2 Run As account and have added the community string in the network device as well. When I create the rule and run it, my Fortigate device appears in Network Device Pending Management. In the alerts pane I can see that the rule discovery is failing. The error log says there might be a problem with credentials or firewall settings. But I have configured all of them properly. Please help

    Hi,
    Please refer to the link below:
    How to Discover Network Devices in Operations Manager
    https://technet.microsoft.com/en-us/library/hh278846.aspx

  • Fortigate on Windows Server Problem

    Someone suggested I post this question here...hopefully, this is the right place, and someone can give me an answer.
    I was just given a new Mac Pro with OS X 10.6.8. Previously I was working on a Windows machine.
    Switching over went well...I have access to the Exchange Server and am able to get all of my email. I can also access the Windows server volumes and have no problems with that.
    My problem is that I'm hitting a wall (literally) with our company's Fortigate Firewall. On my Windows machine, I had full access to the internet. But, with my Mac, for some reason, Fortigate is not seeing me as logged in as a Fortigate user, so, I'm blocked. Unfortunately, our "IT Manager" is someone who hates the Mac platform, was unwilling to approve the purchase of a Mac, then basically said that I was on my own as far as technical support. We do have an outside agency that handles all of our tech support (our "IT Manager" is basically just a liaison for the off site support company), but the off site support company also seems to not know a whole lot about Macs.
    When I asked the off site company about possible solutions to my problem, our "IT Manager" got involved, did some ranting about the incompatibility of Macs, and I was basically told:
    A Mac, as it does not perform NTLM authentication to the domain by default, will not be able to authenticate and show up as a user in the FortiGate.  It will continue to fall into the ‘guest’ account category.
    There are three ways around this:
    Add the Mac to the domain and make it login every time (this will present other management overhead issues regarding file share access, printer access, etc., which can certainly be taken care of, it will just be about 1-2 hours of on-site work to test and configure completely).
    Give the Mac a ‘sticky’ DHCP address so that it uses its own UTM policy on the firewall (easy way out).
    Create an approved corporate IT policy and force her to use a PC by disallowing non-Windows based PCs on the network as they present an unmanageable security risk (Macs are usually supported on Windows-based networks in corporate environments, but only on a best-effort ‘you-choose-it-so-you-support-it’ basis).
    I then asked the off site support company whether or not I can configure my Mac to use a proxy server ip address and solve the problem that way, and I was told that the firewall "was not set up that way."
    I know that Fortigate is compatible with Macs, and it just seems like this is being made out to be more difficult than it has to be. I'm ok with doing my own tech support for my Mac, but the IT people I'm dealing with just seem to either refuse to give me any useful information, or just seem to not know what they're doing (which is typical). I hate to keep going to our IT people with this problem, because every time I do, I (and my boss) get an earful about how Macs are incompatible and we should not have allowed the Mac on the network in the first place.
    So, I guess my question is: Is there a way that I can set this up myself on my end so that the Fortigate Firewall will see me as a registered user? Or are the solutions listed by our support service the only options for me?

    Maybe it's a little late, but in case it helps someone.
    I had the same problem and the cause was that the host name was too long.
    I set a shorter name and the error disappeared.

  • GRE IPSec between Cisco 2811 and FortiGate 110C

    Hello,
    Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

    Hi,
    You can configure the GRE tunnel on the 2811.
    I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
    I've only seen GRE tunnels between Cisco devices (however I have not tried it, so I can't assure you that it will not work :-()
    Federico.

  • WLC 5508 integration with fortigate and Guest Vlan

    Hi
    I have a Cisco 5508 WLC and I want to connect one WLC port to the Fortigate (FW) for direct internet.
    The other port on the WLC I will connect to the Cisco core switch for the other SSIDs and for management. Now the question is how to divide the ports on the WLC 5508, and how to point Layer 3 traffic if I don't configure the switch port as a trunk.
    Kindly advise what the best solution would be.

    sh etherchannel 99 sum
    Flags:  D - down        P - bundled in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            U - in use      N - not in use, no aggregation
            f - failed to allocate aggregator
            M - not in use, no aggregation due to minimum links not met
            m - not in use, port not aggregated due to minimum links not met
            u - unsuitable for bundling
            d - default port
            w - waiting to be aggregated
    Number of channel-groups in use: 38
    Number of aggregators:           38
    Group  Port-channel  Protocol    Ports
    ------+-------------+-----------+-----------------------------------------------
    99     Po99(SU)         -        Gi2/2/1(P)     Gi2/2/2(P)     Gi2/2/3(D)     
                                     Gi2/2/4(P)     
    Last applied Hash Distribution Algorithm: Fixed
    Gi2/2/3 is down because we had to shut down the interface: when it is up, many APs refuse to register.
