topic Re: Strange traffic selectors in General Topics

Strange traffic selectors

ibrown — Mon, 29 Sep 2025 11:33:21 GMT

Hello All,

I've been trying to establish a tunnel with a third party Fortigate in AWS, and whilst I have a working tunnel, I am seeing most peculiar errors coming back from the Fortigate, it basically is rejecting my traffic selectors, but I don't understand how the traffic selectors are being built. I have an R81.20 cluster with a specific vpn domain and we seem to be sending every address it knows about, even though they are outside the encryption domain and in some cases our infrastructure; even the sync interfaces are in there. I've even got the tunnel config for this 3rd party overriding the default and supplying a single address as the encryption domain, and yet this still comes back.

The other VPNs connected to this cluster are star with no routing through the center gateway. This tunnel is set to host to host, partly as that is what I was asked for, and partly because setting it to gateway-to-gateway it does not work, it does the phase1 and phase 2 but encrypted outbound traffic does not reach the host behind the endpoint.

Time: 2025-09-29T10:39:51Z
Interface Direction: inbound
Interface Name: daemon
Source: <Single 3rd party vpn terminator>
Destination: <internal address>
VPN Peer Gateway: <Single 3rd party vpn terminator>
Scheme: IKEv2 [UDP (IPv4)]
Ike: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <every address the gateway cluster knows about, including the sync interfaces and other vpn devices> MyTSr: <Single 3rd party vpn terminator> <Single 3rd party vpn host> <224.0.0.0 - 224.0.0.255> Peer TSi: <Single 3rd party vpn terminator> Peer TSr:
IKE Initiator Cookie: 97644c4ac718ec96
IKE Responder Cookie: 1ee98d9668bb508e
IKE Phase2 Message ID: 00000002
IKE IDs: <Single 3rd party vpn terminator>
Community: VPN_fortigate
Reject Category: IKE failure
VPN Feature: IKE
Action: Reject
Type: Log
Blade: VPN
Interface: daemon

Any ideas ?

Many thanks

Ian

Re: Strange traffic selectors

the_rock — Mon, 29 Sep 2025 11:59:54 GMT

Hey mate,

Just make sure you have right things selected in what I attached. You can add as many as needed. I have fully licenses Fortigate lab, so if you want me to test anything, let me know. Its on latest firmware, 7.6.4

Andy

Re: Strange traffic selectors

ibrown — Mon, 29 Sep 2025 12:10:25 GMT

Thanks Andy. As that is not under my control, I will ask them what they have. When I had debug on, I was seeing 'universal group' coming back, so I think that is what is set.

Re: Strange traffic selectors

the_rock — Mon, 29 Sep 2025 12:14:37 GMT

Im 100% sure thats what it is. Otherwise, Fortigate would never throw message like that.

Not sure where they saw it, but you can have them run debug like this, if they have not already:

di de di

di de app ike -1

di de en

-get the output

then have them run -> di de di

Best,

Andy

Re: Strange traffic selectors

the_rock — Mon, 29 Sep 2025 12:19:17 GMT

From my lab.

Andy

***********

Fortigate-VM # di de di

Fortigate-VM # di de app ike -1
Debug messages will be on for 30 minutes.

Fortigate-VM # di de en

Fortigate-VM #

Fortigate-VM # get sys status
Version: FortiGate-VM64-KVM v7.6.4,build3596,250820 (GA.F)
First GA patch build date: 240724
Current Security Level: High
Firmware Signature: certified
Virus-DB: 93.06103(2025-09-28 22:31)
Extended DB: 93.06103(2025-09-28 22:31)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 4.03282(2025-09-28 21:50)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 34.00091(2025-09-26 00:22)
IPS-MLDB: 2507.00207(2025-07-30 01:00)
APP-DB: 34.00090(2025-09-25 00:37)
AIAP-DB: 34.00090(2025-09-25 00:37)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 34.00091(2025-09-26 00:22)
Proxy-APP-DB: 34.00090(2025-09-25 00:37)
FMWP-DB: 0.00000(2001-01-01 00:00)
IPS Malicious URL Database: 5.00550(2025-09-29 01:23)
IoT-Detect: 34.00091(2025-09-25 11:25)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.01154(2025-08-13 22:24)
Timezone DB Version: 1.0007
Timezone DB IANA Version: 2024b
Serial-Number: FGVMSLTM25001105
License Status: Valid
License Expiration Date: 2025-11-28
VM Resources: 2 CPU/2 allowed, 3850 MB RAM
Log hard disk: Not available
Hostname: Fortigate-VM
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 3596
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Sep 29 08:18:49 2025
Last reboot reason: power cycle

Fortigate-VM #

Re: Strange traffic selectors

ibrown — Mon, 29 Sep 2025 14:00:15 GMT

Hi Andy,

Apparently it's set to a single host, as per my end. What puzzles me more, is why my CP cluster is sending such a big traffic selector, surely that isn't normal ? It's got other 3rd party vpn endpoints in it, which are not routeable via the cluster so should never be there.

Ian

Re: Strange traffic selectors

the_rock — Mon, 29 Sep 2025 14:01:07 GMT

Can you show how is tunnel management configured in vpn community?

Andy

Re: Strange traffic selectors

ibrown — Mon, 29 Sep 2025 14:05:27 GMT

Certainly, nothing special

Re: Strange traffic selectors

the_rock — Mon, 29 Sep 2025 14:34:31 GMT

K, fair enough, so then traffic selectors phase 2 have to match on FGT.

Andy

Re: Strange traffic selectors

the_rock — Wed, 01 Oct 2025 11:43:24 GMT

Hey mate,

Were you able to sort this out?

Best,

Andy

Re: Strange traffic selectors

ibrown — Wed, 01 Oct 2025 13:23:08 GMT

Sadly not. The 3rd party is a gov institution so I only get so much info. We've tried a host encryption domain on the fortigate and a universal one, only the former works but sends the errors.

Re: Strange traffic selectors

the_rock — Wed, 01 Oct 2025 13:24:08 GMT

Hey,

Just to make sure, so currently, on FGT, its set as hosts? If yes, same error as before?

Andy

Re: Strange traffic selectors

ibrown — Wed, 01 Oct 2025 13:52:18 GMT

Yes, exactly. When set to gateway to gateway on the CP end and 0.0.0.0 on the fortigate I saw the key exchange but traffic did not flow correctly. Hence reverting to this.

Re: Strange traffic selectors

the_rock — Wed, 01 Oct 2025 13:57:05 GMT

Right, but what when its set to host?

Andy

Re: Strange traffic selectors

ibrown — Wed, 01 Oct 2025 14:02:24 GMT

when host to host, key exchange and success, but the fortigate reply complaining about the traffic selectors.

Re: Strange traffic selectors

the_rock — Wed, 01 Oct 2025 14:05:07 GMT

To me, though only way to tell for sure would be if I saw it via remote, but base don below, seems like GFT side "thinks" that either its own selectors are hosts and other side is everething else, or the other way around.

Andy

Ike: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <every address the gateway cluster knows about, including the sync interfaces and other vpn devices> MyTSr: <Single 3rd party vpn terminator> <Single 3rd party vpn host> <224.0.0.0 - 224.0.0.255> Peer TSi: <Single 3rd party vpn terminator> Peer TSr:

Re: Strange traffic selectors

ibrown — Wed, 01 Oct 2025 14:11:13 GMT

Agreed, I am going to take this up with the TAC, as I can't fathom why my gateway should ever expose those addresses.

Thank you for the help !

Re: Strange traffic selectors

the_rock — Wed, 01 Oct 2025 14:17:34 GMT

Sounds good, keep us posted!

Andy