ibrown
Contributor

Strange traffic selectors

Hello All,

I've been trying to establish a tunnel with a third-party Fortigate in AWS, and whilst I have a working tunnel, I am seeing most peculiar errors coming back from the Fortigate: it is basically rejecting my traffic selectors, but I don't understand how the traffic selectors are being built. I have an R81.20 cluster with a specific VPN domain, and we seem to be sending every address it knows about, even though they are outside the encryption domain and in some cases are our infrastructure; even the sync interfaces are in there. I've even got the tunnel config for this third party overriding the default and supplying a single address as the encryption domain, and yet this still comes back.

The other VPNs connected to this cluster are star with no routing through the center gateway. This tunnel is set to host-to-host, partly because that is what I was asked for, and partly because when set to gateway-to-gateway it does not work: it does phase 1 and phase 2, but encrypted outbound traffic does not reach the host behind the endpoint.

Time: 2025-09-29T10:39:51Z
Interface Direction: inbound
Interface Name: daemon
Source: <Single 3rd party vpn terminator>
Destination: <internal address>
VPN Peer Gateway: <Single 3rd party vpn terminator>
Scheme: IKEv2 [UDP (IPv4)]
Ike: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <every address the gateway cluster knows about, including the sync interfaces and other vpn devices> MyTSr: <Single 3rd party vpn terminator> <Single 3rd party vpn host> <224.0.0.0 - 224.0.0.255> Peer TSi: <Single 3rd party vpn terminator> Peer TSr:
IKE Initiator Cookie: 97644c4ac718ec96
IKE Responder Cookie: 1ee98d9668bb508e
IKE Phase2 Message ID: 00000002
IKE IDs: <Single 3rd party vpn terminator>
Community: VPN_fortigate
Reject Category: IKE failure
VPN Feature: IKE
Action: Reject
Type: Log
Blade: VPN
Interface: daemon


Any ideas?

Many thanks

Ian

the_rock
MVP Gold

Hey mate,

Just make sure you have the right things selected in what I attached. You can add as many as needed. I have a fully licensed Fortigate lab, so if you want me to test anything, let me know. It's on the latest firmware, 7.6.4.

Andy

ibrown
Contributor

Thanks Andy. As that is not under my control, I will ask them what they have. When I had debug on, I was seeing 'universal group' coming back, so I think that is what is set.


the_rock
MVP Gold

I'm 100% sure that's what it is. Otherwise, Fortigate would never throw a message like that.

Not sure where they saw it, but you can have them run debug like this, if they have not already:

di de di

di de app ike -1

di de en

-get the output

then have them run -> di de di

Best,

Andy

the_rock
MVP Gold

From my lab.

Andy

***********

Fortigate-VM # di de di

Fortigate-VM # di de app ike -1
Debug messages will be on for 30 minutes.

Fortigate-VM # di de en

Fortigate-VM #


Fortigate-VM # get sys status
Version: FortiGate-VM64-KVM v7.6.4,build3596,250820 (GA.F)
First GA patch build date: 240724
Current Security Level: High
Firmware Signature: certified
Virus-DB: 93.06103(2025-09-28 22:31)
Extended DB: 93.06103(2025-09-28 22:31)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 4.03282(2025-09-28 21:50)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 34.00091(2025-09-26 00:22)
IPS-MLDB: 2507.00207(2025-07-30 01:00)
APP-DB: 34.00090(2025-09-25 00:37)
AIAP-DB: 34.00090(2025-09-25 00:37)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 34.00091(2025-09-26 00:22)
Proxy-APP-DB: 34.00090(2025-09-25 00:37)
FMWP-DB: 0.00000(2001-01-01 00:00)
IPS Malicious URL Database: 5.00550(2025-09-29 01:23)
IoT-Detect: 34.00091(2025-09-25 11:25)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.01154(2025-08-13 22:24)
Timezone DB Version: 1.0007
Timezone DB IANA Version: 2024b
Serial-Number: FGVMSLTM25001105
License Status: Valid
License Expiration Date: 2025-11-28
VM Resources: 2 CPU/2 allowed, 3850 MB RAM
Log hard disk: Not available
Hostname: Fortigate-VM
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 3596
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Sep 29 08:18:49 2025
Last reboot reason: power cycle

Fortigate-VM #


ibrown
Contributor

Hi Andy,

Apparently it's set to a single host, as per my end. What puzzles me more is why my CP cluster is sending such a big traffic selector; surely that isn't normal? It's got other third-party VPN endpoints in it, which are not routable via the cluster, so they should never be there.

Ian


the_rock
MVP Gold

Can you show how tunnel management is configured in the VPN community?

Andy

ibrown
Contributor

Certainly, nothing special.


tunnel.png


the_rock
MVP Gold

OK, fair enough, so then the phase 2 traffic selectors have to match on the FGT.

Andy

the_rock
MVP Gold

Hey mate,

Were you able to sort this out?

Best,

Andy

ibrown
Contributor

Sadly not. The third party is a gov institution, so I only get so much info. We've tried a host encryption domain on the Fortigate and a universal one; only the former works, but it sends the errors.

the_rock
MVP Gold

Hey,

Just to make sure: so currently, on the FGT, it's set as hosts? If yes, same error as before?

Andy

ibrown
Contributor

Yes, exactly. When set to gateway-to-gateway on the CP end and 0.0.0.0 on the Fortigate, I saw the key exchange, but traffic did not flow correctly. Hence reverting to this.


the_rock
MVP Gold

Right, but what happens when it's set to host?

Andy

ibrown
Contributor

When host-to-host, the key exchange succeeds, but the Fortigate replies complaining about the traffic selectors.


the_rock
MVP Gold

To me, though the only way to tell for sure would be if I saw it via remote, based on the below it seems like the FGT side "thinks" that either its own selectors are hosts and the other side is everything else, or the other way around.

Andy

Ike: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <every address the gateway cluster knows about, including the sync interfaces and other vpn devices> MyTSr: <Single 3rd party vpn terminator> <Single 3rd party vpn host> <224.0.0.0 - 224.0.0.255> Peer TSi: <Single 3rd party vpn terminator> Peer TSr: 
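As an added example (not Check Point's or Fortinet's code, and not from this thread), the Python below parses a log line in the shape of the one quoted in the original post and re-quoted just above, lists the gateway's own selectors (MyTSi) that fall outside the encryption domain the tunnel is meant to carry, and applies the RFC 7296 narrowing a responder is allowed to do, which shows what a single-host policy on the far side is left with. The sample addresses, the encryption domain and the angle-bracket range notation are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of the Check Point IKE log quoted in the thread.
# The poster redacted the real addresses; the "<first - last>" range notation is
# assumed from the one unredacted selector (224.0.0.0 - 224.0.0.255).
SAMPLE_LOG = (
    "Ike: Child SA exchange: Sending notification to peer: Traffic selectors "
    "unacceptable MyTSi: <10.10.0.0 - 10.10.0.255> <192.168.250.1 - 192.168.250.2> "
    "<172.16.5.0 - 172.16.5.255> MyTSr: <203.0.113.10 - 203.0.113.10> "
    "<198.51.100.7 - 198.51.100.7> <224.0.0.0 - 224.0.0.255> "
    "Peer TSi: <203.0.113.10 - 203.0.113.10> Peer TSr:"
)

TS_FIELDS = ("MyTSi", "MyTSr", "Peer TSi", "Peer TSr")
RANGE_RE = re.compile(r"<\s*([\d.]+)\s*-\s*([\d.]+)\s*>")


def parse_traffic_selectors(line):
    """Return {field: [(first, last), ...]} for the four TS fields of the log line."""
    selectors = {}
    for i, name in enumerate(TS_FIELDS):
        start = line.find(name + ":")
        if start < 0:
            selectors[name] = []
            continue
        # Each field runs up to the label of the next field (or the end of the line).
        end = line.find(TS_FIELDS[i + 1] + ":", start) if i + 1 < len(TS_FIELDS) else len(line)
        selectors[name] = [(ip_address(a), ip_address(b))
                           for a, b in RANGE_RE.findall(line[start:end])]
    return selectors


def outside_domain(ranges, domain_cidr):
    """Selectors not wholly inside the encryption domain this tunnel should carry."""
    domain = ip_network(domain_cidr)
    return [(a, b) for a, b in ranges if a not in domain or b not in domain]


def narrow(proposed, policy_first, policy_last):
    """RFC 7296 section 2.9: a responder keeps only the overlap of each proposed
    range with its own policy; no overlap at all means TS_UNACCEPTABLE."""
    lo_p, hi_p = ip_address(policy_first), ip_address(policy_last)
    chosen = []
    for a, b in proposed:
        lo, hi = max(a, lo_p), min(b, hi_p)
        if lo <= hi:
            chosen.append((lo, hi))
    return chosen


if __name__ == "__main__":
    ts = parse_traffic_selectors(SAMPLE_LOG)
    print("outside 10.10.0.0/24:", outside_domain(ts["MyTSi"], "10.10.0.0/24"))
    print("narrowed to one host:", narrow(ts["MyTSi"], "10.10.0.5", "10.10.0.5"))
```

Selectors that come back from `outside_domain` are the ones to take to TAC: they are what the peer sees of the gateway's sync and other VPN addresses.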

ibrown
Contributor

Agreed, I am going to take this up with the TAC, as I can't fathom why my gateway should ever expose those addresses.

Thank you for the help!


the_rock
MVP Gold

Sounds good, keep us posted!

Andy
