Thanks Andy. As that is not under my control, I will ask them what they have. When I had debug on, I was seeing 'universal group' coming back, so I think that is what is set.

Im 100% sure thats what it is. Otherwise, Fortigate would never throw message like that.

Not sure where they saw it, but you can have them run debug like this, if they have not already:

di de di

di de app ike -1

di de en

-get the output

then have them run -> di de di

Best,

Andy

From my lab.

Andy

***********

Fortigate-VM # di de di

Fortigate-VM # di de app ike -1
Debug messages will be on for 30 minutes.

Fortigate-VM # di de en

Fortigate-VM #

Fortigate-VM # get sys status
Version: FortiGate-VM64-KVM v7.6.4,build3596,250820 (GA.F)
First GA patch build date: 240724
Current Security Level: High
Firmware Signature: certified
Virus-DB: 93.06103(2025-09-28 22:31)
Extended DB: 93.06103(2025-09-28 22:31)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 4.03282(2025-09-28 21:50)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 34.00091(2025-09-26 00:22)
IPS-MLDB: 2507.00207(2025-07-30 01:00)
APP-DB: 34.00090(2025-09-25 00:37)
AIAP-DB: 34.00090(2025-09-25 00:37)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 34.00091(2025-09-26 00:22)
Proxy-APP-DB: 34.00090(2025-09-25 00:37)
FMWP-DB: 0.00000(2001-01-01 00:00)
IPS Malicious URL Database: 5.00550(2025-09-29 01:23)
IoT-Detect: 34.00091(2025-09-25 11:25)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.01154(2025-08-13 22:24)
Timezone DB Version: 1.0007
Timezone DB IANA Version: 2024b
Serial-Number: FGVMSLTM25001105
License Status: Valid
License Expiration Date: 2025-11-28
VM Resources: 2 CPU/2 allowed, 3850 MB RAM
Log hard disk: Not available
Hostname: Fortigate-VM
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 3596
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Sep 29 08:18:49 2025
Last reboot reason: power cycle

Fortigate-VM #

Hi Andy,

Apparently it's set to a single host, as per my end. What puzzles me more, is why my CP cluster is sending such a big traffic selector, surely that isn't normal ? It's got other 3rd party vpn endpoints in it, which are not routeable via the cluster so should never be there.

Ian

Can you show how is tunnel management configured in vpn community?

Andy

Certainly, nothing special

K, fair enough, so then traffic selectors phase 2 have to match on FGT.

Andy

Hey mate,

Were you able to sort this out?

Best,

Andy

Sadly not. The 3rd party is a gov institution so I only get so much info. We've tried a host encryption domain on the fortigate and a universal one, only the former works but sends the errors.

Hey,

Just to make sure, so currently, on FGT, its set as hosts? If yes, same error as before?

Andy

Yes, exactly. When set to gateway to gateway on the CP end and 0.0.0.0 on the fortigate I saw the key exchange but traffic did not flow correctly. Hence reverting to this.

Right, but what when its set to host?

Andy

when host to host, key exchange and success, but the fortigate reply complaining about the traffic selectors.

To me, though only way to tell for sure would be if I saw it via remote, but base don below, seems like GFT side "thinks" that either its own selectors are hosts and other side is everething else, or the other way around.

Andy

Ike: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <every address the gateway cluster knows about, including the sync interfaces and other vpn devices> MyTSr: <Single 3rd party vpn terminator> <Single 3rd party vpn host> <224.0.0.0 - 224.0.0.255> Peer TSi: <Single 3rd party vpn terminator> Peer TSr: 

Agreed, I am going to take this up with the TAC, as I can't fathom why my gateway should ever expose those addresses.

Thank you for the help !

Sounds good, keep us posted!

Andy