Hello All,
I've been trying to establish a tunnel with a third-party Fortigate in AWS, and whilst I have a working tunnel, I am seeing most peculiar errors coming back from the Fortigate: it is basically rejecting my traffic selectors, but I don't understand how the traffic selectors are being built. I have an R81.20 cluster with a specific VPN domain, and we seem to be sending every address it knows about, even though they are outside the encryption domain and in some cases are our infrastructure; even the sync interfaces are in there. I've even got the tunnel config for this 3rd party overriding the default and supplying a single address as the encryption domain, and yet this still comes back.
The other VPNs connected to this cluster are star with no routing through the center gateway. This tunnel is set to host-to-host, partly as that is what I was asked for, and partly because when it is set to gateway-to-gateway it does not work: it completes phase 1 and phase 2, but encrypted outbound traffic does not reach the host behind the endpoint.
Time: 2025-09-29T10:39:51Z
Interface Direction: inbound
Interface Name: daemon
Source: <Single 3rd party vpn terminator>
Destination: <internal address>
VPN Peer Gateway: <Single 3rd party vpn terminator>
Scheme: IKEv2 [UDP (IPv4)]
Ike: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <every address the gateway cluster knows about, including the sync interfaces and other vpn devices> MyTSr: <Single 3rd party vpn terminator> <Single 3rd party vpn host> <224.0.0.0 - 224.0.0.255> Peer TSi: <Single 3rd party vpn terminator> Peer TSr:
IKE Initiator Cookie: 97644c4ac718ec96
IKE Responder Cookie: 1ee98d9668bb508e
IKE Phase2 Message ID: 00000002
IKE IDs: <Single 3rd party vpn terminator>
Community: VPN_fortigate
Reject Category: IKE failure
VPN Feature: IKE
Action: Reject
Type: Log
Blade: VPN
Interface: daemon
Any ideas?
Many thanks
Ian
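To show why a peer can answer a Child SA exchange with "Traffic selectors unacceptable", here is an added example (not code from the thread or from either vendor) that models the responder side of IKEv2 traffic selector negotiation as described in RFC 7296 section 2.9: the responder intersects the initiator's proposed TSi/TSr with its own policy and, if nothing overlaps, rejects. All addresses are constructed placeholders; the wide TSi list mimics the "every address the cluster knows about" situation in the log, and the `allow_narrowing` flag is an assumption used to contrast a responder that narrows with one that insists on an exact match.

```python
import ipaddress
from typing import List, Optional, Tuple

# A traffic selector is modelled as an inclusive IPv4 address range, as carried in an IKEv2 TS payload.
Range = Tuple[int, int]


def ts(spec: str) -> Range:
    """Parse 'a.b.c.d', 'a.b.c.d/len' or 'a.b.c.d-w.x.y.z' into an inclusive integer range."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
        return lo, hi
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def fmt(r: Range) -> str:
    return f"{ipaddress.IPv4Address(r[0])}-{ipaddress.IPv4Address(r[1])}"


def narrow(proposed: List[Range], policy: List[Range]) -> List[Range]:
    """RFC 7296 section 2.9 narrowing: keep only the overlap of proposed selectors with local policy."""
    kept = []
    for p in proposed:
        for q in policy:
            lo, hi = max(p[0], q[0]), min(p[1], q[1])
            if lo <= hi:
                kept.append((lo, hi))
    return kept


def respond(peer_tsi: List[Range], peer_tsr: List[Range],
            my_local: List[Range], my_remote: List[Range],
            allow_narrowing: bool = True) -> Tuple[str, Optional[List[Range]], Optional[List[Range]]]:
    """Responder view: the initiator's TSi describes the remote side, its TSr describes our local side.
    Returns ('OK', tsi, tsr) with the narrowed selectors, or ('TS_UNACCEPTABLE', None, None)."""
    tsi = narrow(peer_tsi, my_remote)
    tsr = narrow(peer_tsr, my_local)
    if not tsi or not tsr:
        return "TS_UNACCEPTABLE", None, None
    # Assumed behaviour of a responder configured for an exact host match: a wider proposal is refused.
    if not allow_narrowing and (tsi != peer_tsi or tsr != peer_tsr):
        return "TS_UNACCEPTABLE", None, None
    return "OK", tsi, tsr


if __name__ == "__main__":
    # Constructed initiator proposal: encryption domain plus sync and other-peer ranges that leaked in.
    tsi = [ts("10.10.0.0/16"), ts("192.168.255.0/24"), ts("203.0.113.0/24")]
    tsr = [ts("198.51.100.10"), ts("198.51.100.20"), ts("224.0.0.0-224.0.0.255")]
    for strict in (False, True):
        status, i, r = respond(tsi, tsr, [ts("198.51.100.20/32")], [ts("10.10.5.5/32")], not strict)
        print("exact-match" if strict else "narrowing", status, i and [fmt(x) for x in i], r and [fmt(x) for x in r])
```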
Thanks Andy. As that is not under my control, I will ask them what they have. When I had debug on, I was seeing 'universal group' coming back, so I think that is what is set.
I'm 100% sure that's what it is. Otherwise, Fortigate would never throw a message like that.
Not sure where they saw it, but you can have them run debug like this, if they have not already:
di de di
di de app ike -1
di de en
-get the output
then have them run -> di de di
Best,
Andy
From my lab.
Andy
***********
Fortigate-VM # di de di
Fortigate-VM # di de app ike -1
Debug messages will be on for 30 minutes.
Fortigate-VM # di de en
Fortigate-VM #
Fortigate-VM # get sys status
Version: FortiGate-VM64-KVM v7.6.4,build3596,250820 (GA.F)
First GA patch build date: 240724
Current Security Level: High
Firmware Signature: certified
Virus-DB: 93.06103(2025-09-28 22:31)
Extended DB: 93.06103(2025-09-28 22:31)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 4.03282(2025-09-28 21:50)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 34.00091(2025-09-26 00:22)
IPS-MLDB: 2507.00207(2025-07-30 01:00)
APP-DB: 34.00090(2025-09-25 00:37)
AIAP-DB: 34.00090(2025-09-25 00:37)
Proxy-IPS-DB: 6.00741(2015-12-01 02:30)
Proxy-IPS-ETDB: 34.00091(2025-09-26 00:22)
Proxy-APP-DB: 34.00090(2025-09-25 00:37)
FMWP-DB: 0.00000(2001-01-01 00:00)
IPS Malicious URL Database: 5.00550(2025-09-29 01:23)
IoT-Detect: 34.00091(2025-09-25 11:25)
OT-Detect-DB: 0.00000(2001-01-01 00:00)
OT-Patch-DB: 0.00000(2001-01-01 00:00)
OT-Threat-DB: 6.00741(2015-12-01 02:30)
IPS-Engine: 7.01154(2025-08-13 22:24)
Timezone DB Version: 1.0007
Timezone DB IANA Version: 2024b
Serial-Number: FGVMSLTM25001105
License Status: Valid
License Expiration Date: 2025-11-28
VM Resources: 2 CPU/2 allowed, 3850 MB RAM
Log hard disk: Not available
Hostname: Fortigate-VM
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 3596
Release Version Information: GA
FortiOS x86-64: Yes
System time: Mon Sep 29 08:18:49 2025
Last reboot reason: power cycle
Fortigate-VM #
Hi Andy,
Apparently it's set to a single host, as per my end. What puzzles me more is why my CP cluster is sending such a big traffic selector; surely that isn't normal? It's got other 3rd-party VPN endpoints in it, which are not routable via the cluster, so they should never be there.
Ian
Can you show how tunnel management is configured in the VPN community?
Andy
Certainly, nothing special
K, fair enough, so then the phase 2 traffic selectors have to match on the FGT.
Andy
Hey mate,
Were you able to sort this out?
Best,
Andy
Sadly not. The 3rd party is a gov institution, so I only get so much info. We've tried a host encryption domain on the Fortigate and a universal one; only the former works, but it sends the errors.
Hey,
Just to make sure: so currently, on the FGT, it's set as hosts? If yes, same error as before?
Andy
Yes, exactly. When set to gateway to gateway on the CP end and 0.0.0.0 on the fortigate I saw the key exchange but traffic did not flow correctly. Hence reverting to this.
Right, but what about when it's set to host?
Andy
When host-to-host, the key exchange succeeds, but the Fortigate replies complaining about the traffic selectors.
To me, though the only way to tell for sure would be if I saw it via remote, based on below it seems like the FGT side "thinks" that either its own selectors are hosts and the other side is everything else, or the other way around.
Andy
Ike: Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: <every address the gateway cluster knows about, including the sync interfaces and other vpn devices> MyTSr: <Single 3rd party vpn terminator> <Single 3rd party vpn host> <224.0.0.0 - 224.0.0.255> Peer TSi: <Single 3rd party vpn terminator> Peer TSr:
Agreed, I am going to take this up with the TAC, as I can't fathom why my gateway should ever expose those addresses.
Thank you for the help!
Sounds good, keep us posted!
Andy