Azure to FortiGate VPN Phase 2 Traffic Selector Mismatch Problem

Ty 25 Reputation points
2023-05-22T16:58:32.5133333+00:00

I'm trying to make a BGP-enabled VPN connection from Azure to a local FortiGate, and we're getting a phase 2 selector mismatch. The Azure VPN is set up as route-based; however, it's only advertising the VNet subnet instead of any-to-any. We originally had the FortiGate set up with 0.0.0.0/0 traffic selectors, but when Azure wasn't matching we tried to match Azure. Here's the log from the FortiGate:

ike 6:Azure_VPN:12436319:25869722: peer proposal is: peer:0:10.10.0.0-10.10.255.255:0, me:0:169.254.21.2-169.254.21.2:0
ike 6:Azure_VPN:12436319:Azure_VPN:25869722: trying
ike 6:Azure_VPN:12436319:25869722: specified selectors mismatch
ike 6:Azure_VPN:12436319:25869722: peer: type=7/7, local=0:169.254.21.2-169.254.21.2:0, remote=0:10.10.0.0-10.10.255.255:0
ike 6:Azure_VPN:12436319:25869722: mine: type=7/7, local=0:10.1.0.0-10.1.255.255:0, remote=0:10.10.0.0-10.10.255.255:0
ike 6:Azure_VPN:12436319:Azure_VPN_2:25869722: trying
ike 6:Azure_VPN:12436319:25869722: specified selectors mismatch
ike 6:Azure_VPN:12436319:25869722: peer: type=7/7, local=0:169.254.21.2-169.254.21.2:0, remote=0:10.10.0.0-10.10.255.255:0
ike 6:Azure_VPN:12436319:25869722: mine: type=7/7, local=0:10.1.0.0-10.1.255.255:0, remote=0:172.17.32.0-172.17.39.255:0
ike 6:Azure_VPN:12436319:25869722: no matching phase2 found
ike 6:Azure_VPN:12436319:25869722: failed to get responder proposal

Any thoughts on how to get this connection made?
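The FortiGate lines above already contain the answer to "which side is wrong": each `peer:` line is what Azure proposed and the `mine:` line after it is the phase 2 the FortiGate compared it with. The script below is an added example, not part of the original post and not FortiGate or Microsoft tooling; it parses those debug lines (embedded as constructed sample input), renders the start-end ranges as CIDRs and reports, per phase 2 name, whether the configured local and remote selectors cover what the peer proposed. The names `SAMPLE_LOG`, `Selector`, `compare_phase2` and `failing_sides` are mine, and the covering rule is a simplified model of IKEv2 narrowing rather than FortiOS's exact matching code.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the FortiGate "ike" debug lines quoted in the question,
# embedded so the script runs offline (the real source is the FortiGate's IKE debug output).
SAMPLE_LOG = """\
ike 6:Azure_VPN:12436319:25869722: peer proposal is: peer:0:10.10.0.0-10.10.255.255:0, me:0:169.254.21.2-169.254.21.2:0
ike 6:Azure_VPN:12436319:Azure_VPN:25869722: trying
ike 6:Azure_VPN:12436319:25869722: specified selectors mismatch
ike 6:Azure_VPN:12436319:25869722: peer: type=7/7, local=0:169.254.21.2-169.254.21.2:0, remote=0:10.10.0.0-10.10.255.255:0
ike 6:Azure_VPN:12436319:25869722: mine: type=7/7, local=0:10.1.0.0-10.1.255.255:0, remote=0:10.10.0.0-10.10.255.255:0
ike 6:Azure_VPN:12436319:Azure_VPN_2:25869722: trying
ike 6:Azure_VPN:12436319:25869722: specified selectors mismatch
ike 6:Azure_VPN:12436319:25869722: peer: type=7/7, local=0:169.254.21.2-169.254.21.2:0, remote=0:10.10.0.0-10.10.255.255:0
ike 6:Azure_VPN:12436319:25869722: mine: type=7/7, local=0:10.1.0.0-10.1.255.255:0, remote=0:172.17.32.0-172.17.39.255:0
ike 6:Azure_VPN:12436319:25869722: no matching phase2 found
"""

# "ike 6:<phase1>:<id>:<phase2>:<id>: trying" names the phase 2 about to be compared.
TRYING_RE = re.compile(r"^ike \d+:[^:]+:\d+:(?P<p2>[^:]+):\d+: trying$")

# A selector prints as <proto>:<start>-<end>:<port>; "peer:" is what the remote gateway
# proposed, "mine:" is the local phase 2 configuration it was compared with.
SELECTOR_RE = re.compile(
    r"(?P<who>peer|mine): type=\d+/\d+, "
    r"local=(?P<lp>\d+):(?P<ls>[\d.]+)-(?P<le>[\d.]+):(?P<lport>\d+), "
    r"remote=(?P<rp>\d+):(?P<rs>[\d.]+)-(?P<re>[\d.]+):(?P<rport>\d+)"
)


@dataclass(frozen=True)
class Selector:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    proto: int  # 0 means "any"
    port: int   # 0 means "any"

    def covers(self, other: Selector) -> bool:
        """True if this configured selector is at least as wide as the proposal `other`.
        Simplified model of IKEv2 narrowing (RFC 7296 s.2.9): a responder may only answer
        with a subset of the proposal, so the configured range/proto/port must contain it."""
        proto_ok = self.proto in (0, other.proto)
        port_ok = self.port in (0, other.port)
        return proto_ok and port_ok and self.start <= other.start and other.end <= self.end


def as_cidr(sel: Selector) -> str:
    """Render a start-end range as one CIDR when it aligns to one, else as a range."""
    nets = list(ipaddress.summarize_address_range(sel.start, sel.end))
    return str(nets[0]) if len(nets) == 1 else f"{sel.start}-{sel.end}"


def _selectors(m: re.Match) -> tuple[Selector, Selector]:
    local = Selector(ipaddress.IPv4Address(m["ls"]), ipaddress.IPv4Address(m["le"]),
                     int(m["lp"]), int(m["lport"]))
    remote = Selector(ipaddress.IPv4Address(m["rs"]), ipaddress.IPv4Address(m["re"]),
                      int(m["rp"]), int(m["rport"]))
    return local, remote


def compare_phase2(log_text: str) -> list[dict]:
    """Pair each 'peer:' proposal with the 'mine:' line that follows it and record, per
    phase 2 name, whether the configured local and remote selectors cover the proposal."""
    results: list[dict] = []
    phase2 = None
    peer = None
    for line in log_text.splitlines():
        t = TRYING_RE.match(line)
        if t:
            phase2 = t["p2"]
            continue
        m = SELECTOR_RE.search(line)
        if not m:
            continue
        if m["who"] == "peer":
            peer = _selectors(m)
            continue
        if peer is None:  # "mine:" without a preceding proposal: nothing to compare
            continue
        mine = _selectors(m)
        results.append({
            "phase2": phase2,
            "peer_local": as_cidr(peer[0]), "peer_remote": as_cidr(peer[1]),
            "mine_local": as_cidr(mine[0]), "mine_remote": as_cidr(mine[1]),
            "local_ok": mine[0].covers(peer[0]), "remote_ok": mine[1].covers(peer[1]),
        })
        peer = None
    return results


def failing_sides(results: list[dict]) -> dict[str, list[str]]:
    """Map each phase 2 name to the list of sides ("local"/"remote") that did not match."""
    return {r["phase2"]: [s for s, ok in (("local", r["local_ok"]), ("remote", r["remote_ok"]))
                          if not ok]
            for r in results}


if __name__ == "__main__":
    for r in compare_phase2(SAMPLE_LOG):
        print(f"{r['phase2']}: peer local={r['peer_local']} remote={r['peer_remote']} | "
              f"mine local={r['mine_local']} remote={r['mine_remote']} | "
              f"local_ok={r['local_ok']} remote_ok={r['remote_ok']}")
```

Run against the quoted lines, the report shows the remote side (10.10.0.0/16, the Azure VNet) matches the first phase 2 fine; what fails on both phase 2 entries is the local side, because Azure proposes the FortiGate's BGP peer address 169.254.21.2/32 as the local selector while the FortiGate is configured with 10.1.0.0/16. That is the comparison to run before touching either end, and it is also why a 0.0.0.0/0 selector on both sides (which `covers` anything) never produces this message.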


Accepted answer
    KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator
    2023-05-29T05:14:10.9166667+00:00

    @Ty

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you are in the middle of setting up Any-to-Any traffic selectors in your Azure S2S VPN Connection.

    I suggested we enable diagnostic logs for the VPN Gateway.

    Especially,

    • TunnelDiagnosticLog
    • IKEDiagnosticLog

    Looking at your logs, it looked like a TrafficSelectorMismatch issue.

    I recommended the below steps, which could help to mitigate the issue.

    Later, you had a troubleshooting session with the VPN device vendor, and they were able to resolve this issue.

    Please let us know if we can be of any further assistance here, and I shall be glad to assist as always :)

    Thanks,

    Kapil


    Kindly Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

