Problem Description
This article describes how to troubleshoot IPSec error: 22: Invalid argument.
Scope
FortiGate
Solution
Step 1: An IPSec tunnel is configured between FG-A and FG-B with the following Phase2 selector settings:
FG-A:
[IPSec_local]
IPSec_local_subnet_1: 10.251.0.0/20
IPSec_local_subnet_2: 10.251.0.0/24
[IPSec_remote]
IPSec_remote_subnet_1: 10.120.0.0/20
FG-B:
[IPSec_local]
IPSec_local_subnet_1: 10.120.0.0/20
[IPSec_remote]
IPSec_remote_subnet_1: 10.251.0.0/20
IPSec_remote_subnet_2: 10.251.0.0/24
Step 2: With this configuration, IPSec Phase2 does not come up when the tunnel is brought up from FG-B.
The IPSec debug log is then inspected with the following commands:
# diag vpn ike log-filter dst-addr4
# diag deb app ike -1
# diag deb en
Step 3: The debug log shows that FG-A failed to add the SA with error 22: Invalid argument.
It was also observed on FG-A that the SA_DONE operation failed with error 2: No such file or directory.
Step 4: The tunnel is established if FG-A becomes the initiator, as seen in the debug output captured on FG-A and on FG-B.
Step 5: This happens because the subnets configured on FG-A overlap: 10.251.0.0/24 lies inside 10.251.0.0/20.
Removing 10.251.0.0/24 from the address group on both FortiGates prevents the issue regardless of whether FG-A or FG-B is the initiator.
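A pre-change check, added here as an example (not FortiOS code and not part of the original article), that flags overlapping prefixes inside a Phase2 selector group and verifies that the two peers' selectors mirror each other, using the address lists from Step 1; the dictionaries and function names are assumptions.

```python
import ipaddress
from itertools import combinations

# Phase2 selector address groups as listed in the article (constructed here;
# the dictionary layout and names are assumptions, not FortiOS objects).
FG_A = {
    "local": ["10.251.0.0/20", "10.251.0.0/24"],
    "remote": ["10.120.0.0/20"],
}
FG_B = {
    "local": ["10.120.0.0/20"],
    "remote": ["10.251.0.0/20", "10.251.0.0/24"],
}

def overlapping_pairs(prefixes):
    """Return every pair of prefixes in one selector group that overlap.
    A prefix contained in another (10.251.0.0/24 inside 10.251.0.0/20)
    counts; this is what made FG-A reject the SA with error 22."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

def check_peer(name, selectors):
    """Report overlaps inside the local and remote groups of one FortiGate."""
    return [f"{name} {side}: {a} overlaps {b}"
            for side in ("local", "remote")
            for a, b in overlapping_pairs(selectors[side])]

def check_mirror(fg_a, fg_b):
    """Selectors must mirror each other across the tunnel: FG-A local should
    equal FG-B remote and FG-A remote should equal FG-B local."""
    findings = []
    if set(fg_a["local"]) != set(fg_b["remote"]):
        findings.append("FG-A local does not mirror FG-B remote")
    if set(fg_a["remote"]) != set(fg_b["local"]):
        findings.append("FG-A remote does not mirror FG-B local")
    return findings

def audit(fg_a, fg_b):
    """Run both checks; an empty list means the selectors are safe to push."""
    return check_peer("FG-A", fg_a) + check_peer("FG-B", fg_b) + check_mirror(fg_a, fg_b)

def remove_prefix(selectors, prefix):
    """Apply the article's fix: drop the prefix from every group of one peer."""
    return {side: [p for p in nets if p != prefix] for side, nets in selectors.items()}

if __name__ == "__main__":
    print(audit(FG_A, FG_B))
    fixed_a, fixed_b = (remove_prefix(x, "10.251.0.0/24") for x in (FG_A, FG_B))
    print(audit(fixed_a, fixed_b) or "no findings after removing 10.251.0.0/24")
```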