Mono_FTNT
Staff
December 10, 2015

Technical Note: Replay packet will be detected on a remote site after HA failover occurs


Description

In a site-to-site (gateway-to-gateway) IPsec VPN (IKEv1) environment, if Replay Detection is disabled on an HA cluster but enabled at the remote site, the remote site will detect replayed packets after a device failover occurs on the HA cluster.

If the VPN gateway at the remote site is a FortiGate, an event log entry like the one below will be seen (status=esp_error with the "replayed packet" error):

date=2015-12-10 time=10:01:23 logid=0101037132 type=event subtype=vpn level=critical vd="root" msg="IPsec ESP" action=error remip=192.168.219.221 locip=192.168.219.226 remport=0 locport=500 outintf="wan1" cookies="04feffb2bb661941/6a535a292216d95c" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="fgt600c_p1" status=esp_error error_num="Invalid ESP packet detected (replayed packet)." spi="3bcb61c6" seq="0000022e"


Scope

FortiOS version 5.0, 5.2


Solution

Replay Detection applies not only to the inbound direction but also to the outbound direction, so the Replay Detection setting must be the same on both the local and remote sites. With the setting mismatched, the ESP packets sent by the new primary unit after the failover fail the remote peer's inbound replay check, which is exactly what the log entry above reports. Enable (or disable) Replay Detection in the phase 2 configuration on both sides.
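The following FortiOS CLI fragment is an added example, not configuration taken from the original note. It shows the mismatched phase 2 settings that produce the error and the corrected, symmetric settings. The phase 1 name "fgt600c_p1" comes from the log entry above (it is the name on the remote FortiGate); every other name ("fgt600c_p2", "ha_p1", "ha_p2") is an assumption used only for illustration.

```text
# Added example (not from the original note). Names other than "fgt600c_p1"
# are assumptions. Route-based VPNs use "phase2-interface"; policy-based
# VPNs use "config vpn ipsec phase2" with the same "set replay" option.

# --- Mismatched state that produces "Invalid ESP packet detected (replayed packet)" ---
# On the HA cluster (local site), Replay Detection disabled:
config vpn ipsec phase2-interface
    edit "ha_p2"
        set phase1name "ha_p1"
        set replay disable
    next
end

# On the remote FortiGate, Replay Detection enabled:
config vpn ipsec phase2-interface
    edit "fgt600c_p2"
        set phase1name "fgt600c_p1"
        set replay enable
    next
end

# --- Corrected state: the same Replay Detection setting on both sides ---
# On the HA cluster:
config vpn ipsec phase2-interface
    edit "ha_p2"
        set replay enable
    next
end

# On the remote FortiGate (unchanged, shown for symmetry):
config vpn ipsec phase2-interface
    edit "fgt600c_p2"
        set replay enable
    next
end

# --- Verify on each side ---
# "show" omits values that are at their default, so use the full form
# to see the replay setting explicitly on both gateways:
show full-configuration vpn ipsec phase2-interface
```

Check both gateways with the last command and compare the "set replay" line of the phase 2 entries that belong to the tunnel; they must match. Changing the phase 2 entry causes the tunnel's security associations to be renegotiated, so apply the change in a maintenance window.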