fwilliams
Staff & Editor
October 25, 2022

Technical Tip: How to resolve 'Invalid ESP packet detected (HMAC validation failed)' error messages

Description

This article provides guidelines for how to resolve the issue of receiving 'Invalid ESP packet detected (HMAC validation failed)' error messages in your logs.

Scope

FortiGate v6.4, v7.0 and v7.2.

Solution

HMAC validation failure can occur at the kernel (software) or NPU level (hardware).

 

If this error appears, try the following steps in order:

1. Disable NPU offload on the phase1 interface and on the firewall policy.

 

config vpn ipsec phase1-interface
    edit "name"
        set npu-offload disable
    next
end

config firewall policy
    edit X
        set auto-asic-offload disable
    next
end

 

2. HMAC checks are offloaded to the network processors by default; disable the offload to see whether that helps.

 

config system global
    set ipsec-hmac-offload disable
end

 

3. Fragment packets before they are encapsulated in ESP (pre-encapsulation fragmentation).

 

config vpn ipsec phase1-interface
    edit "name"
        set ip-fragmentation pre-encapsulation
    next
end

 

In a hub-and-spoke setup (HQ and branch) where the spoke initiates most of the traffic towards the hub, enabling pre-encapsulation fragmentation on the spoke side alone may be enough.
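Before applying any of the steps above it helps to know which phase1 interface (the "name" in the configuration blocks) and which remote peer are actually producing the failures, so that the change is made on the right tunnel and policy. The following Python script is an added example; it is not part of the original article and not FortiOS code. It parses FortiGate-style key=value event log lines and counts HMAC validation failures per tunnel and remote peer. The sample log lines are constructed, and the field names vpntunnel, remip, error_num and status are assumptions about the log schema, so compare them with the event log output of your own device before relying on the result.

```python
import re
from collections import Counter

# Constructed FortiGate-style event log lines (not captured from a real device).
# Field names such as vpntunnel, remip and error_num are assumptions about the
# log schema; verify them against your own FortiGate's VPN event logs.
SAMPLE_LOGS = [
    'date=2022-10-25 time=08:01:02 type="event" subtype="vpn" level="error" vd="root" '
    'logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=203.0.113.10 locip=198.51.100.1 '
    'vpntunnel="to_branch1" status="esp_error" '
    'error_num="Invalid ESP packet detected (HMAC validation failed)." spi="0x1a2b3c4d" seq="0x1f"',
    'date=2022-10-25 time=08:01:05 type="event" subtype="vpn" level="error" vd="root" '
    'logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=203.0.113.10 locip=198.51.100.1 '
    'vpntunnel="to_branch1" status="esp_error" '
    'error_num="Invalid ESP packet detected (HMAC validation failed)." spi="0x1a2b3c4d" seq="0x23"',
    'date=2022-10-25 time=08:01:09 type="event" subtype="vpn" level="error" vd="root" '
    'logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=203.0.113.10 locip=198.51.100.1 '
    'vpntunnel="to_branch1" status="esp_error" '
    'error_num="Invalid ESP packet detected (HMAC validation failed)." spi="0x1a2b3c4d" seq="0x24"',
    'date=2022-10-25 time=08:02:40 type="event" subtype="vpn" level="error" vd="root" '
    'logdesc="IPsec ESP" msg="IPsec ESP" action="error" remip=203.0.113.20 locip=198.51.100.1 '
    'vpntunnel="to_branch2" status="esp_error" '
    'error_num="Invalid ESP packet detected (HMAC validation failed)." spi="0x5e6f7a8b" seq="0x02"',
    # An unrelated VPN event that must not be counted as an HMAC failure.
    'date=2022-10-25 time=08:03:00 type="event" subtype="vpn" level="notice" vd="root" '
    'logdesc="IPsec phase 2 status change" msg="IPsec phase 2 status change" action="phase2-up" '
    'remip=203.0.113.20 locip=198.51.100.1 vpntunnel="to_branch2" status="phase2_up"',
]

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces and backslash-escaped quotes) or a bare token without whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

HMAC_MARKER = "HMAC validation failed"


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def is_hmac_failure(fields):
    """True for VPN event records whose error text reports an HMAC validation failure."""
    if fields.get("type") != "event" or fields.get("subtype") != "vpn":
        return False
    text = fields.get("error_num", "") + " " + fields.get("msg", "")
    return HMAC_MARKER in text


def hmac_failures(lines):
    """Count HMAC validation failures per (tunnel name, remote peer IP)."""
    counts = Counter()
    for line in lines:
        fields = parse_kv(line)
        if is_hmac_failure(fields):
            counts[(fields.get("vpntunnel", "unknown"), fields.get("remip", "unknown"))] += 1
    return counts


def triage(lines, threshold=2):
    """Return the tunnels that reached the threshold, most failures first.

    'phase1' is the name to use in the article's edit "name" steps and
    'peer' is the remote gateway whose side of the tunnel should be checked too."""
    report = []
    for (tunnel, peer), n in sorted(hmac_failures(lines).items(), key=lambda kv: -kv[1]):
        if n >= threshold:
            report.append({"phase1": tunnel, "peer": peer, "failures": n})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGS):
        print(f'{entry["phase1"]}: {entry["failures"]} HMAC failures from {entry["peer"]}')
```

Feed the script the raw event log export instead of SAMPLE_LOGS to see which tunnel to start with; a single failing tunnel among many healthy ones points at that tunnel's peer, path MTU or offload path rather than at a box-wide setting, while failures across every tunnel make step 2 (the global HMAC offload) the more likely fix.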

 

Note:

Check whether the change in step 1 resolves the issue before moving on to step 2, and so on.

 

If the issue persists, open a ticket with Fortinet support.

 

Related article:

Troubleshooting Tip: 'Invalid ESP packet detected (HMAC validation failed)' VPN error