Wallerson (Staff)
February 16, 2026

Troubleshooting Tip: How to fix 'mismatch selector error' followed by 'anti-spoof check failed, drop'

Description

This article describes a scenario in which a 'mismatch selector error' might occur. A static IPsec VPN tunnel is established between two FortiGates, and the Phase2 selectors cover the same addresses on both sides but are configured in different ways: one side uses subnet addresses with 6 selector entries, while the other side has just one entry referencing an address group.

Scope

FortiGate 7.2.

Solution

The Phase2 is configured on the Spoke side as shown below:

[Image 01.png: Phase2 configuration on the Spoke]


The Phase2 is configured on the Hub side as shown below:

[Image 02.png: Phase2 configuration on the Hub]


This is the address group configuration referenced by the single selector entry:


config firewall addrgrp
    edit "VPN_Local"
        set uuid 28d4b82c-0819-51f1-be51-b41dc0dabc1f
        set member "10.250.10.32/29"
    next
    edit "VPN_Remote"
        set uuid 324f25ae-0819-51f1-978d-f0a602d29ed6
        set member "10.10.20.151/32" "10.10.30.32/32" "10.110.0.61/32"
    next
end

FortiOS is able to establish the tunnel in this scenario:

  • HUB:
B00_FG1-HUB # diagnose vpn tunnel list name SPOKE1_ISP1
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=SPOKE1_ISP1 ver=1 serial=1 200.52.10.1:0->200.52.10.17:0 tun_id=200.52.10.17 tun_id6=::200.52.10.17 dst_mtu=1500 dpd-link=on weight=1
bound_if=26 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=5 ilast=4 olast=4 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=94
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=P2 proto=0 sa=4 ref=5 serial=6
src: 0:10.250.10.32-10.250.10.39:0
dst: 0:10.10.20.151-10.10.20.151:0 0:10.10.30.32-10.10.30.32:0 0:10.110.0.61-10.110.0.61:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1438 expire=42179/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=240 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42931/43200
dec: spi=829f5648 esp=aes key=16 131ca5463836b6f4dfdcead057342be8
ah=sha1 key=20 8281c54448d110ac78ab330860d5a50e764f1143
enc: spi=b637e1c1 esp=aes key=16 b836a917a6cd1e65aea3d7764a1a0c89
ah=sha1 key=20 92e8c773328df7331a97466b440a9492a223333d
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=200.52.10.17 npu_lgwy=200.52.10.1 npu_selid=8 dec_npuid=0 enc_npuid=0

  • SPOKE:

B02_FG-SPOKE1 # diagnose vpn tunnel list name SPOKE_ISP1
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=SPOKE_ISP1 ver=1 serial=3 200.52.10.17:0->200.52.10.1:0 nexthop=200.52.10.30 tun_id=200.52.10.11 tun_id6=::200.52.10.11 dst_mtu=1500 dpd-link=on weight=1
bound_if=3 real_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/568 options[0238]=npu create_dev frag-rfc role=primary accept_traffic=0 overlay_id=0

proxyid_num=6 child_num=0 refcnt=10 ilast=17 olast=17 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=11
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=1 proto=0 sa=1 ref=2 serial=8 adr
src: 0:10.10.30.32-10.10.30.32:0
dst: 0:10.250.10.37-10.250.10.37:0
SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=41909/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42900/43200
dec: spi=b637e1c0 esp=aes key=16 b230e4c54bacc1eb2926774dc095954a
ah=sha1 key=20 b61574ba3ede9b83e1a21e2cfe1c9e90f269e560
enc: spi=829f5647 esp=aes key=16 159017f55a33a36b07acc867dbb64775
ah=sha1 key=20 f9103f0c8f76c6b637a575d6c1ed4e904332d028
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=200.52.10.1 npu_lgwy=200.52.10.17 npu_selid=12 dec_npuid=0 enc_npuid=0
proxyid=2 proto=0 sa=0 ref=1 serial=9 adr
src: 0:10.10.30.32-10.10.30.32:0
dst: 0:10.250.10.38-10.250.10.38:0
proxyid=3 proto=0 sa=1 ref=2 serial=10 adr
src: 0:10.10.20.151-10.10.20.151:0
dst: 0:10.250.10.37-10.250.10.37:0
SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=41912/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=b637e1c1 esp=aes key=16 b836a917a6cd1e65aea3d7764a1a0c89
ah=sha1 key=20 92e8c773328df7331a97466b440a9492a223333d
enc: spi=829f5648 esp=aes key=16 131ca5463836b6f4dfdcead057342be8
ah=sha1 key=20 8281c54448d110ac78ab330860d5a50e764f1143
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=200.52.10.1 npu_lgwy=200.52.10.17 npu_selid=14 dec_npuid=0 enc_npuid=0
proxyid=4 proto=0 sa=1 ref=2 serial=11 adr
src: 0:10.10.20.151-10.10.20.151:0
dst: 0:10.250.10.38-10.250.10.38:0
SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=41906/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42897/43200
dec: spi=b637e1be esp=aes key=16 765223a19e04a57e1d6b5af0f43571e6
ah=sha1 key=20 31a9fd9ecde0dd598bfd0a0d47881b967cdee69e
enc: spi=829f5645 esp=aes key=16 4fa309de130e6a1a6e6bc883e68b4222
ah=sha1 key=20 06c7a732fac993f142f8cd50c332e4d1bf2c059c
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=200.52.10.1 npu_lgwy=200.52.10.17 npu_selid=15 dec_npuid=0 enc_npuid=0
proxyid=5 proto=0 sa=1 ref=2 serial=12 adr
src: 0:10.110.0.61-10.110.0.61:0
dst: 0:10.250.10.37-10.250.10.37:0
SA: ref=3 options=32202 type=00 soft=0 mtu=1438 expire=41912/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42903/43200
dec: spi=b637e1bf esp=aes key=16 ed8669a57da74c7f78a4088ff8d2ba33
ah=sha1 key=20 ed67d41ccb6d24af4a6ba759233fd3f4c550e048
enc: spi=829f5646 esp=aes key=16 a2f9bd000e303cc9c022e62ce857f57b
ah=sha1 key=20 93858de036c1fb576a8f3b489d838470db9658ad
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=200.52.10.1 npu_lgwy=200.52.10.17 npu_selid=16 dec_npuid=0 enc_npuid=0
proxyid=6 proto=0 sa=0 ref=1 serial=13 adr
src: 0:10.110.0.61-10.110.0.61:0
dst: 0:10.250.10.38-10.250.10.38:0

However, an intermittent issue may occur in which communication is affected, and the following error is seen in the debug flow:

B02_FG-SPOKE1 # id=65308 trace_id=5515 func=print_pkt_detail line=5872 msg="vd-root:0 received a packet(proto=6, 10.250.10.38:36738->10.10.30.32:443) tun_id=200.52.10.17 from SPOKE1_ISP1. flag [S], seq 3067256981, ack 0, win 35844"
id=65308 trace_id=5515 func=ipsec_spoofed4 line=241 msg="src ip 10.250.10.38 mismatch selector 0 range 10.250.10.37-10.253.10.37"
id=65308 trace_id=5515 func=ipsec_input4 line=284 msg="anti-spoof check failed, drop"

Meaning of the debug lines above:

  • Inbound traffic arrived inside an IPsec packet (encapsulated).
  • FortiGate decrypted it successfully.
  • But the source IP of the inner packet does not match any of the allowed local selectors for the Phase 2 SA (SPI) that was used to send this packet, so FortiGate considers it spoofed or invalid and drops it with 'anti-spoof check failed'.
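The selector check behind those debug lines, as an added example (not code from the article or from FortiOS): it parses the proxyid/src/dst lines from constructed excerpts shaped like the `diagnose vpn tunnel list` output above, then models the ipsec_spoofed4 test in which the decrypted packet's source must fall inside the remote (dst) selector of the SA it arrived on. The SPOKE_FIXED_DIAG excerpt is an assumed shape of the Spoke's output after the group-address fix, not output taken from the article.

```python
import ipaddress
import re

# Constructed excerpts shaped like the proxyid/src/dst lines of the article's
# `diagnose vpn tunnel list` output. Spoke before the fix: one narrow SA per host pair.
SPOKE_DIAG = """\
proxyid=1 proto=0 sa=1 ref=2 serial=8 adr
src: 0:10.10.30.32-10.10.30.32:0
dst: 0:10.250.10.37-10.250.10.37:0
proxyid=2 proto=0 sa=0 ref=1 serial=9 adr
src: 0:10.10.30.32-10.10.30.32:0
dst: 0:10.250.10.38-10.250.10.38:0
"""
# Assumed shape after the fix: one SA whose remote selector covers the whole group.
SPOKE_FIXED_DIAG = """\
proxyid=P2 proto=0 sa=1 ref=2 serial=8
src: 0:10.10.20.151-10.10.20.151:0 0:10.10.30.32-10.10.30.32:0 0:10.110.0.61-10.110.0.61:0
dst: 0:10.250.10.32-10.250.10.39:0
"""
RANGE_RE = re.compile(r"\d+:(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3}):\d+")

def parse_proxyids(text):
    """Map proxyid -> {'src': [(lo, hi), ...], 'dst': [(lo, hi), ...]} as IP addresses."""
    sels, cur = {}, None
    for line in text.splitlines():
        if line.startswith("proxyid="):
            cur = line.split()[0].split("=", 1)[1]
            sels[cur] = {"src": [], "dst": []}
        elif cur and line[:4] in ("src:", "dst:"):
            sels[cur][line[:3]] = [
                (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                for lo, hi in RANGE_RE.findall(line)
            ]
    return sels

def anti_spoof_check(sels, proxyid, inner_src):
    """Model of the ipsec_spoofed4 test in the debug flow: the decrypted packet's source
    must fall inside the remote (dst) selector of the SA it arrived on; None = accepted."""
    src = ipaddress.ip_address(inner_src)
    ranges = sels[proxyid]["dst"]
    if any(lo <= src <= hi for lo, hi in ranges):
        return None
    lo, hi = ranges[0]
    return f"src ip {src} mismatch selector 0 range {lo}-{hi}"

if __name__ == "__main__":
    # Packet from 10.250.10.38 decrypted on the SA whose selector is only .37 -> dropped
    print(anti_spoof_check(parse_proxyids(SPOKE_DIAG), "1", "10.250.10.38"))
    print(anti_spoof_check(parse_proxyids(SPOKE_FIXED_DIAG), "P2", "10.250.10.38"))
```

With the narrow per-host SAs, whether a given inner source passes depends on which of the six SAs the Hub happened to encrypt with; with one SA covering the whole group there is only one selector to match.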


The fix is to configure the Spoke's Phase2 selectors towards the HUB with an address group as well, mirroring the Hub configuration.

Even though FortiOS can work in the scenario demonstrated, it is best practice to ensure that the Phase 2 configurations on both sides are identical.