acardona
February 12, 2025

Troubleshooting Tip: IPsec VPN traffic is dropped after upgrading to v7.4.3

Description

This article describes an issue where IPsec VPN traffic is dropped after upgrading to v7.4.3 and provides a workaround.

Scope

FortiGate v7.4.3 and later, v7.6.x.

Solution

IPsec VPN traffic is dropped with the following error in the debug flow output:


FGT-LAB #
id=65308 trace_id=10 func=print_pkt_detail line=5873 msg="vd-root:0 received a packet(proto=1, 10.0.1.10:33->172.18.1.10:2048) tun_id=10.0.0.1 from VPN-1. type=8, code=0, id=33, seq=31."
id=65308 trace_id=10 func=ipsec_spoofed4 line=245 msg="src ip 10.0.1.10 mismatch selector 0 range 10.0.1.1-10.0.1.254" <----- The FortiGate drops the packet, reporting a phase 2 selector mismatch even though the source IP 10.0.1.10 is inside the configured range.
id=65308 trace_id=10 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"


The phase 2 configuration itself is correct:


    edit "PHASE-2"
        set type iprange
        set comment "VPN-1"
        set start-ip 10.0.1.1 <-----
        set end-ip 10.0.1.254 <-----
end


  1. The workaround for this issue is to widen the phase 2 selectors so that the configuration looks as follows:

    edit "PHASE-2"
        set type iprange
        set comment "VPN-1"
        set start-ip 10.0.0.0 <-----
        set end-ip 10.0.0.0 <-----
end


  2. Alternatively, set the phase 2 selector to the default 0.0.0.0/0 and restrict the Source and Destination subnets on the corresponding firewall policy instead.

  3. In certain scenarios there may be several traffic selectors configured. When the proxy IDs of the IPsec VPN repeat the same source address with different remote addresses, it may help to merge those selectors into a single summary subnet with a shorter prefix (a smaller subnet mask value).
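The two checks above lend themselves to a small script. The example below is added here and is not part of the original article or of FortiOS: it parses `ipsec_spoofed4` lines from constructed `diagnose debug flow` output modelled on the log shown earlier, tells a genuine out-of-range source apart from the symptom in this article (a drop reported while the source IP is inside the selector range), and computes the single summary prefix that would cover a set of selector ranges, together with how many extra addresses that wider selector admits. The sample lines, the function names and the `covering_supernet` helper are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample of `diagnose debug flow` output, modelled on the lines in
# the article. The fourth line is an added, genuinely out-of-range case.
SAMPLE_FLOW = """\
id=65308 trace_id=10 func=print_pkt_detail line=5873 msg="vd-root:0 received a packet(proto=1, 10.0.1.10:33->172.18.1.10:2048) tun_id=10.0.0.1 from VPN-1. type=8, code=0, id=33, seq=31."
id=65308 trace_id=10 func=ipsec_spoofed4 line=245 msg="src ip 10.0.1.10 mismatch selector 0 range 10.0.1.1-10.0.1.254"
id=65308 trace_id=10 func=ipsec_input4 line=289 msg="anti-spoof check failed, drop"
id=65308 trace_id=11 func=ipsec_spoofed4 line=245 msg="src ip 10.0.9.7 mismatch selector 0 range 10.0.1.1-10.0.1.254"
"""

# Matches only the ipsec_spoofed4 selector-mismatch message.
MISMATCH_RE = re.compile(
    r'trace_id=(?P<trace>\d+) .*?func=ipsec_spoofed4 .*?'
    r'msg="src ip (?P<src>[\d.]+) mismatch selector (?P<sel>\d+) '
    r'range (?P<lo>[\d.]+)-(?P<hi>[\d.]+)"'
)


def classify_mismatches(flow_text):
    """Return one dict per ipsec_spoofed4 line.

    in_range=True means the device reported a mismatch although the source IP
    lies inside the selector range (the symptom described in the article);
    in_range=False means the selector really does not cover the source.
    """
    results = []
    for line in flow_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        src = ipaddress.IPv4Address(m["src"])
        lo = ipaddress.IPv4Address(m["lo"])
        hi = ipaddress.IPv4Address(m["hi"])
        in_range = lo <= src <= hi
        results.append({
            "trace_id": int(m["trace"]),
            "src": str(src),
            "selector": int(m["sel"]),
            "range": f"{lo}-{hi}",
            "in_range": in_range,
            "verdict": ("dropped although inside selector range" if in_range
                        else "genuine selector mismatch"),
        })
    return results


def covering_supernet(ranges):
    """Smallest single IPv4 prefix containing every (start_ip, end_ip) range.

    Returns (prefix, extra) where extra is the number of addresses the summary
    prefix admits beyond the original ranges. Assumes the ranges do not overlap.
    A wider selector is only as safe as the firewall policy behind it, which
    is why the article pairs it with source/destination restrictions there.
    """
    lows = [ipaddress.IPv4Address(lo) for lo, _ in ranges]
    highs = [ipaddress.IPv4Address(hi) for _, hi in ranges]
    net = ipaddress.ip_network(f"{min(lows)}/32")
    while max(highs) not in net:
        net = net.supernet()
    covered = sum(int(hi) - int(lo) + 1 for lo, hi in zip(lows, highs))
    return str(net), net.num_addresses - covered


if __name__ == "__main__":
    for r in classify_mismatches(SAMPLE_FLOW):
        print(f"trace {r['trace_id']}: src {r['src']} vs {r['range']} -> {r['verdict']}")
    # Two selectors sharing a structure like the article's, constructed here.
    prefix, extra = covering_supernet([("10.0.1.1", "10.0.1.254"),
                                       ("10.0.2.1", "10.0.2.254")])
    print(f"summary selector {prefix} admits {extra} extra addresses")
```

Run against a real `diagnose debug flow` capture, a trace that lands in the "dropped although inside selector range" bucket on an affected release is the signature of this issue; a "genuine selector mismatch" points at an ordinary phase 2 configuration error instead.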

Note:

This issue is tracked as bug 1012615, which is fixed in v7.2.12, v7.4.8, v7.6.2 and v7.6.3; see the Release Notes.

Open a ticket with the TAC team in the Fortinet support portal to request more information about this bug.