huyhoang8344
New Member
August 13, 2014
Question

VPN IPSEC Error Received ESP packet with unknown SPI.

  • August 13, 2014
  • 18 replies
  • 193365 views
Hi Guys, I have 2 IPSec VPN tunnels and both have the same error. It happens randomly, and when it happens it seems like there is no traffic stream in the tunnel even though the monitoring says the VPN is up. I have been looking a lot but no solution so far. Any suggestion would be great. I'm using a Fortigate 100D at my site; the client site is a PA 500.


    Istvan_Takacs_FTNT
    Staff
    August 13, 2014
    You can try to run the following in the CLI:

        # diagnose debug application ike -1
        # diagnose debug enable

    That would give you a nice long output. When you have had enough, disable it:

        # diagnose debug disable

    and have a look if you can find anything strange.

        # diagnose sniffer packet <ipsec interface> "udp and dst port 500"

    can display any communication issue between the initiator and responder. If you can keep it running until the next outage, that might report some error that helps to troubleshoot the issue. In the meantime have a look at the other logs. If it randomly gets dropped, that might be the result of unreliable connectivity/interface issues, not necessarily on the Fortigate (especially if it thinks that the VPN is up).
    huyhoang8344
    New Member
    August 13, 2014
    Thanks for your response. I did try all those things you said but still haven't found anything yet. Any advice would be appreciated.
    emnoc
    New Member
    August 13, 2014
    Have you matched the p2 cfg on the PaloAlto and FGT? And what version of PANOS are you running?
    huyhoang8344
    New Member
    August 13, 2014
    Hi emnoc, I have checked p2 for both ends, such as: keylife, encryption, authentication. They are OK. Using IKE version 1. I am sorry but I don't understand what panos is. Regards, Hoang
    ede_pfau
    SuperUser
    August 13, 2014
    You might be getting these messages because either the idle timeouts on both sides differ, or the PA device does not recognize the keep-alive packets correctly, and so times out. Do you have "auto key" or "keepalive" active on the FGT? Phase1 or phase2?
    huyhoang8344
    New Member
    August 13, 2014
    I do have "keepalive" on the FGT / phase 2. I have checked and both sites have the same conf. No idea what is going on here.
    ede_pfau
    SuperUser
    August 13, 2014
    I see that you use address names in the Quick Mode selectors. This might not be related but if building a VPN to a non-Fortigate gateway it is best to use plain IP addresses/subnets. If you are using Autokey keepalives on the FGT side it might be that the other device ignores these, and idles out. Anyway, I would not be worried too much as long as the tunnel is up when you need it.
    huyhoang8344
    New Member
    August 13, 2014
    Thanks Ede. The tunnel is up but it seems like the traffic cannot pass through. For example, we have a SIP trunk between both sides, but when these errors come up the 2 PBXs cannot communicate with each other; I cannot even ping the PBX at the other side.
    emnoc
    New Member
    August 13, 2014
    PANOS = PaloAlto Networks OS, the software that runs the PA. Invalid SPIs are most likely in phase2, so the IKE debug is not going to help; from my experience these are seen when a new SPI switchover happens, or when one side expires an SA by bytes sent or seconds before the other. Here's what I would do: monitor the ipsec SA on the FGT:

        diag vpn tunnel list name <the tunnel name> | grep spi

    On the PA500 monitor the counters for the tunnels and drops:

        show vpn flow tunnel-id <ID> | match spi
        show counter global filter severity drop
        show counter global filter severity drop aspect tunnel category flow

    (The first command gets the current SPIs; they should match the FGT in/out from the above command. In the counter output, look for the bad or wrong SPI counter.) Also you should monitor the keylife for the SAs (in & out); they should be almost identical. I think on the PA you can set the timeout to seconds only and not the number of bytes, but I will have to check my PA200 for that.
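The cross-check described in the post above (FGT in/out SPIs against the PA's SPIs, and the phase 2 lifetimes on each side) can be scripted so it runs on every SA rollover instead of being eyeballed. The following is an added example, not code from the thread or from either vendor. The two sample outputs are constructed to resemble `diagnose vpn tunnel list` (FortiGate) and `show vpn flow tunnel-id <ID>` (PAN-OS) output; the exact field names, especially on the PA side, and the reading of PA "local spi" as the PA's inbound SPI, are assumptions to be checked against a real device.

```python
"""Compare IPsec phase 2 SAs reported by a FortiGate and a Palo Alto.

An "unknown SPI" error means the receiving side got an ESP packet whose
SPI is not in its SA table. Comparing the SPIs each side reports, and
the lifetimes they were negotiated with, shows whether the two gateways
have simply rolled over out of step.
"""
import re

# Constructed sample, shaped like 'diagnose vpn tunnel list name <name>'.
FGT_OUTPUT = """\
name=ToPA ver=1 serial=1 203.0.113.10:0->198.51.100.20:0
proxyid=ToPA proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.10.0/255.255.255.0:0
  dst: 0:192.168.20.0/255.255.255.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42819/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=43187/43200
  dec: spi=ba6eb1e0 esp=aes key=16 ...
  enc: spi=52e2be27 esp=aes key=16 ...
"""

# Constructed sample, shaped like 'show vpn flow tunnel-id <ID>' (field
# names assumed). 'remote spi' is deliberately stale here.
PA_OUTPUT = """\
tunnel  ToFGT
        id:                     1
        local spi:              52E2BE27
        remote spi:             11AC9F03
        key lifetime:           3600 sec
"""


def parse_fgt(text):
    """Pull inbound (dec) / outbound (enc) SPIs and lifetime from FGT output."""
    dec = re.search(r"dec:\s+spi=([0-9a-fA-F]+)", text)
    enc = re.search(r"enc:\s+spi=([0-9a-fA-F]+)", text)
    life = re.search(r"life:.*bytes=\d+/(\d+).*timeout=\d+/(\d+)", text)
    if not (dec and enc and life):
        raise ValueError("FortiGate output missing SA fields")
    return {
        "in_spi": dec.group(1).lower(),
        "out_spi": enc.group(1).lower(),
        "byte_limit": int(life.group(1)),
        "lifetime_s": int(life.group(2)),
    }


def parse_pa(text):
    """Pull SPIs and lifetime from PA output (assumes 'local spi' = PA inbound)."""
    local = re.search(r"local spi:\s*([0-9a-fA-F]+)", text)
    remote = re.search(r"remote spi:\s*([0-9a-fA-F]+)", text)
    life = re.search(r"key lifetime:\s*(\d+)\s*sec", text)
    if not (local and remote and life):
        raise ValueError("PAN-OS output missing SA fields")
    return {
        "in_spi": local.group(1).lower(),
        "out_spi": remote.group(1).lower(),
        "lifetime_s": int(life.group(1)),
    }


def compare_sas(fgt, pa, tolerance=0.05):
    """Return a list of findings; an empty list means the SAs agree."""
    findings = []
    # What the FGT sends with must be what the PA expects to receive.
    if fgt["out_spi"] != pa["in_spi"]:
        findings.append(f"FGT outbound SPI {fgt['out_spi']} != PA inbound SPI "
                        f"{pa['in_spi']}: PA will drop FGT->PA ESP as unknown SPI")
    if fgt["in_spi"] != pa["out_spi"]:
        findings.append(f"PA outbound SPI {pa['out_spi']} != FGT inbound SPI "
                        f"{fgt['in_spi']}: FGT will drop PA->FGT ESP as unknown SPI")
    # Lifetimes should be (almost) identical, or one side rekeys first.
    lo, hi = sorted((fgt["lifetime_s"], pa["lifetime_s"]))
    if hi - lo > tolerance * hi:
        findings.append(f"phase 2 lifetime differs: FGT {fgt['lifetime_s']}s vs "
                        f"PA {pa['lifetime_s']}s; the shorter side rekeys first")
    # A byte-based limit only on the FGT side also expires SAs out of step.
    if fgt["byte_limit"] and "byte_limit" not in pa:
        findings.append(f"FGT expires the SA after {fgt['byte_limit']} bytes; "
                        "PA side has no byte limit")
    return findings


def check(fgt_text, pa_text):
    return compare_sas(parse_fgt(fgt_text), parse_pa(pa_text))


if __name__ == "__main__":
    for line in check(FGT_OUTPUT, PA_OUTPUT):
        print("MISMATCH:", line)
```

Run it against the two captures taken at the same moment; with the constructed samples it reports one SPI mismatch (the PA's stale remote SPI) and the 43200 s versus 3600 s lifetime gap, which is the situation the post describes.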
    ede_pfau
    SuperUser
    August 13, 2014
    Any thoughts about the QM selectors?
    huyhoang8344
    New Member
    August 14, 2014
    > Any thoughts about the QM selectors?

    Seems like it does not work. Thanks.
    emnoc
    New Member
    August 13, 2014
    > The tunnel is up but it seems like the traffic cannot pass through. For example, we have a SIP trunk between both sides, but when these errors come up the 2 PBXs cannot communicate with each other; I cannot even ping the PBX at the other side.

    The diag debug flow would be my 1st step, e.g.:

        diag debug reset
        diag debug flow filter addr <pbx host or phone>
        diag debug flow show console enable
        diag debug flow trace start 100

    That would get you started in the right direction.
    huyhoang8344
    New Member
    August 14, 2014
    > The diag debug flow would be my 1st step, e.g.:
    >
    >     diag debug reset
    >     diag debug flow filter addr <pbx host or phone>
    >     diag debug flow show console enable
    >     diag debug flow trace start 100
    >
    > That would get you started in the right direction.

    I got nothing from the output. It just happens randomly; I don't know why and when it happens. Thank you.

    > Any thoughts about the QM selectors?

    I have tried it; let's see if it works or not. Thank you in advance. Regards, Hoang
    Istvan_Takacs_FTNT
    Staff
    August 14, 2014
    You may need to add the following at the end:

        # diagnose debug enable