Article Id 194867


In IPsec VPN environments the event log message "Invalid ESP packet detected" appears only on the receiving end of the tunnel, when the FortiGate receives an encrypted ESP packet from the remote peer that fails validation (its integrity check or other ESP header validation does not pass). Because validation happens before decryption, the packet cannot be decrypted and is dropped.
This can happen for a number of reasons; possible causes are:
  1. The encrypted packet was corrupted in transit from the remote gateway to the local gateway.
  2. The remote gateway encrypted the packet with the wrong cookie or key (a security association mismatch between the two peers).
  3. The local gateway validated the packet with the wrong key or otherwise calculated the check incorrectly on its side.
If traffic passes between the local and remote private subnets through the tunnel and the error appears only occasionally or periodically, the most likely cause is #1. If performance and the application are not affected, the occasional error can simply be ignored.

If no traffic passes through the tunnel at all, a considerable number of these messages will appear continuously, with consecutive ESP sequence numbers: every packet from the peer is being rejected, not just a few damaged ones. In this case the likely cause is #2 or #3, and a ticket should be opened with Fortinet Technical Support for further assistance.
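To apply the triage above to an exported event log, the following Python script is an added example; it is not part of this article and not a Fortinet tool. The log lines are constructed for the example, and the field names spi= and seq= (and the exact msg= text) are assumptions about the log format: check them against a real log line from the unit before relying on the script. It groups "Invalid ESP packet detected" entries by SPI and reports whether each tunnel shows sporadic errors (cause #1) or a continuous run of consecutive sequence numbers (cause #2 or #3).

```python
import re
from collections import defaultdict

# Constructed sample log lines in FortiGate-style key=value format (not from a
# real device). Field names spi= and seq= are assumed for this example.
SAMPLE_LOGS = """\
date=2024-01-10 time=09:00:00 type="event" subtype="vpn" level="notice" vpntunnel="to_branch" msg="progress IPsec phase 1"
date=2024-01-10 time=09:00:01 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1001"
date=2024-01-10 time=09:00:01 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1002"
date=2024-01-10 time=09:00:01 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1003"
date=2024-01-10 time=09:00:02 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1004"
date=2024-01-10 time=09:00:02 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1005"
date=2024-01-10 time=09:00:02 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1006"
date=2024-01-10 time=09:00:03 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1007"
date=2024-01-10 time=09:00:03 type="event" subtype="vpn" level="error" vpntunnel="to_branch" msg="Invalid ESP packet detected" spi="0x1a2b3c4d" seq="1008"
date=2024-01-10 time=09:05:11 type="event" subtype="vpn" level="error" vpntunnel="to_dc" msg="Invalid ESP packet detected" spi="0x5e6f7081" seq="57"
date=2024-01-10 time=09:41:37 type="event" subtype="vpn" level="error" vpntunnel="to_dc" msg="Invalid ESP packet detected" spi="0x5e6f7081" seq="412"
date=2024-01-10 time=11:02:09 type="event" subtype="vpn" level="error" vpntunnel="to_dc" msg="Invalid ESP packet detected" spi="0x5e6f7081" seq="9031"
"""

ESP_ERROR = "Invalid ESP packet detected"

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def esp_errors_by_spi(log_text):
    """Collect the ESP sequence numbers of every 'Invalid ESP packet' entry, keyed by SPI."""
    seqs = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if ESP_ERROR not in rec.get("msg", ""):
            continue
        try:
            # base 0 accepts both decimal and 0x-prefixed values
            seqs[rec["spi"]].append(int(rec["seq"], 0))
        except (KeyError, ValueError):
            continue  # line lacks the assumed fields; skip it rather than guess
    return dict(seqs)


def longest_consecutive_run(seqs):
    """Length of the longest run of strictly consecutive sequence numbers."""
    if not seqs:
        return 0
    ordered = sorted(set(seqs))
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def classify(seqs, run_threshold=5):
    """Apply the article's heuristic to one SPI's sequence numbers.

    A long run of consecutive rejected sequence numbers means every packet
    from the peer is failing validation (cause #2 or #3); isolated numbers
    point to occasional corruption in transit (cause #1).
    """
    run = longest_consecutive_run(seqs)
    if run >= run_threshold:
        return "key/SA mismatch suspected (cause #2 or #3): %d consecutive rejected packets" % run
    return "sporadic corruption (cause #1): %d isolated errors, longest run %d" % (len(seqs), run)


def triage(log_text, run_threshold=5):
    """Return {spi: verdict} for every SPI that produced ESP errors."""
    return {spi: classify(seqs, run_threshold)
            for spi, seqs in esp_errors_by_spi(log_text).items()}


if __name__ == "__main__":
    for spi, verdict in triage(SAMPLE_LOGS).items():
        print(spi, "->", verdict)
```

The run threshold is deliberately a parameter: on a busy tunnel a handful of consecutive drops can still be transit loss, so tune it to the packet rate, and always confirm a suspected mismatch by checking that both peers show the same security association (SPI, algorithms and lifetimes) before escalating.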



Related Articles

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)