Description
This article provides guidelines for resolving 'Invalid ESP packet detected (HMAC validation failed)' error messages in the logs.
Scope
FortiGate v6.4, FortiGate v7.0, FortiGate v7.2.
Solution
HMAC validation failure can occur at the kernel (software) level or at the NPU (hardware) level.
If this error appears, try the following:
1) Disable NPU offload under the phase1-interface and under the firewall policy (X is the policy ID).
config vpn ipsec phase1-interface
    edit "name"
        set npu-offload disable
    next
end
config firewall policy
    edit X
        set auto-asic-offload disable
    next
end
2) HMAC checks are offloaded to the network processors by default; disable the offload to see whether that helps.
config system global
    set ipsec-hmac-offload disable
end
3) Fragment packets before encapsulating them in ESP (pre-encapsulation fragmentation).
config vpn ipsec phase1-interface
    edit "name"
        set ip-fragmentation pre-encapsulation
    next
end
In a hub-and-spoke setup (HQ and branch) where the spoke initiates most of the traffic toward the hub, enabling pre-encapsulation fragmentation only on the spoke site might be enough.
Note: Check whether the change in step 1 resolves the issue before moving on to step 2, and so on.
If the issue persists, open a ticket with Fortinet support.
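To make clear what the error actually reports, the following added example (not Fortinet code, not part of the original article) reproduces the ESP integrity check from RFC 4303: the receiver recomputes the HMAC over the SPI, sequence number and payload and compares it with the truncated ICV at the end of the packet. It assumes a simplified integrity-only ESP layout and HMAC-SHA-256-128 as the negotiated integrity algorithm; the key and payload are constructed sample values.

```python
import hmac
import hashlib
import struct

# HMAC-SHA-256-128 (RFC 4868) is assumed: the HMAC is truncated to 16 bytes.
# The peers' real proposal may differ, but the check has the same shape.
ICV_LEN = 16
ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: ESP header || payload || truncated ICV over header+payload."""
    header = struct.pack("!II", spi, seq)
    authenticated = header + payload
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def verify_esp(packet: bytes, auth_key: bytes) -> bool:
    """Receiver side. A False result is what the FortiGate logs as
    'Invalid ESP packet detected (HMAC validation failed)'."""
    if len(packet) < ESP_HDR_LEN + ICV_LEN:
        return False  # cannot even hold a header plus an ICV
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)  # constant-time comparison


def demo() -> dict:
    """Show which conditions make the ICV check fail (constructed inputs)."""
    key = b"\x11" * 32  # constructed sample integrity key
    pkt = build_esp(spi=0x12345678, seq=1, payload=b"A" * 1400, auth_key=key)
    # Flip one payload byte: any change to the authenticated bytes fails.
    corrupted = pkt[:20] + bytes([pkt[20] ^ 0x01]) + pkt[21:]
    # Only the first part of an ESP packet that was fragmented after
    # encapsulation arrives: the ICV is missing, so the check fails.
    truncated = pkt[:700]
    return {
        "intact": verify_esp(pkt, key),
        "corrupted": verify_esp(corrupted, key),
        "truncated": verify_esp(truncated, key),
        "wrong_key": verify_esp(pkt, b"\x22" * 32),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ICV ok' if ok else 'HMAC validation failed'}")
```

The truncated case is the situation pre-encapsulation fragmentation (step 3) is meant to avoid: fragmenting before ESP keeps every ESP packet whole, so the receiver always has the complete authenticated bytes plus the ICV to check.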
Copyright 2024 Fortinet, Inc. All Rights Reserved.