FortiGate
fwilliams
Staff
Article Id 227859
Description

This article provides guidelines on how to resolve the 'Invalid ESP packet detected (HMAC validation failed)' error message that appears in FortiGate logs.

Scope

FortiGate v6.4.

FortiGate v7.0.

FortiGate v7.2.

Solution

HMAC validation failure can occur at the kernel (software) level or at the NPU (hardware) level.

If this error appears, try the following:

1) Disable NPU offload under the phase1-interface and under the firewall policy.

# config vpn ipsec phase1-interface
    edit "name"
        set npu-offload disable
    next
end

# config firewall policy
    edit X
        set auto-asic-offload disable
    next
end

2) HMAC checks are offloaded to the network processors by default; disable this offload to see if that helps.

# config system global
    set ipsec-hmac-offload disable
end

3) Fragment packets before they are encapsulated in ESP (pre-encapsulation fragmentation).

# config vpn ipsec phase1-interface
    edit "name"
        set ip-fragmentation pre-encapsulation
    next
end

In a hub-and-spoke setup (HQ and branch) where the spoke initiates most of the traffic toward the hub, enabling fragmentation only on the spoke side might be enough.
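As an added example that is not part of this article, the following Python snippet parses FortiOS key=value event logs and counts 'HMAC validation failed' events per tunnel and remote peer, so you can see which phase1-interface the steps above should be applied to. The log lines are constructed to approximate the FortiOS layout, and the field that carries the message text is assumed to vary by version, so the marker is searched across all fields.

```python
import re
from collections import Counter

# Constructed sample lines in the FortiOS key=value event-log layout (not real
# captures); the key that carries the message text differs between versions.
SAMPLE_LOGS = """\
date=2023-01-15 time=10:22:33 type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" remip=203.0.113.5 locip=198.51.100.1 vpntunnel="to_branch1" msg="Invalid ESP packet detected (HMAC validation failed)."
date=2023-01-15 time=10:22:34 type="event" subtype="vpn" level="notice" vd="root" logdesc="IPsec phase 2 status change" remip=203.0.113.5 locip=198.51.100.1 vpntunnel="to_branch1" msg="progress IPsec phase 2"
date=2023-01-15 time=10:22:35 type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" remip=203.0.113.5 locip=198.51.100.1 vpntunnel="to_branch1" msg="Invalid ESP packet detected (HMAC validation failed)."
date=2023-01-15 time=10:23:01 type="event" subtype="vpn" level="error" vd="root" logdesc="IPsec ESP" remip=192.0.2.9 locip=198.51.100.1 vpntunnel="to_branch2" msg="Invalid ESP packet detected (HMAC validation failed)."
"""

HMAC_MARKER = "HMAC validation failed"
# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortios_line(line):
    """Parse one FortiOS key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def hmac_failures_by_tunnel(log_text):
    """Count HMAC validation failures keyed by (vpntunnel, remip).

    The marker is searched in every field value rather than one fixed key,
    because the field holding the message text is version dependent.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_fortios_line(line)
        if rec.get("subtype") != "vpn":
            continue
        if not any(HMAC_MARKER in value for value in rec.values()):
            continue
        counts[(rec.get("vpntunnel", "?"), rec.get("remip", "?"))] += 1
    return counts

def tunnels_to_check(counts, threshold=2):
    """Return (tunnel, peer) pairs whose failure count reached the threshold, busiest first."""
    hot = [(key, n) for key, n in counts.items() if n >= threshold]
    return sorted(hot, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for (tunnel, peer), n in tunnels_to_check(hmac_failures_by_tunnel(SAMPLE_LOGS), 1):
        print(f"{tunnel:12} peer={peer:15} hmac_failures={n}")
```

Feed it the output of a log export or a syslog collector; a tunnel that keeps appearing after step 1 has been applied is the one to carry on with steps 2 and 3 on.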

Note:

Check whether the change in step 1 resolves the issue before moving on to step 2, and so on.

If the issue persists, open a ticket with Fortinet support.