Troubleshooting Tip: IPsec VPN tunnel phase 2 instability on the NP6xlite platform

tonylin1 · ‎08-14-2024

Description

This article describes an issue with IPsec VPN Tunnel Phase 2 instability on the NP6xlite platform.

Scope

FortiGate.

Solution

Firmware:

Firmware version with impact.
- v7.0.13 to v7.0.15.
- v7.2.8.
- v7.4.2 to v7.4.3.

Firmware version with fix.
- v7.0.16.
- v7.2.9.
- v7.4.4.

Troubleshooting:

Perform np6xlite debugging:

diagnose npu np6xlite dce

DROP_IPSEC0_ENGINB0:0000000000000683[80] DROP_IPSEC0_ENGINB1:0000000000000002[81]

IKE debugging (shown invalid ESP 4 (replay) SPI from the tunnel):

diagnose vpn ike log filter name "XXXX"
diagnose debug application ike -1
diagnose debug enable

ike V=root:0:XXXX: invalid ESP 4 (replay) SPI 3fe65c76 seq 00000000:00a02e94 7 Y.Y.Y.Y->Z.Z.Z.Z:0
ike V=root:0:XXXX: invalid ESP 4 (replay) SPI 3fe65c76 seq 00000000:00a02eac 7 Y.Y.Y.Y->Z.Z.Z.Z:0
ike V=root:0:XXXX: invalid ESP 4 (replay) SPI 3fe65c76 seq 00000000:00a02eca 7 Y.Y.Y.Y->Z.Z.Z.Z:0
ike V=root:0:XXXX: invalid ESP 4 (replay) SPI 3fe65c76 seq 00000000:00a02ede 7 Y.Y.Y.Y->Z.Z.Z.Z:0

Workaround:

Execute 'set replay disable' on the phase2-interface on both sides of the IPsec VPN. The admin should use this as a workaround only; where Replay detection allows the FortiGate to check all IPsec packets to see if they have been received before. If any encrypted packets arrive out of order, the FortiGate discards them.

config vpn ipsec phase2-interface

edit "XXXX"

set replay disable

end

diagnose vpn ike gateway filter name "XXXX"

diagnose vpn ike gateway flush

Troubleshooting Tip: IPsec VPN tunnel phase 2 instability on the NP6xlite platform

You are leaving our website