Description
This article describes how to understand and troubleshoot the 'Invalid ESP packet detected (HMAC validation failed)' error.
Scope
FortiGate v6.4, v7.0 and v7.2.
Solution
The error:
Invalid ESP packet detected (HMAC validation failed).
Reason: the integrity check value (ICV, the HMAC) that FortiGate computes over a received ESP packet does not match the ICV carried in the packet, so the packet is discarded. An ICV mismatch means either that the packet was altered in transit or that the two peers are not using the same integrity key and algorithm for that SPI; the error itself does not say which.
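To make the failure concrete, the following is an added example (not FortiGate code) of an ESP-style packet protected with HMAC-SHA256-128: the receiver recomputes the ICV over SPI, sequence number and payload and compares it with the trailing 16 bytes. The keys, payload and SPI/seq values are constructed; the log-line formatter only mimics the event-log format shown below.

```python
import hashlib
import hmac
import struct

# Added example, not FortiGate code: an ESP-style packet protected with
# HMAC-SHA256-128 (RFC 4868 truncation to 128 bits), to show what
# "HMAC validation failed" means on the wire. Keys and payload are constructed.
ICV_LEN = 16


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Build SPI || seq || payload || ICV.

    The ICV is an HMAC over everything that precedes it (SPI, sequence
    number and the already-encrypted payload), as ESP defines it.
    """
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def check_esp(packet: bytes, auth_key: bytes):
    """Recompute the ICV and compare it with the one in the packet.

    Returns (ok, spi, seq). ok is False whenever the recomputed value
    differs, which is the condition FortiGate reports as
    'Invalid ESP packet detected (HMAC validation failed)'.
    """
    if len(packet) < 8 + ICV_LEN:
        return False, None, None
    spi, seq = struct.unpack("!II", packet[:8])
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    # Constant-time comparison, as a verifier should use.
    return hmac.compare_digest(expected, icv), spi, seq


def esp_error_line(spi: int, seq: int) -> str:
    """Format SPI/seq the way the FortiGate event log prints them (constructed)."""
    return (
        "status=esp_error error_num=Invalid ESP packet detected "
        f"(HMAC validation failed). spi={spi:08x} seq={seq:08x}"
    )


def demo():
    """Show the three outcomes: good packet, wrong key, packet altered in transit."""
    key_ok = bytes.fromhex("00" * 31 + "01")      # constructed 256-bit integrity key
    key_other = bytes.fromhex("00" * 31 + "02")   # a peer holding a different key
    pkt = build_esp(0xFE2B6574, 0xBA0D, b"encrypted payload bytes", key_ok)

    results = {
        "same_key": check_esp(pkt, key_ok)[0],
        "wrong_key": check_esp(pkt, key_other)[0],
        # flip one bit in the payload: the ICV no longer matches
        "bit_flipped": check_esp(pkt[:12] + bytes([pkt[12] ^ 0x01]) + pkt[13:], key_ok)[0],
    }
    for name, ok in results.items():
        print(f"{name}: {'valid' if ok else esp_error_line(0xFE2B6574, 0xBA0D)}")
    return results


if __name__ == "__main__":
    demo()
```

Both the wrong-key and the bit-flipped case produce exactly the same verdict, which is why the counters and logs below only tell you that drops are happening; identifying whether the cause is a key/algorithm mismatch or in-path modification needs a capture on both sides.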
The drop can happen in two places: in the kernel (software path) or in hardware (NPU).
When it happens in the kernel, the error is visible in three places: the event log, the IKE debug output, and the rxe counter of the IPsec interface.
In the event log, messages similar to the following appear:
status=esp_error error_num=Invalid ESP packet detected (HMAC validation failed). spi=fe2b6574 seq=0000ba0d
In the IKE debug output (diag debug application ike -1), similar messages appear:
ike 1:My_VPN: invalid ESP 1 (HMAC) SPI fe2c9989 seq 0000c10f 9 x.x.x.x->y.y.y.y
Run 'diag netlink interface list My_VPN' against the IPsec interface (the phase 1 name) and repeat it a few times: the rxe (receive error) counter keeps increasing while packets are being dropped.
diag netlink interface list My_VPN
if=My_VPN family=00 type=768 index=15 mtu=1500 link=0 master=0 ref=15 state=off start fw_flags=0 flags=up p2p run noarp multicast
Qdisc=noqueue
stat: rxp=0 txp=0 rxb=0 txb=0 rxe=125 txe=0 rxd=0 txd=0 mc=0 collision=0
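The three kernel-side indicators above are easy to correlate in a script. The following is an added example (not FortiGate code) that counts HMAC failures per inbound SPI from event-log and IKE-debug lines in the formats shown above, and computes the rxe increase between successive 'diag netlink interface list' captures. The sample lines are constructed from those formats; the second netlink capture and the extra log lines are made up.

```python
import re

# Added example, not FortiGate code: parse the three kernel-side indicators
# the article lists (event log, IKE debug, rxe counter) to confirm that HMAC
# failures are happening and on which SPI. Sample lines are constructed from
# the formats shown in the article.

EVENT_RE = re.compile(
    r"status=esp_error .*?spi=(?P<spi>[0-9a-f]{8}) seq=(?P<seq>[0-9a-f]{8})"
)
IKE_RE = re.compile(
    r"ike \d+:(?P<vpn>[^:]+): invalid ESP \d+ \(HMAC\) "
    r"SPI (?P<spi>[0-9a-f]{8}) seq (?P<seq>[0-9a-f]{8})"
)
RXE_RE = re.compile(r"\brxe=(\d+)")


def count_hmac_failures(lines):
    """Count HMAC failures per inbound SPI across event-log and IKE-debug lines.

    Returns {spi: count}. Lines that are not HMAC failures are ignored, so a
    whole log excerpt can be passed in.
    """
    counts = {}
    for line in lines:
        m = EVENT_RE.search(line) or IKE_RE.search(line)
        if m:
            counts[m.group("spi")] = counts.get(m.group("spi"), 0) + 1
    return counts


def rxe_delta(samples):
    """Given successive 'diag netlink interface list <phase1>' captures,
    return the increase of the rxe counter from the first to the last one.
    A steadily rising value confirms the packets are dropped in the kernel."""
    values = []
    for text in samples:
        m = RXE_RE.search(text)
        if not m:
            raise ValueError("no rxe counter found in sample")
        values.append(int(m.group(1)))
    return values[-1] - values[0]


# Constructed log excerpt: the first and third lines are the article's own
# examples, the others are made up in the same format.
SAMPLE_LINES = [
    "status=esp_error error_num=Invalid ESP packet detected (HMAC validation failed). spi=fe2b6574 seq=0000ba0d",
    "status=esp_error error_num=Invalid ESP packet detected (HMAC validation failed). spi=fe2b6574 seq=0000ba0e",
    "ike 1:My_VPN: invalid ESP 1 (HMAC) SPI fe2c9989 seq 0000c10f 9 x.x.x.x->y.y.y.y",
    "ike 1:My_VPN: IPsec SA negotiated ...",   # unrelated line, ignored
]

# Two constructed captures taken a few seconds apart; rxe grows by 6.
SAMPLE_NETLINK = [
    "if=My_VPN family=00 type=768 index=15 mtu=1500 link=0 master=0 ref=15 state=off start fw_flags=0 flags=up p2p run noarp multicast\n"
    "Qdisc=noqueue\n"
    "stat: rxp=0 txp=0 rxb=0 txb=0 rxe=125 txe=0 rxd=0 txd=0 mc=0 collision=0",
    "if=My_VPN family=00 type=768 index=15 mtu=1500 link=0 master=0 ref=15 state=off start fw_flags=0 flags=up p2p run noarp multicast\n"
    "Qdisc=noqueue\n"
    "stat: rxp=0 txp=0 rxb=0 txb=0 rxe=131 txe=0 rxd=0 txd=0 mc=0 collision=0",
]

if __name__ == "__main__":
    print("HMAC failures per SPI:", count_hmac_failures(SAMPLE_LINES))
    print("rxe increase between captures:", rxe_delta(SAMPLE_NETLINK))
```

A per-SPI count is more useful than a raw total: one SPI failing on every packet points at a key or algorithm mismatch for that SA, while sporadic failures spread over SPIs and time are more typical of in-path corruption.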
When the drop happens in hardware (NPU), none of the three indicators above (event log, IKE debug, rxe counter) show the error. It is only visible in the NPU DCE drop counters, as a non-zero drop count for a sub-engine.
To check the NPU DCE drop counters, use:
diag npu np7lite dce-drop-all 0     <----- NP7Lite platforms (they have a single NP, so the NP ID 0 can be omitted)
diag npu np7 dce-drop-all <np_id>   <----- NP7 platforms (np_id is 0 or 1; enter one ID, not '0/1')
Note: to display only the queues that have drops on NP7/NP7Lite, instead of printing all queues, append 'brief' (or its short forms 'b' or '0'):
diag npu np7lite dce-drop-all 0 brief
diag npu np7lite dce-drop-all 0 b
diag npu np7lite dce-drop-all 0 0
diag npu np7 dce-drop-all 0 brief
diag npu np7 dce-drop-all 0 b
diag npu np7 dce-drop-all 0 0
Possible causes:
Fixes:
Confirm that the negotiated algorithms are supported for hardware acceleration on the NP model in use (see 'Encryption algorithms' in the FortiOS hardware acceleration documentation); algorithms the NP cannot offload are processed in the kernel, where the indicators above apply.
Check the NP port mapping with:
diag npu np6 port-list | grep <port_name>
diag npu np6xlite port-list | grep <port_name>
Copyright 2024 Fortinet, Inc. All Rights Reserved.