Created on 11-20-2022 06:48 AM
Edited on 09-08-2025 11:05 PM
By Jean-Philippe_P
Description | This article describes how to understand and troubleshoot the 'HMAC validation failed' error. |
Scope | FortiGate v6.4, v7.0 and v7.2. |
Solution |
The Error:
Invalid ESP packet detected (HMAC validation failed).
Reason: FortiGate raises this error when the MAC (the ESP integrity check value, ICV) that it computes over a received ESP packet does not match the ICV carried inside that packet. In other words, the local inbound SA's authentication key and the packet's contents do not agree: either the peer authenticated the packet with a different key, or the packet was altered between the peer and the FortiGate.
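To make the failure concrete, the following added example (written for this page; it is not FortiGate or Fortinet code) reproduces the receiver-side check that produces this error. It assumes an SA using HMAC-SHA256-128 as the ESP integrity algorithm (a SHA-256 HMAC truncated to 16 bytes, per RFC 4868), treats the payload as opaque, already-encrypted bytes, and uses constructed keys and a constructed payload. The ICV is computed over the SPI, the sequence number and the payload, i.e. everything in the ESP packet except the ICV itself (RFC 4303 section 2.8). The demo shows the three receiver outcomes that matter for troubleshooting: a matching key, a key mismatch between the peers, and a packet modified in transit.

```python
import hmac
import hashlib
import struct

# Assumption (added example): HMAC-SHA256-128, i.e. the SHA-256 HMAC truncated
# to 16 bytes, is the ESP integrity algorithm of the SA (RFC 4868).
ICV_LEN = 16
ESP_HDR = struct.Struct("!II")  # SPI and sequence number (RFC 4303 section 2)


def esp_icv(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Compute the ICV over SPI || Seq || payload, which is every byte of the
    ESP packet except the ICV itself (RFC 4303 section 2.8). The payload is
    the already-encrypted data plus ESP trailer; encryption is out of scope."""
    mac = hmac.new(auth_key, ESP_HDR.pack(spi, seq) + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def build_esp(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: ESP header, payload, then the ICV appended at the end."""
    return ESP_HDR.pack(spi, seq) + payload + esp_icv(auth_key, spi, seq, payload)


def verify_esp(auth_key: bytes, packet: bytes) -> dict:
    """Receiver side: recompute the MAC with the local inbound SA key and compare
    it, in constant time, with the ICV carried in the packet. The result also
    carries spi/seq formatted the way the FortiGate event log prints them."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        raise ValueError("ESP packet shorter than header plus ICV")
    spi, seq = ESP_HDR.unpack_from(packet)
    body, received_icv = packet[ESP_HDR.size:-ICV_LEN], packet[-ICV_LEN:]
    expected = esp_icv(auth_key, spi, seq, body)
    return {
        "ok": hmac.compare_digest(expected, received_icv),
        "spi": f"{spi:08x}",
        "seq": f"{seq:08x}",
    }


def demo() -> dict:
    """Three receiver outcomes: matching key, peer using a different key
    (SA/key mismatch), and a packet modified in transit (corruption)."""
    # Constructed 32-byte authentication keys; not real SA material.
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    other_key = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)
    # Constructed payload; a real one is ciphertext plus the ESP trailer.
    pkt = build_esp(key, 0xFE2B6574, 0x0000BA0D, b"opaque-ciphertext-bytes")

    corrupted = bytearray(pkt)
    corrupted[ESP_HDR.size + 3] ^= 0x01  # flip one bit inside the payload

    return {
        "same_key": verify_esp(key, pkt)["ok"],
        "key_mismatch": verify_esp(other_key, pkt)["ok"],
        "corrupted_in_transit": verify_esp(key, bytes(corrupted))["ok"],
    }


if __name__ == "__main__":
    print(demo())
```

The key-mismatch and corruption cases are indistinguishable to the receiver: both simply produce a MAC that does not match, which is why the error message alone cannot tell you whether the peers disagree on the SA or whether something on the path is rewriting packets. Note that combined-mode algorithms such as AES-GCM carry their own ICV and involve no separate HMAC.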
The cause of this error can reside in two places: in the kernel or in the hardware (NPU).
If it resides in the kernel, it will be visible in three places: the event log, the IKE debug, and the rxe counter of the IPsec interface.
Similar messages will be visible in the event log:
status=esp_error error_num=Invalid ESP packet detected (HMAC validation failed). spi=fe2b6574 seq=0000ba0d
Similar messages will be visible in IKE debug:
ike 1:My_VPN: invalid ESP 1 (HMAC) SPI fe2c9989 seq 0000c10f 9 x.x.x.x->y.y.y.y
Run 'diagnose netlink interface list My_VPN' against the IPsec interface (phase 1) a few times; between runs, the rxe (receive error) counter will increase.
diagnose netlink interface list My_VPN
if=My_VPN family=00 type=768 index=15 mtu=1500 link=0 master=0
ref=15 state=off start fw_flags=0 flags=up p2p run noarp multicast
Qdisc=noqueue
stat: rxp=0 txp=0 rxb=0 txb=0 rxe=125 txe=0 rxd=0 txd=0 mc=0 collision=0
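The three kernel-side indicators above are easy to correlate by hand on one VPN, but on a box with many tunnels it helps to script it. The following added example (written for this page, not a Fortinet tool) parses event-log lines and IKE-debug lines of the formats shown above, counts errors per SPI so that a single affected SA stands out, computes the rxe delta between two runs of 'diagnose netlink interface list', and applies the article's rule: if any of the three indicators fires, the drop is in the kernel; otherwise the NPU DCE counters are the next place to look. The sample lines are constructed from the article's own examples (with a constructed non-error line added) and are not a real capture.

```python
import re
from collections import Counter

# Constructed samples modelled on the article's own lines (not a real capture).
SAMPLE_LINES = [
    "status=esp_error error_num=Invalid ESP packet detected (HMAC validation failed). "
    "spi=fe2b6574 seq=0000ba0d",
    "ike 1:My_VPN: invalid ESP 1 (HMAC) SPI fe2c9989 seq 0000c10f 9 x.x.x.x->y.y.y.y",
    "status=success",  # constructed non-error line; must be ignored
]
NETLINK_BEFORE = (
    "if=My_VPN family=00 type=768 index=15 mtu=1500 link=0 master=0\n"
    "ref=15 state=off start fw_flags=0 flags=up p2p run noarp multicast\n"
    "Qdisc=noqueue\n"
    "stat: rxp=0 txp=0 rxb=0 txb=0 rxe=125 txe=0 rxd=0 txd=0 mc=0 collision=0\n"
)
# Same interface a few seconds later; only rxe has moved (constructed).
NETLINK_AFTER = NETLINK_BEFORE.replace("rxe=125", "rxe=131")

ESP_ERROR_RE = re.compile(
    r"status=esp_error .*?spi=(?P<spi>[0-9a-f]{8}) seq=(?P<seq>[0-9a-f]{8})")
IKE_INVALID_ESP_RE = re.compile(
    r"ike \d+:(?P<vpn>[^:]+): invalid ESP \d+ \((?P<reason>[A-Za-z]+)\) "
    r"SPI (?P<spi>[0-9a-f]{8}) seq (?P<seq>[0-9a-f]{8})")
RXE_RE = re.compile(r"\brxe=(\d+)")


def parse_esp_errors(lines):
    """Return (source, vpn_name, spi, seq) tuples for HMAC failures found in
    event-log or IKE-debug output. vpn_name is None for event-log lines, which
    in the format shown do not carry the tunnel name. Other lines are ignored."""
    events = []
    for line in lines:
        m = ESP_ERROR_RE.search(line)
        if m:
            events.append(("event_log", None, m["spi"], int(m["seq"], 16)))
            continue
        m = IKE_INVALID_ESP_RE.search(line)
        if m and m["reason"] == "HMAC":
            events.append(("ike_debug", m["vpn"], m["spi"], int(m["seq"], 16)))
    return events


def errors_per_spi(events) -> Counter:
    """Count failures per inbound SPI; one SPI dominating points at one SA."""
    return Counter(spi for _source, _vpn, spi, _seq in events)


def rxe_value(netlink_output: str) -> int:
    """Pull the rxe counter out of 'diagnose netlink interface list' output."""
    m = RXE_RE.search(netlink_output)
    if not m:
        raise ValueError("no rxe counter found in netlink interface output")
    return int(m.group(1))


def rxe_delta(before: str, after: str) -> int:
    """Growth of rxe between two runs of the command on the same interface."""
    return rxe_value(after) - rxe_value(before)


def locate_fault(events, delta: int) -> str:
    """The article's rule: visible in event log, IKE debug or rxe means the
    drop happens in the kernel; otherwise check the NPU DCE drop counters."""
    if events or delta > 0:
        return "kernel"
    return "not visible in kernel indicators: check NPU DCE drop counters"


if __name__ == "__main__":
    found = parse_esp_errors(SAMPLE_LINES)
    print(errors_per_spi(found))
    print(locate_fault(found, rxe_delta(NETLINK_BEFORE, NETLINK_AFTER)))
```

Feed it the output of 'execute log filter' / 'execute log display' for the event log, the captured 'diagnose debug application ike' output, and two snapshots of the netlink listing taken a few seconds apart. A steadily rising rxe with no event-log entries usually just means logging is filtered; a zero delta across all three sources is the cue to move on to the NPU checks below.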
If it resides in the hardware (NPU), the error will not be visible in the three places mentioned above (event log, IKE debug and rxe counter). It is only visible in the NPU DCE counters, as a non-zero sub-engine drop count.
To check NPU DCE counter, use:
diagnose npu np7lite dce-drop-all 0 <----- NP7Lite platform (NP7Lite platforms have only one NP, so the NP ID can be omitted).
diagnose npu np7 dce-drop-all 0/1 <----- NP7 platform (enter the ID of the NP to inspect, 0 or 1).
Note: Use the commands below to display only the queue/s with drops on NP7/NP7lite, instead of printing all the queues.
diagnose npu np7lite dce-drop-all 0 brief
diagnose npu np7lite dce-drop-all 0 b
diagnose npu np7lite dce-drop-all 0 0
diagnose npu np7 dce-drop-all 0 brief
diagnose npu np7 dce-drop-all 0 b
diagnose npu np7 dce-drop-all 0 0
Possible causes:
Fixes:
Confirm that the algorithm in use is supported for acceleration on the NP model in question (see Encryption algorithms).
Check with:
diagnose npu np6 port-list | grep <port_name>
diagnose npu np6xlite port-list | grep <port_name>
Note: Disabling ipsec-inbound-cache does not affect the performance of other traffic terminated by the FortiGate or traffic passing through it. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.