|
The Error:
Invalid ESP packet detected (HMAC validation failed).
Reason:
The reason for this error on FortiGate is that the MAC calculated by FortiGate does not match the one inside the ESP packet received from the VPN peer.
The cause of this error can reside in 2 places:
- In the Kernel (software).
- In the Hardware (NPU).
In case it resides in the kernel, it will be visible in:
Similar messages will be visible in the log:
status=esp_error error_num=Invalid ESP packet detected (HMAC validation failed). spi=fe2b6574 seq=0000ba0d
Similar messages will be visible in IKE debug:
ike 1:My_VPN: invalid ESP 1 (HMAC) SPI fe2c9989 seq 0000c10f 9 x.x.x.x->y.y.y.y
- The RX error (rxe) counter:
Use 'diagnose netlink interface list My_VPN' on the IPSec interface (phase 1), repeat the command a couple of times, and the rxe counter will increase.
diagnose netlink interface list My_VPN
if=My_VPN family=00 type=768 index=15 mtu=1500 link=0 master=0
ref=15 state=off start fw_flags=0 flags=up p2p run noarp multicast
Qdisc=noqueue
stat: rxp=0 txp=0 rxb=0 txb=0 rxe=125 txe=0 rxd=0 txd=0 mc=0 collision=0
It can reside in hardware (NPU):
In this case, the error will not be visible in the first 3 places mentioned (Event log, IKE debug, and rxe counter). It is only possible to see the error in the NPU DCE counter (non-zero sub-engine drop count).
To check NPU DCE counter, use:
- For NP6, NP6XLite, and NP6Lite.
diagnose npu np6xlite dce 0 <----- np6xlite platform .
diagnose npu np6 dce 0/1 <----- np6 platform.
diagnose npu np6lite dce 0 <--- np6lite platform.
- For NP7 and NP7Lite.
diagnose npu np7lite dce-drop-all 0 <----- np7lite platform (as NP7lite platforms have only one NP, omit the 0).
diagnose npu np7 dce-drop-all 0/1 <----- np7 platform (only type in NP ID 0 or 1, but use 0/1).
Note:
Use the commands below to display only the queue/s with drops on NP7/NP7lite, instead of printing all the queues.
diagnose npu np7lite dce-drop-all 0 brief
diagnose npu np7lite dce-drop-all 0 b
diagnose npu np7lite dce-drop-all 0 0
diagnose npu np7 dce-drop-all 0 brief
diagnose npu np7 dce-drop-all 0 b
diagnose npu np7 dce-drop-all 0 0
Possible causes:
- This error can be caused by a misconfiguration on any of the peers (local FortiGate or remote FortiGate if both ends are FortiGates, or a third-party device if peering with 3rd party).
- It can be because the ESP packet was altered.
Wireshark can be used to check the HMAC of the ESP packet sent and received on the FortiGate.
- It can be an issue with the NPU offloading.
- It may be due to a calculation error during encryption on the sender or decryption on the receiver.
Fixes:
- Ensure that the proposal matches (on local and remote). If the tunnel failed to connect, disable the corresponding tunnel interface for at least 5 minutes in Network -> Interfaces, expand the WAN interface, then 'right-click' and disable the tunnel interface. Right-click again to enable the interface after 5 minutes.
- Ensure the IPsec SA Encrypt/Decrypt algorithm and HMAC are supported by the unit’s NPU.
Confirm the Algorithm that supports acceleration in accordance with the NP model: Encryption algorithms.
- Ensure the interface bound to IPSec phase 1 is on the NPU’s port list.
Check with:
diagnose npu np6 port-list | grep <port_name>
diagnose npu np6xlite port-list | grep <port_name>
-
Try to disable hardware offload under phase1:
config vpn ipsec phase1-interface
edit <p1_name>
set npu-offload disable
end
-
CPx offload can be disabled if needed:
config system global
set ipsec-hmac-offload disable
set ipsec-asic-offload disable
end
-
Disable anti-reply under phase 2:
config vpn ipsec phase2-interface
edit <p2_name>
set replay disable
end
-
Disable IPsec-inbound-cache:
config system npu
set ipsec-inbound-cache disable
end
Note:
Disabling ipsec-inbound-cache does not affect the performance of other traffic terminated by the FortiGate or traffic passing through it.
|
