FortiGate
preetisingh
Staff
Article Id 352983
Description

This article describes how to understand and troubleshoot the 'Invalid ESP packet detected (replayed packet)' error.

Scope

FortiOS.

 

Solution

The Error:
Invalid ESP packet detected (replayed packet).

Reason:
IPsec assigns a monotonically increasing sequence number to each encrypted (ESP) packet to provide anti-replay protection against an attacker. The receiving IPsec endpoint uses these numbers together with a sliding window of acceptable sequence numbers to keep track of which packets it has already processed.
When FortiGate receives incoming IPsec traffic with a sequence number it has already received, the packet is marked as a duplicate and dropped.
When the IPsec SA lifetime is too long or the traffic volume is high, the same ESP sequence number can be seen again once the 32-bit ESP sequence number space has been used up and the counter starts again from 1.

To verify the duplicate sequence number, perform an ESP packet capture. To decrypt the ESP packets, refer to:

Technical Tip: Decrypt ESP packets


Solution:
Option 1: Disable anti-replay protection on the VPN tunnel.

config vpn ipsec phase2-interface
    edit <phase2-name>
        set replay <enable | disable>
    end

Use 'set replay disable' to turn anti-replay protection off for this phase 2. Note that this removes the replay check entirely for the tunnel, so duplicate ESP packets are no longer detected.

 

For more information about anti-replay protection, refer to:

Technical Tip: Explaining IPSEC Anti-replay and preventing packet drops


Option 2: Reduce the IPsec phase 2 lifetime so that a new SA (with a fresh sequence counter) is created sooner.

For keylifeseconds:

config vpn ipsec phase2-interface
    edit <phase2-name>
        set keylifeseconds <time in seconds>
    end


For keylifekbs:

config vpn ipsec phase2-interface
    edit <phase2-name>
        set keylife-type kbs
        set keylifekbs <integer>
    end

Make sure the same settings are configured on both the local and the peer IPsec gateway.
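The sliding-window check described under Reason, together with the effect of Option 1 (no replay check) and Option 2 (a rekey giving the SA a fresh counter), as an added example. This is not Fortinet's code: the window size, the sequence numbers and the "capture" are constructed for illustration.

```python
# Added example (not Fortinet code): a simplified RFC 4303 style receiver-side
# anti-replay window showing why a repeated or wrapped ESP sequence number is
# dropped as "replayed", and what each of the two fixes above changes.
WINDOW_SIZE = 64          # constructed demo size; real windows are larger
SEQ_MAX = 2**32 - 1       # 32-bit ESP sequence number space (no extended SN)

class AntiReplayWindow:
    """Receiver state: highest accepted sequence number plus a bitmap of the
    WINDOW_SIZE numbers at or below it (bit 0 corresponds to `highest`)."""

    def __init__(self, enabled=True):
        self.enabled = enabled      # False models 'set replay disable'
        self.highest = 0
        self.bitmap = 0

    def check(self, seq):
        """Return 'accept' or 'replayed' for one incoming ESP sequence number."""
        if not self.enabled:
            return "accept"         # Option 1: no check, duplicates pass through
        if seq == 0:
            return "replayed"       # ESP counters start at 1; 0 is never valid
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window right; a jump past the whole window clears it.
            mask = (1 << WINDOW_SIZE) - 1
            self.bitmap = 0 if shift >= WINDOW_SIZE else (self.bitmap << shift) & mask
            self.bitmap |= 1
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= WINDOW_SIZE or self.bitmap & (1 << offset):
            return "replayed"       # behind the window, or already seen inside it
        self.bitmap |= 1 << offset
        return "accept"

def process_capture(seqs, replay=True, rekey_before=None):
    """Feed constructed sequence numbers through one SA. A rekey (Option 2) is
    modelled as a fresh window before index `rekey_before`: a new SA has its own counter."""
    window = AntiReplayWindow(enabled=replay)
    verdicts = []
    for i, seq in enumerate(seqs):
        if i == rekey_before:
            window = AntiReplayWindow(enabled=replay)
        verdicts.append(window.check(seq))
    return verdicts

# Constructed capture: normal traffic, one duplicate, then the 32-bit counter
# running out and restarting from 1 on the same SA (the case described above).
CAPTURE = [1, 2, 3, 2, SEQ_MAX - 1, SEQ_MAX, 1, 2]
```

Running process_capture(CAPTURE) drops the duplicate and both post-wrap packets; with replay=False everything is accepted, and with rekey_before=6 the restarted counter is accepted because it belongs to a new SA.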