Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mbanica
Staff
Staff

Created on ‎10-31-2025 03:05 AM

Article Id 416933

Troubleshooting Tip: Replay detection errors when SD-WAN rule uses Lowest cost (SLA) with load balancing enabled

Description This article explains why replay detection errors appear in IPsec logs when an SD-WAN rule uses the Lowest cost (SLA) strategy with Load balancing enabled.
Scope

FortiGate with:

  • SD-WAN rule configured for Lowest cost (SLA).

  • Load balancing is enabled in the SD-WAN rule.

  • Multiple IPsec tunnels toward the same remote peer.

  • Replay detection is enabled in phase 2.
Solution

In this configuration, when multiple IPsec members meet the SLA target and have the same cost, Load balancing distributes sessions across all eligible tunnels.

 

 
Screenshot 2025-10-28 161202.png

Each tunnel maintains a separate Security Association (SA) with independent ESP sequence numbers. Replay detection is enabled by default under the phase2 configuration.


When packets of the same flow traverse more than one tunnel, the remote peer receives duplicate or out-of-order ESP sequence numbers and logs replay detection events such as:

 

date=2025-10-06 time=15:04:34 id=7558093854767841317 type="event" subtype="vpn" level="critical" action="error" msg="IPsec ESP error" logdesc="IPsec ESP" remip=1.1.1.1 locip=2.2.2.2 vpntunnel="HUB1" error_num="Invalid ESP packet detected (replayed packet)."

 

Resolution:

  • Keep the Lowest cost (SLA), but disable Load balancing in the SD-WAN rule for IPsec traffic.

  • Change the Interface Selection Strategy to Best Quality, then only 1 member will be selected.

 

Screenshot 2025-10-28 161251.png

  • Assign different cost values to each IPsec member (for example, 10 and 20). This ensures only one tunnel is active at a time, preventing duplicate SAs and replay detection.

 

config system sdwan
    config members
        edit 1
            set interface "HUB1"
            set cost 10
        next
            edit 2
                set interface "HUB2"
                set cost 20
            next
        end
    end

 

  • Replay detection must be disabled under Phase 2 when the Lowest Cost (SLA) rule is retained with Load Balancing enabled.

 

FGT (phase2-interface) # edit HUB1

FGT (HUB1) # show
name : HUB1
phase1name : HUB1
proposal :
replay : enable <----- Disable.
keepalive : disable
auto-negotiate : disable
inbound-dscp-copy : phase1
auto-discovery-sender: phase1
auto-discovery-forwarder: phase1
keylife-type : seconds
encapsulation : tunnel-mode
comments :
src-addr-type : subnet
dst-addr-type : subnet
keylifeseconds : 43200

 

Key point:
Load balancing with equal-cost IPsec members sends traffic over multiple tunnels simultaneously, which triggers replay detection on the remote peer.
Labels:
79
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.