Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
huyhoang8344
New Contributor

VPN IPSEC Error Received ESP packet with unknown SPI.

Hi guys, I have 2 IPsec VPN tunnels and both have the same error. It happens randomly, and when it happens it seems like there is no traffic stream in the tunnel even though the monitoring says the VPN is up. I have been looking a lot but no solution so far. Any suggestion would be great. I'm using a FortiGate 100D at my site; the client site is a PA 500.
37 REPLIES
ede_pfau
Esteemed Contributor III

Any thoughts about the QM selectors?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
huyhoang8344

Any thoughts about the QM selectors?
Seems like it does not work. Thanks
emnoc
Esteemed Contributor III

The tunnel is up but it seems like the traffic cannot pass through. We have a SIP trunk between both sides, but when these errors come up the 2 PBXs cannot communicate with each other; I cannot even ping the PBX at the other side.
The diag debug flow would be my 1st step, e.g.

    diag debug reset
    diag debug flow filter addr <pbx host or phone>
    diag debug flow show console enable
    diag debug flow trace start 100

That would get you started in the right direction.

PCNSE 

NSE 

StrongSwan  

huyhoang8344

The diag debug flow would be my 1st step, e.g.

    diag debug reset
    diag debug flow filter addr <pbx host or phone>
    diag debug flow show console enable
    diag debug flow trace start 100

That would get you started in the right direction.
I got nothing from the output. It just happens randomly; I don't know why and when it happens. Thank you
Any thoughts about the QM selectors?
I have tried it, let's see whether it works or not. Thank you in advance. Regards, Hoang
huyhoang8344

id=13 trace_id=739 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236"
id=13 trace_id=739 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1"
id=13 trace_id=740 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.95.102.70:53->10.171.80.100:51451) from ppp1."
id=13 trace_id=740 func=resolve_ip_tuple_fast line=4335 msg=" Find an existing session, id-0004e6a4, reply direction"
id=13 trace_id=740 func=vf_ip4_route_input line=1603 msg=" find a route: gw-10.171.80.100 via Auto"
id=13 trace_id=740 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=reply)"
id=13 trace_id=740 func=insert_vlan_header line=53 msg=" insert vlan cos:0 id:9"
id=13 trace_id=740 func=__if_queue_push_xmit line=364 msg=" send out via dev-port15, dst-mac-00:09:0f:b8:1b:40"
id=13 trace_id=741 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:62305->10.95.102.70:53) from Wearnes."
id=13 trace_id=741 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e6f8"
id=13 trace_id=741 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1"
id=13 trace_id=741 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8"
id=13 trace_id=741 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt"
id=13 trace_id=741 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)"
id=13 trace_id=741 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1"
id=13 trace_id=741 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236"
id=13 trace_id=741 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1"
id=13 trace_id=742 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:62851->10.95.102.70:53) from Wearnes."
id=13 trace_id=742 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e6fe"
id=13 trace_id=742 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1"
id=13 trace_id=742 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8"
id=13 trace_id=742 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt"
id=13 trace_id=742 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)"
id=13 trace_id=742 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1"
id=13 trace_id=742 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236"
id=13 trace_id=742 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1"
id=13 trace_id=743 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.95.102.70:53->10.171.101.114:62305) from ppp1."
id=13 trace_id=743 func=resolve_ip_tuple_fast line=4335 msg=" Find an existing session, id-0004e6f8, reply direction"
id=13 trace_id=743 func=vf_ip4_route_input line=1603 msg=" find a route: gw-10.171.101.114 via Wearnes"
id=13 trace_id=743 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=reply)"
id=13 trace_id=743 func=insert_vlan_header line=53 msg=" insert vlan cos:0 id:9"
id=13 trace_id=743 func=__if_queue_push_xmit line=364 msg=" send out via dev-port15, dst-mac-00:09:0f:b8:1b:40"
id=13 trace_id=744 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:53123->10.95.102.70:53) from Wearnes."
id=13 trace_id=744 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e703"
id=13 trace_id=744 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1"
id=13 trace_id=744 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8"
id=13 trace_id=744 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt"
id=13 trace_id=744 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)"
id=13 trace_id=744 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1"
id=13 trace_id=744 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236"
id=13 trace_id=745 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:55385->10.95.102.70:53) from Wearnes."
id=13 trace_id=745 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e704"
id=13 trace_id=745 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1"
id=13 trace_id=745 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8"
id=13 trace_id=745 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt"
id=13 trace_id=745 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)"
id=13 trace_id=745 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1"
id=13 trace_id=745 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236"
id=13 trace_id=744 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1"

id=13 trace_id=750 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=750 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=750 msg=" syned but no ack, drop"
id=13 trace_id=751 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=751 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=751 msg=" syned but no ack, drop"
id=13 trace_id=752 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=752 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=752 msg=" syned but no ack, drop"
id=13 trace_id=753 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=753 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=753 msg=" syned but no ack, drop"
id=13 trace_id=754 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=754 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=754 msg=" syned but no ack, drop"
id=13 trace_id=755 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=755 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=755 msg=" syned but no ack, drop"
id=13 trace_id=756 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=756 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=756 msg=" syned but no ack, drop"
id=13 trace_id=757 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=757 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=757 msg=" syned but no ack, drop"
id=13 trace_id=758 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=758 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=758 msg=" syned but no ack, drop"
id=13 trace_id=759 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=759 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=759 msg=" syned but no ack, drop"
id=13 trace_id=760 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=760 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=760 msg=" syned but no ack, drop"
id=13 trace_id=761 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=761 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=761 msg=" syned but no ack, drop"
id=13 trace_id=762 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=762 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=762 msg=" syned but no ack, drop"
id=13 trace_id=763 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13."
id=13 trace_id=763 msg=" Find an existing session, id-000040b1, original direction"
id=13 trace_id=763 msg=" syned but no ack, drop"
Here is the output; any suggestion would be great, you guys. The VPN tunnel is still up but traffic cannot get through.
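An added example, not from this thread or from Fortinet: a small Python parser that takes `diag debug flow` output of the shape posted above (including entries run together on one line), groups the messages by trace_id and reduces each trace to what happened to that packet: ingress interface, session id, the policy that matched, the IPsec tunnel it entered and the final disposition. It also counts repeated drops per session, which is how the "syned but no ack, drop" run on session 000040b1 stands out next to the DNS packets that are being encrypted into Tunel_1. The sample lines are constructed in the shape of the posted trace, and the only message patterns matched are the ones visible in this thread; other firmware builds may word messages differently.

```python
"""Summarise FortiGate `diag debug flow` output per trace_id.

Constructed example, not from the forum thread or from Fortinet.  The only
message patterns matched are the ones visible in the posted trace.
"""
import re
from collections import defaultdict

# One debug-flow entry; func= and line= are absent in the SIP part of the posted trace.
ENTRY_RE = re.compile(
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+)'
    r'(?: func=(?P<func>\S+))?(?: line=(?P<line>\d+))? msg="(?P<msg>[^"]*)"'
)
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>[^.\s]+)'
)
SESSION_RE = re.compile(r'session(?:-|, id-)(?P<sid>[0-9a-f]+)')   # "new session-XXXX" / "session, id-XXXX"
POLICY_RE = re.compile(r'Allowed by Policy-(?P<num>\d+): (?P<action>\w+)')
TUNNEL_RE = re.compile(r'enter IPsec tunnel-(?P<name>\S+)')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample in the shape of the posted trace, deliberately run together
# on one line the way the forum extraction shows it.
SAMPLE = (
    'id=13 trace_id=741 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:62305->10.95.102.70:53) from Wearnes." '
    'id=13 trace_id=741 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e6f8" '
    'id=13 trace_id=741 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt" '
    'id=13 trace_id=741 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1" '
    'id=13 trace_id=741 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236" '
    'id=13 trace_id=741 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1" '
    'id=13 trace_id=743 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.95.102.70:53->10.171.101.114:62305) from ppp1." '
    'id=13 trace_id=743 func=resolve_ip_tuple_fast line=4335 msg=" Find an existing session, id-0004e6f8, reply direction" '
    'id=13 trace_id=743 func=__if_queue_push_xmit line=364 msg=" send out via dev-port15, dst-mac-00:09:0f:b8:1b:40" '
    'id=13 trace_id=750 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." '
    'id=13 trace_id=750 msg=" Find an existing session, id-000040b1, original direction" '
    'id=13 trace_id=750 msg=" syned but no ack, drop" '
    'id=13 trace_id=751 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." '
    'id=13 trace_id=751 msg=" Find an existing session, id-000040b1, original direction" '
    'id=13 trace_id=751 msg=" syned but no ack, drop"'
)


def parse_entries(text):
    """Yield (trace_id, msg) for every entry, even when several entries share one line."""
    for m in ENTRY_RE.finditer(text):
        yield int(m["trace"]), m["msg"].strip()


def new_trace():
    return {"proto": None, "src": None, "dst": None, "ingress": None,
            "session": None, "policy": None, "tunnel": None,
            "outcome": "incomplete", "msgs": []}


def summarize(text):
    """Group messages by trace_id and reduce each trace to what happened to the packet."""
    traces = {}
    for trace_id, msg in parse_entries(text):
        t = traces.setdefault(trace_id, new_trace())
        t["msgs"].append(msg)
        if (pkt := PKT_RE.search(msg)):
            proto = int(pkt["proto"])
            t["proto"] = PROTO_NAMES.get(proto, str(proto))
            t["src"] = f'{pkt["src"]}:{pkt["sport"]}'
            t["dst"] = f'{pkt["dst"]}:{pkt["dport"]}'
            t["ingress"] = pkt["intf"]
        if (sess := SESSION_RE.search(msg)):
            t["session"] = sess["sid"]
        if (pol := POLICY_RE.search(msg)):
            t["policy"] = (int(pol["num"]), pol["action"])
        if (tun := TUNNEL_RE.search(msg)):
            t["tunnel"] = tun["name"]
        # Final disposition: the last of these seen for the trace wins.
        if msg.startswith("encrypting"):
            t["outcome"] = "encrypted"
        elif "send out via" in msg:
            t["outcome"] = "forwarded"
        elif msg.endswith("drop"):
            t["outcome"] = "dropped: " + msg
    return traces


def repeated_drops(traces):
    """Count drops per (session id, reason).  Many drops on one session is the
    'syned but no ack' pattern: SYN retransmits with no SYN/ACK ever coming back."""
    counts = defaultdict(int)
    for t in traces.values():
        if t["outcome"].startswith("dropped: "):
            counts[(t["session"], t["outcome"][len("dropped: "):])] += 1
    return dict(counts)


def report(traces):
    """Render one line per trace, in trace_id order."""
    lines = []
    for trace_id in sorted(traces):
        t = traces[trace_id]
        pol = f" policy={t['policy'][0]}/{t['policy'][1]}" if t["policy"] else ""
        tun = f" tunnel={t['tunnel']}" if t["tunnel"] else ""
        lines.append(f"trace {trace_id}: {t['proto']} {t['src']} -> {t['dst']} "
                     f"in={t['ingress']} session={t['session']}{pol}{tun} => {t['outcome']}")
    return lines


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print("\n".join(report(summary)))
    for (sid, reason), n in repeated_drops(summary).items():
        print(f"session {sid}: {n} x '{reason}'")
```

Run it against a saved console capture instead of SAMPLE (read the file and pass its contents to summarize) to get one line per traced packet. A trace that ends in "encrypted" tells you the FortiGate handed the packet to the tunnel, so a missing reply has to be investigated on the far side or on the path; a session accumulating "syned but no ack, drop" entries is the local firewall discarding SYN retransmits because the handshake never completed, which is exactly what the SIP trace in this thread shows.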
Istvan_Takacs_FTNT

You may need to add the following at the end:

    # diagnose debug enable
ede_pfau
Esteemed Contributor III

The second trace shows SIP traffic not completing. Is this traffic across the tunnel? Anyway, this could have many reasons. Mainly, the receiver does not respond, does not want to or is not able to because traffic is blocked. Hard to tell from here.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

I have to agree, the SIP (tcp) is not being ACK'd. Are you sure it's tcp and not 5060/udp or 5061/udp as an alternative?

On the PA you can execute something similar to the diag debug flow:

    debug dataplane packet-diag set filter match destination <x.x.x.x>
    debug dataplane packet-diag set filter match source <y.u.u.u>
    debug dataplane packet-diag set filter on
    debug dataplane packet-diag set log feature flow basic
    debug dataplane packet-diag set log on

and then clear it when done:

    debug dataplane packet-diag set log off

As you can see, it's very fortinet and more juniper SRX like :)

On the SPI errors, is this a policy-based vpn with an encrypt action by ID25? What if you built this as a route-based vpn, would the SPI error still be present? If your only complaint is that of the invalid SPI, then I would not worry too much.

For the QM proxy-ids, they need to match what the PA500 has. Do you have access to the PA? Did you get any of the output that was suggested, and mainly the wrong SPI? Can you get the vpn tunnel status via:

    show vpn ike-sa    ( phase1 related goodies )
    show vpn ipsec-sa  ( phase2 related goodies )

Once again very SRX like.

PCNSE 

NSE 

StrongSwan  

huyhoang8344

I have configured a policy-based VPN, and I have been searching around: route-based has the same issue and it is still not fixed yet. The rule between the 2 PBXs allows all services and this traffic is across the tunnel, so TCP or UDP should be OK. Both QM proxy-IDs are matched; that is why the tunnel is up and working fine until the errors come. I do not have access to the PA500, and all the output which was posted here is all I have got so far.
huyhoang8344

First I want to thank emnoc and ede_pfau; based on your advice I have just fixed this issue, apparently. Second, I want to update a little bit on how I fixed it. As said, I do not have access to the PA 500, so I do not know what kind of VPN configuration that device has, so I was using a policy-based VPN, which is easier than a route-based VPN, and the problem happened on and on randomly. Now I have changed to a route-based VPN and there are no error messages anymore. Seems like the PA500 is configured as a route-based VPN. Thanks all of you