Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

IPSec Phase1 Error

Hi all,

I'm facing a problem with tunnel IPSEC site-to-site. I receiving the log "INVALID-SPI" and after this Received ESP packet with unknown SPI. Does someone have any idea what it could be?


Best Regards


New Contributor

are you getting second message ? if its main mode ? phase-1 ?

I have a doubt, because the tunnel towards Remote Gateway is a Dialup user with setting on main mode.

Sorry, but I don't understood what do You mean with "are you getting third message".


Thanks in advance


sorry I wanted to mention second message take packet capture and see how many messages you are getting. main mode have 6 message for phase 1 for aggressive mode its 4 message if you are not getting second message then there is some mismatch in parameters

Per se, these messages do not suggest that you have a problem. It's just that your FGT is listening for IPsec (AH, ESP) and incoming traffic is not related to any VPN you have created/used.

Unless I'm totally off, and you can clarify the situation you have.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!


I solved the problem with a simply reboot of the Appliance.

Thanks a lot.

BRs Danilo


I'd suggest looking into debug log on cli:


 diag debug ena

 diag debug application ike -1


(diag debug application ike 0 disables it again)


while this runs try to establish the vpn.

It is ofthe neccessary to log at logs on both ends to find the problem.



"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
New Contributor

From Wikipedia;

"The Security Parameter Index (SPI) is an identification tag added to the header while using IPsec for tunneling the IP traffic. This tag helps the kernel discern between two traffic streams where different encryption rules and algorithms may be in use."


So it looks like either;

1. the tunnel was setup but it has expired on your end, or

2. its a stray packet for something else


If #1, then check that the timer and data volume rekeying parameters are the same on both ends of the tunnel

If #2, do the endpoint IPs match?


My first guess would be that you have a shorter timer on your IPSec SAs than the remote end has, but usually tunnels fail to setup when parameters dont match. I have no experience with Forti IPSec...


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors