jompsi
New Contributor

IPSec dpd_failure and esp_error

Hello

 

We have a FortiGate 60D. Now I see that in the log are often these two errors:

- IPSec DPD failure (dpd_failure)

- IPSec ESP (esp_error) - Received ESP packet with unknown SPI

 

Our FG has 5 IPsec sites connected, but the traffic between our router and the 5 tunnels is minimal (about 8 MB a day per tunnel). These two errors appear only with the same 2 IPsec tunnels. What I read about the errors is that they can occur with slow bandwidth. For one of the two problem tunnels that could be the explanation, because the router is connected to the internet over GPRS, but the other tunnel has a VDSL connection, which shouldn't be that slow.

 

Honestly, I don't fully understand these error messages and I don't know what I can do to resolve them. Or otherwise, if they can't be resolved, I don't understand them enough to say "Oh, that's no problem, these errors are there but they cause no trouble".

 

I would be really happy/thankful if someone could help me understand these errors better.

 

Kind regards

Joel

Armando_Gomez_Barrio
New Contributor III

Hi,

Managed to solve the problem of "ipsec dpd failure"?

I have the same problem.

Kind Regards,

Armando Gómez
emnoc
Esteemed Contributor III
For item #1, DPD might not be supported or enabled on the far-end IPsec peer.

 

For item #2, are the IPsec SA lifetime values set the same on both sides?

 

How often are SPI errors coming in? Do you have IPsec tunnel stability issues or lack of reach?

 

Both of these log messages are not critical events, but ensure both IPsec peers' values are the same; enabling DPD only on devices that support DPD and have it enabled would reduce these messages.

PCNSE 

NSE 

StrongSwan  
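As an added triage example (not from the original thread, and not FortiGate's own tooling), this Python script answers emnoc's "how often are SPI errors coming in?" by counting the two events per tunnel in exported FortiGate event logs, and flags tunnels where an unknown-SPI error closely follows a DPD failure, the pattern that points at SAs out of sync (lifetime or DPD mismatch between peers) rather than a merely lossy link. The log lines are constructed samples in the key="value" style; field names such as vpntunnel and error_num are assumptions about the export format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate-style key="value" event-log format (not real captures).
SAMPLE_LOG = """\
date=2019-03-04 time=08:01:12 type="event" subtype="vpn" level="error" action="dpd_failure" msg="IPsec DPD failure" vpntunnel="site-gprs" remip=198.51.100.10
date=2019-03-04 time=08:01:40 type="event" subtype="vpn" level="error" action="esp_error" msg="IPsec ESP" error_num="Received ESP packet with unknown SPI." vpntunnel="site-gprs"
date=2019-03-04 time=08:05:02 type="event" subtype="vpn" level="notice" action="negotiate" msg="progress IPsec phase 2" vpntunnel="site-vdsl"
date=2019-03-04 time=08:31:12 type="event" subtype="vpn" level="error" action="dpd_failure" msg="IPsec DPD failure" vpntunnel="site-vdsl" remip=203.0.113.5
date=2019-03-04 time=08:44:13 type="event" subtype="vpn" level="error" action="esp_error" msg="IPsec ESP" error_num="Received ESP packet with unknown SPI." vpntunnel="site-vdsl"
date=2019-03-04 time=09:02:55 type="event" subtype="vpn" level="error" action="dpd_failure" msg="IPsec DPD failure" vpntunnel="site-gprs" remip=198.51.100.10
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def ipsec_error_counts(log_text):
    """Per-tunnel counts of dpd_failure and esp_error events (VPN-subtype lines only)."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") in ("dpd_failure", "esp_error"):
            counts[rec.get("vpntunnel", "?")][rec["action"]] += 1
    return dict(counts)

def esp_errors_shortly_after_dpd(log_text, window_s=120):
    """Tunnels where an unknown-SPI error follows a DPD failure within window_s seconds:
    the pairing that suggests SAs out of sync (one side dropped the SA after DPD while
    the peer kept sending ESP with the old SPI) rather than just a lossy link."""
    last_dpd, flagged = {}, set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "vpn":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        tunnel = rec.get("vpntunnel", "?")
        if rec.get("action") == "dpd_failure":
            last_dpd[tunnel] = ts
        elif rec.get("action") == "esp_error" and tunnel in last_dpd:
            if (ts - last_dpd[tunnel]).total_seconds() <= window_s:
                flagged.add(tunnel)
    return flagged

if __name__ == "__main__":
    print(ipsec_error_counts(SAMPLE_LOG), esp_errors_shortly_after_dpd(SAMPLE_LOG))
```

Feed it a real log export and compare the per-tunnel counts against each tunnel's configured SA lifetimes; errors recurring at roughly the rekey interval on only one tunnel are the mismatch emnoc asks about.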