I have a site to site VPN between an on-prem FortiGate 500E and a vFortiGate in Azure.
Due to the distance between the FortiGates geographically, I’m trying out Forward Error Correction (FEC) ingress and egress on both FortiGates to see if it can improve on lost UDP traffic (main issue, missing RADIUS packets).
To use FEC on VPN, Fortinet's documentation notes that NPU acceleration has to be disabled on the Phase1.
This has been done on the FGT500E as it can use NPU. The vFGT in Azure does not.
I’m seeing ESP errors in my VPN event log.
As FEC re-transmits some packets, this makes sense to me, as an ESP packet with a sequence number could be re-transmitted.
Of course, I could deactivate anti-replay on phase2 and the events would go away.
The official documentation that I have looked at on docs.fortinet.com does not say anything about ESP errors being a side-effect of enabling the feature.
I guess my question is, am I missing something? I find it a bit odd that I would have to disable a security feature to be able to make use of a reliability feature.
Various errors can occur with ESP (Encapsulating Security Payload), but among them, the most frequently encountered is "Invalid ESP Packet detected". If you encounter this particular error, it is highly probable that it is attributable to the following factors.
The encrypted packet becomes corrupted during transmission from the remote gateway to the local gateway.
The remote gateway used the wrong cookie/key to encrypt.
However, these errors started after I enabled FEC. They did not appear before. Also, based on the nature of FEC, which uses transmitted packets, it makes sense why anti-replay would react to ESP packets with a sequence number that could already have been received.
I just did not expect to see any errors, and I would expect FortiOS to somehow be able to "understand" that with FEC enabled, duplication of ESP packets may occur, hence "foresee" this and ignore it without me having to disable anti-replay.
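As an added illustration of the reasoning in this thread (it is not code from the thread, from Fortinet, or from FortiOS, and it does not reproduce FortiOS's actual FEC or ESP implementation), the following Python models an RFC 4303 style ESP anti-replay sliding window and feeds it a constructed packet stream in which a redundancy scheme re-sends some packets. The window size, the "every n-th packet is sent twice" sender model, and the verdict names are all assumptions made for the example. It shows the point the original poster makes: the receiver tolerates reordering inside the window, but an exact duplicate of an already-seen sequence number is reported as a replay regardless of how wide the window is, so widening the window cannot make such events disappear.

```python
# Added example (not from this thread and not FortiOS code): an RFC 4303 style
# ESP anti-replay sliding window, fed a constructed stream in which a
# redundancy scheme re-sends packets, to show why exact duplicates are
# always reported as replays no matter how large the window is.

from dataclasses import dataclass

WINDOW_SIZE = 64  # assumption: a typical default anti-replay window size


@dataclass
class AntiReplayWindow:
    """Sliding window over ESP sequence numbers (RFC 4303 section 3.4.3)."""
    size: int = WINDOW_SIZE
    highest: int = 0  # highest sequence number accepted so far
    bitmap: int = 0   # bit i set => sequence number (highest - i) was seen

    def check(self, seq: int) -> str:
        """Classify one received sequence number as 'accept', 'replay' or 'too_old'."""
        if seq <= 0:
            return "replay"  # sequence number 0 is never valid on an SA
        if seq > self.highest:
            # Packet is newer than anything seen: slide the window forward.
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"  # fell off the left edge of the window: dropped
        if self.bitmap & (1 << offset):
            return "replay"   # already seen inside the window: exact duplicate
        self.bitmap |= 1 << offset  # late but not yet seen: accepted and remembered
        return "accept"


def classify(seqs, size=WINDOW_SIZE):
    """Run a stream of sequence numbers through a fresh window; return (seq, verdict) pairs."""
    window = AntiReplayWindow(size=size)
    return [(seq, window.check(seq)) for seq in seqs]


def summarize(results):
    """Count verdicts, e.g. {'accept': 12, 'replay': 3, 'too_old': 0}."""
    counts = {"accept": 0, "replay": 0, "too_old": 0}
    for _, verdict in results:
        counts[verdict] += 1
    return counts


def resend_every(seqs, n):
    """Constructed sender model: every n-th packet is put on the wire twice."""
    stream = []
    for i, seq in enumerate(seqs, start=1):
        stream.append(seq)
        if i % n == 0:
            stream.append(seq)
    return stream


if __name__ == "__main__":
    clean = list(range(1, 13))
    redundant = resend_every(clean, 4)
    print("no redundancy:", summarize(classify(clean)))
    print("every 4th packet sent twice:", summarize(classify(redundant)))
    print("same stream, 1024-wide window:", summarize(classify(redundant, size=1024)))
    # Reordering within the window is tolerated; an exact duplicate is not.
    print("reordered, no duplicates:", classify([1, 2, 3, 5, 4]))
    print("far behind the window:", classify([1, 100, 10])[-1])
```

Running the script prints twelve accepted packets and zero replays for the clean stream, three replays for the stream with every fourth packet sent twice, and the same three replays when the window is widened to 1024 entries. That is the structural reason the events in the thread cannot be tuned away by window size: a re-sent ESP packet carries a sequence number the receiver has already consumed, which is exactly the condition anti-replay exists to reject, so either the check is disabled on that SA or the duplicates must be removed before they reach the ESP layer.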