Support Forum
NF2023
New Contributor

Tunnel to Cisco router keeps doing HMAC validation failed

We have serious problems with keeping our VPN Tunnels up to our cisco devices.

After some time we see the following error in the FortiGate log: Invalid ESP packet detected (HMAC validation failed).

Cisco log: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3547 spi=8905364E seqno=00033572

Only solution is restarting the tunnel.

FortiGate is running 7.0.12

We tried upgrading our Cisco 2911 router firmware to 15.5 and disabled FortiGate NPU offloading with no success.

Attached you find the FortiGate tunnel config:

config vpn ipsec phase1-interface
edit Tunnel1
set interface "VLAN-XXX"
set local-gw xx.xx.xx.xx
set keylife 28800
set peertype any
set net-device disable
set exchange-interface-ip enable
set proposal aes256-sha256
set npu-offload disable
set dhgrp 21
set nattraversal disable
set remote-gw xx.xx.xx.xx

config vpn ipsec phase2-interface
edit "Tunnel1"
set phase1name "Tunnel1"
set proposal aes256-sha256
set dhgrp 21
set auto-negotiate enable
set keylifeseconds 3600


and the Cisco configuration:

crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 21
lifetime 28800
crypto isakmp key xxx address xx.xx.xx.xx
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set Tunnel-IPSEC esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile Tunnel-IPSEC
set transform-set Tunnel-IPSEC
set pfs group21
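As an added example (not part of the original post, and not FortiGate or IOS tooling), the script below parses the two snippets above and checks that encryption/integrity proposals, DH groups and SA lifetimes agree for phase 1 and phase 2. The IOS defaults it fills in for values the Cisco snippet does not set (ISAKMP lifetime 86400 s, IPsec SA lifetime 3600 s, DES/SHA/group 1 for an ISAKMP policy) are assumptions taken from IOS documentation, not from the post. A clean result only rules out a static proposal mismatch; an HMAC failure that appears after the tunnel has been up for a while, as described here, needs the rekey and offload behaviour looked at separately.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample input: the two snippets from the post, including the
# poster's placeholder addresses. Only negotiation-relevant lines are used.
FORTIGATE_CONFIG = """
config vpn ipsec phase1-interface
edit Tunnel1
set interface "VLAN-XXX"
set local-gw xx.xx.xx.xx
set keylife 28800
set proposal aes256-sha256
set npu-offload disable
set dhgrp 21
set remote-gw xx.xx.xx.xx
config vpn ipsec phase2-interface
edit "Tunnel1"
set phase1name "Tunnel1"
set proposal aes256-sha256
set dhgrp 21
set keylifeseconds 3600
"""

CISCO_CONFIG = """
crypto isakmp policy 100
encr aes 256
hash sha256
authentication pre-share
group 21
lifetime 28800
crypto isakmp key xxx address xx.xx.xx.xx
crypto ipsec transform-set Tunnel-IPSEC esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec profile Tunnel-IPSEC
set transform-set Tunnel-IPSEC
set pfs group21
"""

Proposal = Tuple[str, str]  # (encryption, integrity), e.g. ("aes256", "sha256")


def parse_fortigate(text: str) -> Dict[str, Dict[str, str]]:
    """Collect 'set key value' lines under phase1-interface / phase2-interface."""
    phases: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase1-interface"):
            current = phases.setdefault("phase1", {})
        elif line.startswith("config vpn ipsec phase2-interface"):
            current = phases.setdefault("phase2", {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip().strip('"')
    return phases


def fortigate_view(phase: Dict[str, str], lifetime_key: str) -> dict:
    """Normalise one FortiGate phase to proposals / DH groups / lifetime."""
    proposals: Set[Proposal] = set()
    for prop in phase.get("proposal", "").split():   # e.g. "aes256-sha256 aes128-sha1"
        enc, _, auth = prop.partition("-")
        proposals.add((enc, auth))
    return {"proposals": proposals,
            "dh": set(phase.get("dhgrp", "").split()),  # FortiGate allows several groups
            "lifetime": phase.get(lifetime_key)}


def _cisco_enc(tokens: List[str]) -> str:
    """'aes 256' / 'esp-aes 256' -> 'aes256'; bare 'aes' is 128-bit on IOS."""
    name = tokens[0].replace("esp-", "", 1)
    if name == "aes":
        bits = tokens[1] if len(tokens) > 1 and tokens[1].isdigit() else "128"
        return "aes" + bits
    return name


def _cisco_hash(token: str) -> str:
    """'sha256' / 'esp-sha256-hmac' -> 'sha256'; 'sha' / 'esp-sha-hmac' -> 'sha1'."""
    h = token.replace("esp-", "", 1)
    if h.endswith("-hmac"):
        h = h[:-5]
    return "sha1" if h == "sha" else h


def parse_cisco(text: str) -> Dict[str, dict]:
    """Extract ISAKMP policy (phase1) and transform-set/PFS (phase2) settings."""
    p1 = {"proposals": set(), "dh": set(), "lifetime": "86400"}  # assumed IOS ISAKMP default
    p2 = {"proposals": set(), "dh": set(), "lifetime": "3600"}   # assumed IOS IPsec SA default
    pol: Dict[str, str] = {}
    in_policy = False

    def flush() -> None:  # assumed IOS policy defaults: des / sha / group 1
        p1["proposals"].add((pol.get("encr", "des"), pol.get("hash", "sha1")))
        p1["dh"].add(pol.get("group", "1"))
        p1["lifetime"] = pol.get("lifetime", p1["lifetime"])

    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "crypto" and in_policy:   # a new top-level command ends the policy block
            flush()
            in_policy, pol = False, {}
        if t[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = True
        elif in_policy and t[0] == "encr":
            pol["encr"] = _cisco_enc(t[1:])
        elif in_policy and t[0] == "hash":
            pol["hash"] = _cisco_hash(t[1])
        elif in_policy and t[0] in ("group", "lifetime"):
            pol[t[0]] = t[1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            rest, enc, auth = t[4:], None, None   # e.g. ['esp-aes', '256', 'esp-sha256-hmac']
            for i, tok in enumerate(rest):
                if tok.endswith("-hmac"):
                    auth = _cisco_hash(tok)
                elif tok.startswith("esp-"):
                    enc = _cisco_enc(rest[i:i + 2])
            p2["proposals"].add((enc, auth))
        elif t[:2] == ["set", "pfs"]:
            p2["dh"].add(t[2].replace("group", "", 1))
        elif t[:5] == ["crypto", "ipsec", "security-association", "lifetime", "seconds"]:
            p2["lifetime"] = t[5]
    if in_policy:
        flush()
    return {"phase1": p1, "phase2": p2}


def compare(fgt_text: str, cisco_text: str) -> List[str]:
    """Return a list of mismatches between the two sides; empty means consistent."""
    fgt, cisco = parse_fortigate(fgt_text), parse_cisco(cisco_text)
    findings: List[str] = []
    for phase, lifetime_key in {"phase1": "keylife", "phase2": "keylifeseconds"}.items():
        f, c = fortigate_view(fgt.get(phase, {}), lifetime_key), cisco[phase]
        if not f["proposals"] & c["proposals"]:
            findings.append(f"{phase}: no common proposal, FortiGate {sorted(f['proposals'])} "
                            f"vs Cisco {sorted(c['proposals'])}")
        if not f["dh"] & c["dh"]:
            findings.append(f"{phase}: no common DH group, FortiGate {sorted(f['dh'])} "
                            f"vs Cisco {sorted(c['dh'])}")
        if f["lifetime"] and f["lifetime"] != c["lifetime"]:
            findings.append(f"{phase}: lifetime differs, FortiGate {f['lifetime']}s "
                            f"vs Cisco {c['lifetime']}s")
    return findings


if __name__ == "__main__":
    print(compare(FORTIGATE_CONFIG, CISCO_CONFIG) or "no static mismatch found")
```

For the configuration in the post the checker reports nothing, which matches the fact that the tunnel does come up and only fails later; changing one side's DH group or lifetime in the sample shows how a genuine mismatch is flagged.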

2 REPLIES
abarushka
Staff

Hello,


A similar issue is described in the KB below:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Invalid-ESP-packet-detected-HMAC-val...


You may consider trying to apply steps 5-7 and checking whether the issue persists.
