huyhoang8344
New Contributor

VPN IPsec Error: Received ESP packet with unknown SPI.

Hi guys, I have 2 IPsec VPN tunnels and both have the same error. It happens randomly, and when it happens it seems like there is no traffic flowing in the tunnel even though the monitoring says the VPN is up. I have been looking a lot but no solution so far. Any suggestion would be great. I'm using a FortiGate 100D at my site; the client site is a PA 500.
Brady_R__Houser
New Contributor

I had the same issue and it all was an issue with my ISP. The ISP saw about 11 packets dropped out of 1000 it sent. My WAN connection was set to auto and needed to be set to 100 MB Full Duplex. It was defaulting to 100 Half Duplex. After making the change the issue went from all the time every day to maybe 2 messages a month.
huyhoang8344

Hi Brady, interesting. I thought it was fixed but it still goes on and on again. Could you please tell me more on this? In my country, it is not easy to tell the ISP that there is something wrong with their device or something like that. Please kindly share your experience, the way you handle the ISP as well. Regards, Hoang
emnoc
Esteemed Contributor III

I do not have access to a PA500, and all the output which was posted here is all I got so far.
You can't fix a VPN with wrong and/or invalid SPIs from a one-sided approach. You need to get access to, or someone on, the PaloAlto side of the VPN to give you the diagnostic outputs that were asked for earlier. I bet your SA time-out values are not matching and one side is tearing down the SA while the other is expecting it's up. But until you review the SA timeouts for both appliances and compare the values as Seconds|Bytes, you're flat guessing in the dark. FWIW, a speed/duplex issue does not craft a wrong SPI value.
PCNSE NSE StrongSwan
huyhoang8344

Hi emnoc, I have reviewed the SA time-out at both sides: phase 1 is 28800 sec on Fortinet, which is 8 hours on the PA, and phase 2 is 3600 sec on Fortinet, which is 1 hour on the PA. Seems all values are matching. If I am using NAT-T on Fortinet then the errors rarely happen, like 2 error messages in 2 days, but still randomly. Does it mean my ISP is using NAT and this is the main reason for those error messages? Looking forward to your reply.
Brady_R__Houser

Speed/duplex issues don't craft a wrong SPI value, but dropped packets due to incorrect speed settings can cause all types of issues. I actually didn't tell my ISP that they had it wrong, just that we were getting ESP errors on ports 500 and 4500. They tracked down the packet loss and we reviewed what the port settings needed to be for the physical connection to the ISP's equipment. Correcting these settings made the packet loss go away, and the errors as well. Brady
emnoc
Esteemed Contributor III

Maybe, but you can monitor the diag vpn ike gateway output from the CLI. If any remote gateway is using 4500/udp as the destination port, then NAT-T is involved. If you're using RFC 1918 addresses for the tunnel end-points, then NAT-T is an issue. e.g. diag sniffer packet wan1 "udp and port 4500"

I personally think IKEv2 would be beneficial here for NAT-T concerns. It natively supports NAT traversal and is supported by almost all major firewalls, and FGT has supported this since as early as FortiOS 3.0 iirc, BUT PANOS still has no support for it, but I believe they have a roadmap to include support in TBD or the near future. (just food for thought)

Without the earlier diagnostics from the PA side, as mentioned earlier (show counter global filter severity drop aspect tunnel category flo), you are battling & swimming upstream. If the problem is only cosmetic at this point and not affecting your traffic, I would just ignore it unless you see major drops with enc/dec traffic from the actual tunnel. You can compare bytes sent & received (both ways) to get an idea of any loss. But like I said before, the wrong SPIs have 0% chance of being affected by IKEv1.
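As an added illustration of the two checks suggested in the post above (is UDP/4500 NAT-T traffic present, and which received SPIs are not among the SAs the firewall holds), here is a small Python script that is not part of the thread. It parses a constructed capture written in a simplified "src -> dst" form, not the exact FortiGate sniffer output, and takes the locally known SPIs as an assumed input.

```python
import re
from collections import Counter

# Constructed sample capture, written in a simplified "src -> dst" form rather
# than the exact FortiGate sniffer format. Addresses are documentation ranges.
SAMPLE_CAPTURE = """\
203.0.113.10 -> 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x10)
198.51.100.20 -> 203.0.113.10: ESP(spi=0xd4e5f607,seq=0x11)
203.0.113.10.4500 -> 198.51.100.20.4500: udp 136
198.51.100.20.4500 -> 203.0.113.10.4500: udp 136
198.51.100.20 -> 203.0.113.10: ESP(spi=0x0badf00d,seq=0x12)
203.0.113.10.500 -> 198.51.100.20.500: udp 232
"""

ESP_RE = re.compile(r"^(\S+) -> (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x[0-9a-f]+\)$", re.I)
UDP_RE = re.compile(r"^(\S+)\.(\d+) -> (\S+)\.(\d+): udp \d+$")


def analyse_capture(text, local_ip, known_spis):
    """Summarise a capture: whether UDP/4500 (NAT-T) traffic is present, how many
    ESP packets carry each SPI, and which inbound SPIs are absent from known_spis.
    known_spis is the set of SPIs of the SAs the local firewall currently holds
    (assumed here to be read off the firewall's own tunnel listing)."""
    nat_t_seen = False
    per_spi = Counter()
    unknown_inbound = set()
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            dst, spi = m.group(2), int(m.group(3), 16)
            per_spi[spi] += 1
            # Only packets addressed to us can trigger "unknown SPI" locally.
            if dst == local_ip and spi not in known_spis:
                unknown_inbound.add(spi)
            continue
        m = UDP_RE.match(line)
        if m and "4500" in (m.group(2), m.group(4)):
            nat_t_seen = True  # UDP-encapsulated ESP/IKE on 4500: NAT-T in play
    return {"nat_t": nat_t_seen, "per_spi": dict(per_spi),
            "unknown_inbound_spis": unknown_inbound}


if __name__ == "__main__":
    known = {0xC1A2B3C4, 0xD4E5F607}  # constructed: our outbound and inbound SPIs
    print(analyse_capture(SAMPLE_CAPTURE, "203.0.113.10", known))
```

An inbound SPI that shows up here but not in the firewall's own SA list is exactly the packet the "unknown SPI" message complains about, which is why both sides' SA listings are needed to see who holds the stale SA.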
huyhoang8344

Dear all, is there any way to put in a local SPI and remote SPI to the current VPN IPsec tunnel in OS 5.2?
huyhoang8344

I'm using OS 5.2. Now I think the SPI is not matching at both ends at that time. Is there any way to put the SPI in the current auto-key tunnel? Thanks
emnoc
Esteemed Contributor III

I'm using OS 5.2. Now I think the SPI is not matching at both ends at that time. Is there any way to put the SPI in the current auto-key tunnel?
Are you sure or just guessing? Did you do any of the other suggested stuff, since you have another firewall that's 1> not a Fortigate, 2> what SA parameters are ????s, 3> what diagnostic collection efforts were used (seems to be none from the PA side). FWIW: You can't troubleshoot and correct VPN SPI errors single-sided. You need to work with the FGT and PA. And to answer the question without being too short, no, you can't just put the SPI into the auto-key. It's negotiated between both parties. This is why you need to work with the PA firewall engineer. If the problem is purely cosmetic only, and traffic flows and works, I would ignore it. But if you really want to fix it, you need to collect diagnostics from both sides and fix the values. It might even be a PANOS or FORTIOS (unlikely but who knows) issue and a simple upgrade will fix the issue. But the 1st step is to get both sides' diagnostics and then follow the trail of evidence. Just my 2cts.
jorge9090
New Contributor

I once had the same issue with 2 Fortigates with policy VPNs, and we had to reboot the firewalls to have the tunnel working again. After the third time the problem showed up, we deleted the policy VPNs and created a route-based tunnel, and that solved the problem. I don't remember the version of FortiOS on the firewalls, but it seems to be a bug; I don't know if it is a "Known Issue" by Fortinet.