Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VPN IPSEC Error Received ESP packet with unknown ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN IPSEC Error Received ESP packet with unknown SPI.
Hi Guys,
I have 2 Tunnel IPSec VPN and both have same error, it happens randomly and when it happen seems like there is no traffic stream in the tunnel even the monitoring say that VPN is up.
I have been looking a lot but no solution so far. any suggestion would be great
Im using Fortigate 100D at my Site, the client site is PA 500
37 REPLIES 37
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any thoughts about the QM selectors?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any thoughts about the QM selectors?seems like does not work. Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The tunnel is up but seem like the traffic can not pass through like, we have SIP trunk between both sides but when this errors come up, 2 PBX can not communicate with each other, i can not even ping the PBX at the other sideThe diag debug flow would be my 1st step e.g diag debug reset diag debug flow filter addr <pbx host or phone> diag debug flow show console enable diag debug flow trace start 100 That would get you start in the right direction.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The diag debug flow would be my 1st step e.g diag debug reset diag debug flow filter addr <pbx host or phone> diag debug flow show console enable diag debug flow trace start 100 That would get you start in the right direction.I got nothing from output. it just happens randomly, don' t know why and when it happens. Thank you
Any thoughts about the QM selectorsI have tried and let see it works or not. Thanks you in advance Regards, Hoang
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
id=13 trace_id=739 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236" id=13 trace_id=739 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1" id=13 trace_id=740 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.95.102.70:53->10.171.80.100:51451) from ppp1." id=13 trace_id=740 func=resolve_ip_tuple_fast line=4335 msg=" Find an existing session, id-0004e6a4, reply direction" id=13 trace_id=740 func=vf_ip4_route_input line=1603 msg=" find a route: gw-10.171.80.100 via Auto" id=13 trace_id=740 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=reply)" id=13 trace_id=740 func=insert_vlan_header line=53 msg=" insert vlan cos:0 id:9" id=13 trace_id=740 func=__if_queue_push_xmit line=364 msg=" send out via dev-port15, dst-mac-00:09:0f:b8:1b:40" id=13 trace_id=741 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:62305->10.95.102.70:53) from Wearnes." id=13 trace_id=741 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e6f8" id=13 trace_id=741 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1" id=13 trace_id=741 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8" id=13 trace_id=741 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt" id=13 trace_id=741 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)" id=13 trace_id=741 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1" id=13 trace_id=741 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236" id=13 trace_id=741 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1" id=13 trace_id=742 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:62851->10.95.102.70:53) from Wearnes." id=13 trace_id=742 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e6fe" id=13 trace_id=742 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1" id=13 trace_id=742 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8" id=13 trace_id=742 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt" id=13 trace_id=742 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)" id=13 trace_id=742 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1" id=13 trace_id=742 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236" id=13 trace_id=742 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1" id=13 trace_id=743 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.95.102.70:53->10.171.101.114:62305) from ppp1." id=13 trace_id=743 func=resolve_ip_tuple_fast line=4335 msg=" Find an existing session, id-0004e6f8, reply direction" id=13 trace_id=743 func=vf_ip4_route_input line=1603 msg=" find a route: gw-10.171.101.114 via Wearnes" id=13 trace_id=743 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=reply)" id=13 trace_id=743 func=insert_vlan_header line=53 msg=" insert vlan cos:0 id:9" id=13 trace_id=743 func=__if_queue_push_xmit line=364 msg=" send out via dev-port15, dst-mac-00:09:0f:b8:1b:40" id=13 trace_id=744 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:53123->10.95.102.70:53) from Wearnes." id=13 trace_id=744 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e703" id=13 trace_id=744 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1" id=13 trace_id=744 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8" id=13 trace_id=744 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt" id=13 trace_id=744 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)" id=13 trace_id=744 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1" id=13 trace_id=744 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236" id=13 trace_id=745 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=17, 10.171.101.114:55385->10.95.102.70:53) from Wearnes." id=13 trace_id=745 func=init_ip_session_common line=4430 msg=" allocate a new session-0004e704" id=13 trace_id=745 func=vf_ip4_route_input line=1603 msg=" find a route: gw-123.16.144.1 via ppp1" id=13 trace_id=745 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=8" id=13 trace_id=745 func=fw_forward_handler line=664 msg=" Allowed by Policy-25: encrypt" id=13 trace_id=745 func=__ip_session_run_tuple line=2558 msg=" run helper-dns-udp(dir=original)" id=13 trace_id=745 func=ipsec_tunnel_output4 line=818 msg=" enter IPsec tunnel-Tunel_1" id=13 trace_id=745 func=esp_output4 line=885 msg=" encrypting, and send to 203.120.202.66 with source 113.190.252.236" id=13 trace_id=744 func=ipsec_output_finish line=231 msg=" send to 123.16.144.1 via intf-ppp1"
id=13 trace_id=750 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=750 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=750 msg=" syned but no ack, drop" id=13 trace_id=751 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=751 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=751 msg=" syned but no ack, drop" id=13 trace_id=752 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=752 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=752 msg=" syned but no ack, drop" id=13 trace_id=753 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=753 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=753 msg=" syned but no ack, drop" id=13 trace_id=754 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=754 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=754 msg=" syned but no ack, drop" id=13 trace_id=755 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=755 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=755 msg=" syned but no ack, drop" id=13 trace_id=756 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=756 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=756 msg=" syned but no ack, drop" id=13 trace_id=757 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=757 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=757 msg=" syned but no ack, drop" id=13 trace_id=758 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=758 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=758 msg=" syned but no ack, drop" id=13 trace_id=759 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=759 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=759 msg=" syned but no ack, drop" id=13 trace_id=760 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=760 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=760 msg=" syned but no ack, drop" id=13 trace_id=761 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=761 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=761 msg=" syned but no ack, drop" id=13 trace_id=762 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=762 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=762 msg=" syned but no ack, drop" id=13 trace_id=763 msg=" vd-root received a packet(proto=6, 10.171.230.8:5060->10.98.230.8:5060) from vlan13." id=13 trace_id=763 msg=" Find an existing session, id-000040b1, original direction" id=13 trace_id=763 msg=" syned but no ack, drop"Here is the output, any suggest would be so great you guys. The VPN tunnel are still up but tracffic can not get through
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you may need to add the following at the end;
# diagnose debug enable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The second trace shows SIP traffic not completing. Is this traffic across the tunnel? Anyway, this could have many reasons. Mainly, the receiver does not respond, does not want to or is not able to because traffic is blocked. Hard to tell from here.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to agreed the SIP ( tcp ) is not being ACK.d Are you sure it' s tcp and not 5060/udp or 5061/udp as an alternative?
On the PA you can execute something similar to the diag debug flow;
debug dataplane packet-diag set filter match destination x.x.x.x>
debug dataplane packet-diag set filter match source < y.u.u.u>
debug dataplane packet-diag set filter on
debug dataplane packet-diag set log feature flow basic
debug dataplane packet-diag set log on
and then clear it when done;
debug dataplane packet-diag set log off
As you can see, it' s very fortinet and more juniper SRX like :)
On the SPI errors is this a policy-based vpn and encrypt action by ID25 ?
What if you built this as a route-based vpn would the SPI error still be present? If your only complaint is that of the invalid SPI, than I would not worry to much.
For the QM proxy-ids, they need to match what the PA500 has, Do you have access to the PA? Did you get any of the output that was suggested? and mainly the wrong SPI ?
Can you get the vpn tunnel statius via ?
show vpn ike-sa ( phase1 related goodies )
show vpn ipsec-sa ( phase2 related goodies )
Once again very SRX like.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have configured policy-based VPN and i have been searching around that route-based has the same issue and still not get fixed yet and the rule between 2 PBX is allowed for all Services and this traffic is across the tunnel so TCP or UDP should be OK
Both QM proxy-IDs are matched, that is why the tunnel is up and working fine until the errors came
I do not have access to PA500 and all the output which was posted here and that is all i got so far..
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First i want to thank emnoc and ede_pfau. based on your advices i have just fixed this issue apparently.
Second, i want to update a little bit how i fix it. As said i do not have access to PA 500 so i do not know what kind of VPN configuration that device have so i was using policy based VPN which is easier than route-based VPN and the problem happens on and on randomly. Now i have changed to route-based VPN then there is no errors messages anymore. Seems like PA500 is configured as route based VPN
Thanks all of you
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,791 -
FortiClient
1,786 -
5.2
801 -
FortiManager
742 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
216 -
FortiWeb
210 -
5.0
196 -
FortiNAC
194 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
109 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
36 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
32 -
VDOM
31 -
FortiConnect
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
23 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1742 | |
| 1113 | |
| 759 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.