Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- VPN IPSEC Error Received ESP packet with unknown ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN IPSEC Error Received ESP packet with unknown SPI.
Hi Guys,
I have 2 Tunnel IPSec VPN and both have same error, it happens randomly and when it happen seems like there is no traffic stream in the tunnel even the monitoring say that VPN is up.
I have been looking a lot but no solution so far. any suggestion would be great
Im using Fortigate 100D at my Site, the client site is PA 500
37 REPLIES 37
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the same issue and it all was an issue with my ISP. The ISP saw about 11 packets drop out off 1000 it sent. My WAN connection was set to auto and needed to be set to 100 MB Full Duplex. It was defaulting to 100 Half Duplex. After making the change the issue went from all the time every day to maybe 2 messages a month.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Brandy,
Interesting
i thought it was fixed but still go on and on again.
Could you please tell me more on this? in my country, it is not easy to tell ISP that there is something wrong with their device or something like that.
PLease kindly share your experience, the way you handle ISP as well
Regards
Hoang
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not have access to PA500 and all the output which was posted here and that is all i got so far..You can' t fix a vpn with wrong and/or invalid SPIs & from a one-side approach. You need to get access or some one on the PaloAlto side of the vpn, to give you the diagnostic outputs that was asked earlier. I bet your SA time-out values are not matching and one side is tearing down the SA and the other is expecting it' s up. But until you review the SA timeouts for both appliances and compare the values as Seconds|Bytes, your flat guessing in the dark. fwiw; a speed duplex issues , does not craft a wrong SPI value.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Emmoc,
I have reviewed SA time-out at both side, phase 1 is 28800 sec on Fortinet which is 8 hours on PA and phase 2 3600 sec on Fortinet which is 1 hour on PA. Seems all values are matching.
If i am using Nat-T on Fortinet then the errors rarely happen like 2 errors messages in 2 days but still randomly? Does it mean my ISP is using NAT and this is the main reason for that error messages?
Looking forward to your reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Speed Duplex issues don' t craft a wrong SPI value but dropped packets due to incorrect speed issues can cause all types of issues.
I actually didn' t tell my ISP that they had it wrong, just that we were getting ESP errors on port 500 and 4500. They tracked down the packet loss and we reviewed what the port settings needed to be for the physical connection to the ISP' s equipment. Correcting this settings made the packet loss go away and the errors as well.
Brady
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe, but you can monitor the diag vpn ike gateway output from the cli. If any remote-gateway is using a port that' s 4500/udp for the destination, than NAT-T is involved. If your using rfc1918 address for the tunnel end-points, than NAT-T is an issue.
e.g
diag sniffer packet wan1 " udp and port 4500"
I personally think IKEv2 would be beneficial here for NAT-T concerns. It' s natively supports NAT transversals and is support by almost all major firewalls and FGT has supported this since as early as 3.0 FortiOS iirc., BUT PANOS still has no support for it , but I believe they have a roadmap to include support in TBD or near future. ( just food for thought )
Without the earlier diagnostics from the PA side, as mention earlier.
show counter global filter severity drop aspect tunnel category flo
You are battling & swimming upstream.
If the problem is only cosmetic at this point and not effecting your traffic, I would just ignore unless you see major drops with enc/dec traffic from the actual tunnel. You can compare byte sent & received ( both-ways ) to get an ideal of any loss.
But like I said before, the wrong SPIs has 0% of chance of being effected by IKEv1.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear all,
there is anyway to put-in local SPI and remote SPI to current VPN IPsec tunnel in OS 5.2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im using OS 5.2. now i think the SPI is not matching at both end at that time.
Is there anyway to put SPI in current auto key tunnel?
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im using OS 5.2. now i think the SPI is not matching at both end at that time. Is there anyway to put SPI in current auto key tunnel?Are you sure or just guessing ? Did you do any of the other suggest tsuff since you have another firewall that' s 1>not a Fortigate 2> what SA parameters are ????s 3> what diagnostic collection efforts where used seems to be none from the PA side. FWIW: You can' t trouble-shoot and correct a VPN SPI errors single sided. You need to work with the FGT and PA. And to answer the question without being to short, no you can' t just put the SPI into the auto-key. It' s negotiated between both parties. This is why you need to work with the PA firewall engineer. If the problem is purely cosmetic only, and traffic flows ad works, I would ignore it. But if you want really to fix it, you need to collect diagnostics from both sides and fix the values. It might even be a PANOS or FORTIOS ( unlikely but who knows ) issue and a simple upgrade will fix the issue. But the 1st step is to get both sides diagnostics and then follow the trail of evidence. just my 2cts.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I once had the same issue with 2 Fortigates with policy vpns and we had to reboot the Firewalls to have the tunnel working again. After the third time the problem showed up, we deleted the policy vpns and created a route-based tunnel, that solved the problem. I don' t remember the version of FortiOS on the Firewalls but it seems to be a bug, i don' t know if it is a " Known Issue" by Fortinet.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,791 -
FortiClient
1,786 -
5.2
801 -
FortiManager
742 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
216 -
FortiWeb
210 -
5.0
196 -
FortiNAC
194 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
109 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
36 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
32 -
VDOM
31 -
FortiConnect
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
23 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1742 | |
| 1113 | |
| 759 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.