Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
huyhoang8344
New Contributor

VPN IPSEC Error Received ESP packet with unknown SPI.

Hi guys, I have 2 IPsec VPN tunnels and both have the same error. It happens randomly, and when it happens there seems to be no traffic flowing in the tunnel even though the monitoring says the VPN is up. I have been looking a lot but found no solution so far. Any suggestion would be great. I'm using a FortiGate 100D at my site; the client site is a PA 500.
Istvan_Takacs_FTNT

You can try to run the following in the CLI:
# diagnose debug application ike -1
# diagnose debug enable
That would give you a nice long output. When you have had enough, disable it:
# diagnose debug disable
and have a look to see if you can find anything strange.
# diagnose sniffer packet <ipsec interface> "udp and dst port 500"
can display any communication issue between the initiator and responder. If you can keep it running until the next outage, it might report some error that helps to troubleshoot the issue. In the meantime have a look at the other logs. If it randomly gets dropped, that might be the result of unreliable connectivity/interface issues, not necessarily on the Fortigate (especially if it thinks that the VPN is up).
huyhoang8344
New Contributor

Thanks for your response. I did try all those things you said but have not found anything yet. Any advice would be appreciated.
emnoc
Esteemed Contributor III

Have you matched the P2 config on the Palo Alto and the FGT? And what version of PAN-OS are you running?

PCNSE 

NSE 

StrongSwan  

huyhoang8344
New Contributor

Hi emnoc, I have checked P2 on both ends: keylife, encryption, authentication. They are OK. Using IKE version 1. I am sorry but I don't understand what PAN-OS is. Regards, Hoang
ede_pfau
Esteemed Contributor III

You might be getting these messages because either the idle timeouts on both sides differ, or the PA device does not recognize the keep-alive packets correctly and so times out. Do you have "auto key" or "keepalive" active on the FGT? Phase 1 or phase 2?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
huyhoang8344

I do have "keepalive" on the FGT, phase 2. I have checked and both sites have the same config. No idea what is going on here.
ede_pfau
Esteemed Contributor III

I see that you use address names in the Quick Mode selectors. This might not be related but if building a VPN to a non-Fortigate gateway it is best to use plain IP addresses/subnets. If you are using Autokey keepalives on the FGT side it might be that the other device ignores these, and idles out. Anyway, I would not be worried too much as long as the tunnel is up when you need it.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
huyhoang8344

Thanks Ede. The tunnel is up but it seems like traffic cannot pass through. We have a SIP trunk between both sides, but when this error comes up the 2 PBXs cannot communicate with each other; I cannot even ping the PBX at the other side.
emnoc
Esteemed Contributor III

PAN-OS = Palo Alto Networks OS, the software that runs the PA. Invalid SPIs are most likely in phase 2, so the IKE debug is not going to help; in my experience these are seen when a new SPI switches over, or when one side expires an SA by bytes sent or seconds before the other. Here's what I would do: monitor the IPsec SA on the FGT:
diag vpn tunnel list name <the tunnel name> | grep spi
On the PA500 monitor the counters for the tunnels and drops:
show vpn flow tunnel-id <ID> | match spi
(to get the current SPIs; they should match the FGT in/out from the above command)
show counter global filter severity drop
show counter global filter severity drop aspect tunnel category flow
(look for the bad or wrong SPI counter)
Also you should monitor the keylife for the SAs (in & out); they should be almost identical. I think on the PA you can set the timeout to seconds only and not the number of bytes, but I will have to check my PA200 for that.

PCNSE 

NSE 

StrongSwan
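The cross-check emnoc describes (FGT dec SPI must equal the PA outbound SPI, FGT enc SPI must equal the PA inbound SPI, and the keylife on both ends should be nearly identical) can be scripted against pasted CLI output. The following is an added example and not code from the thread, Fortinet or Palo Alto. Both samples are constructed: the FortiOS lines follow the shape of `diagnose vpn tunnel list` output, while the PAN-OS field labels (`inbound SPI:`, `lifetime total:`) are an assumption about the `show vpn flow tunnel-id` format, so adjust the regexes to what your firmware actually prints.

```python
"""Cross-check IPsec SA state between a FortiGate and a Palo Alto peer.

Added example; not code from the thread or from either vendor. Parses
constructed, abbreviated FortiOS `diagnose vpn tunnel list name <tunnel>` and
PAN-OS `show vpn flow tunnel-id <id>` output and reports SPI or keylife
mismatches, which are what produce "Received ESP packet with unknown SPI".
"""
import re

# Constructed FortiOS sample, abbreviated to the lines the checks need.
FGT_SAMPLE = """\
name=to_pa500 ver=1 serial=1 203.0.113.10:0->198.51.100.20:0
proxyid=to_pa500 proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/16:0
  dst: 0:10.2.0.0/16:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42636/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=4e8f1a2b esp=aes key=16 00000000000000000000000000000000
  enc: spi=9c3d5e6f esp=aes key=16 00000000000000000000000000000000
"""

# Constructed PAN-OS sample; the field labels are an assumption about the format.
# Healthy state: SPIs are mirror images of the FGT's and keylife is the same.
PA_SAMPLE_OK = """\
tunnel  to_fgt100d
        id:                     1
        inbound SPI:            9C3D5E6F
        outbound SPI:           4E8F1A2B
        lifetime remain:        42600 sec
        lifetime total:         43200 sec
"""

# Same peer configured with a shorter keylife: it has already rekeyed while the
# FGT still holds the old SA, so ESP arriving with SPI 7a7a7a7a is "unknown".
PA_SAMPLE_STALE = """\
tunnel  to_fgt100d
        id:                     1
        inbound SPI:            0B0B0B0B
        outbound SPI:           7A7A7A7A
        lifetime remain:        3420 sec
        lifetime total:         3600 sec
"""


def parse_fgt(text):
    """Extract inbound/outbound SPIs and the seconds-based keylife from FortiOS output."""
    dec = re.search(r"dec:\s+spi=([0-9a-fA-F]+)", text)
    enc = re.search(r"enc:\s+spi=([0-9a-fA-F]+)", text)
    life = re.search(r"life:.*?timeout=(\d+)/(\d+)", text)
    if not (dec and enc and life):
        raise ValueError("FortiGate SA fields not found")
    return {
        "in_spi": dec.group(1).lower(),   # SPI the FGT expects on received ESP
        "out_spi": enc.group(1).lower(),  # SPI the FGT puts on ESP it sends
        "life_remaining": int(life.group(1)),
        "life_total": int(life.group(2)),
    }


def parse_pa(text):
    """Extract the same fields from (assumed) PAN-OS 'show vpn flow' output."""
    inb = re.search(r"inbound SPI:\s+([0-9a-fA-F]+)", text)
    outb = re.search(r"outbound SPI:\s+([0-9a-fA-F]+)", text)
    rem = re.search(r"lifetime remain:\s+(\d+)", text)
    tot = re.search(r"lifetime total:\s+(\d+)", text)
    if not (inb and outb and rem and tot):
        raise ValueError("Palo Alto SA fields not found")
    return {
        "in_spi": inb.group(1).lower(),
        "out_spi": outb.group(1).lower(),
        "life_remaining": int(rem.group(1)),
        "life_total": int(tot.group(1)),
    }


def compare(fgt, pa):
    """Return a list of problems; an empty list means SPIs mirror and keylife agrees."""
    problems = []
    # The FGT decrypts with the SPI the PA encrypts with, and vice versa.
    if fgt["in_spi"] != pa["out_spi"]:
        problems.append(f"FGT dec spi {fgt['in_spi']} != PA outbound spi {pa['out_spi']}: "
                        "FGT will drop PA traffic as unknown SPI")
    if fgt["out_spi"] != pa["in_spi"]:
        problems.append(f"FGT enc spi {fgt['out_spi']} != PA inbound spi {pa['in_spi']}: "
                        "PA will drop FGT traffic as unknown SPI")
    # Unequal keylife means one side rekeys first while the other keeps the old SA.
    if fgt["life_total"] != pa["life_total"]:
        problems.append(f"keylife differs: FGT {fgt['life_total']}s vs PA {pa['life_total']}s")
    return problems


if __name__ == "__main__":
    fgt = parse_fgt(FGT_SAMPLE)
    for label, sample in (("ok", PA_SAMPLE_OK), ("stale", PA_SAMPLE_STALE)):
        print(label, compare(fgt, parse_pa(sample)) or ["no mismatch"])
```

Run it once while the tunnel is passing traffic and again the next time the error appears; if the SPIs only diverge at the outage, the rekey race emnoc describes is the cause and the keylife (seconds and bytes) should be aligned on both peers.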