Site to site VPN with FEC ESP errors
I have a site to site VPN between an on-prem FortiGate 500E and a vFortiGate in Azure.
Due to the geographical distance between the FortiGates, I'm trying out Forward Error Correction (FEC) ingress and egress on both FortiGates to see if it can improve on lost UDP traffic (main issue: missing RADIUS packets).
To use FEC on VPN, Fortinet's documentation notes that NPU acceleration has to be disabled on the Phase1.
This has been done on the FGT500E as it can use NPU. The vFGT in Azure does not.
I’m seeing ESP errors in my VPN event log.
As FEC re-transmits some packets, this makes sense to me, as an ESP packet with a sequence number could be re-transmitted.
Of course, I could deactivate anti-replay on phase2 and the events would go away.
The official documentation that I have looked at, at docs.fortinet.com, does not say anything about ESP errors being a side-effect of enabling the feature.
I guess my question is, am I missing something? I find it a bit odd that I would have to disable a security feature to be able to make use of a reliability feature.
Labels: FortiGate
Looks like firmware upgrading the Azure vFortiGate from 6.4.9 => 7.0.12 has solved the issue with the ESP errors. At least I don't see them anymore after the upgrade.
Root cause remains unresolved on 6.4.9 though.
Hi @JonasV
Various errors can occur with ESP (Encapsulating Security Payload), but among them the most frequently encountered is "Invalid ESP Packet detected". If you encounter this particular error, it is highly probable that it is attributable to one of the following factors:
- The encrypted packet becomes corrupted in transit from the remote gateway to the local gateway.
- The remote gateway used the wrong cookie/key to encrypt.
- The local gateway calculated incorrectly.
You can check this link https://community.fortinet.com/t5/FortiGate/Explanation-of-the-Event-Log-error-quot-Invalid-ESP-pack...
Regards,
@KumarV
Indeed, you are right.
However, these errors started after I enabled FEC. They did not appear before.
Also, based on the nature of FEC, which re-uses transmitted packets, it makes sense why anti-replay would react to ESP packets with a sequence number that could already have been received.
I just was not expecting to see any errors, and I would expect FortiOS to somehow be able to "understand" that with FEC enabled, duplication of ESP packets may occur, hence "foresee" this and ignore it without me having to disable anti-replay.
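To illustrate the mechanism discussed above (a receiver's anti-replay window rejecting an ESP packet whose sequence number it has already accepted), here is an added Python model of the RFC 4303 Appendix A sliding-window check. It is not FortiOS code; the duplicated packet stream is constructed to mirror the hypothesis that FEC re-sends packets under an already-used sequence number, and the window size of 64 is an assumption.

```python
from collections import Counter

WINDOW = 64  # assumed receiver window size (RFC 4303 requires at least 32)


class AntiReplayWindow:
    """Receiver-side sliding window from RFC 4303 Appendix A (simplified)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.last_seq = 0  # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (last_seq - i) has been received

    def check(self, seq):
        """Classify one ESP sequence number and update the window state."""
        if seq < 1:
            return "stale"  # ESP sequence numbers start at 1
        if seq > self.last_seq:
            # New high-water mark: slide the window forward and mark seq received.
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
            return "accepted"
        diff = self.last_seq - seq
        if diff >= self.size:
            return "stale"  # too far behind the window: rejected, no state kept
        if (self.bitmap >> diff) & 1:
            return "duplicate"  # already received: the classic replay rejection
        self.bitmap |= 1 << diff  # late but unseen packet inside the window
        return "accepted"


def duplicated_stream(n, every=3, delay=2):
    """Constructed arrival order: sequence numbers 1..n, plus a re-sent copy of
    every `every`-th packet arriving `delay` packets later (models the hypothesis
    that FEC recovery re-injects packets with an already-used sequence number)."""
    arrivals = [(s, s) for s in range(1, n + 1)]
    arrivals += [(s + delay + 0.5, s) for s in range(every, n + 1, every)]
    return [s for _, s in sorted(arrivals)]


def simulate(stream, window=WINDOW):
    """Run a stream of sequence numbers through one window; count the verdicts."""
    w = AntiReplayWindow(window)
    return dict(Counter(w.check(s) for s in stream))


if __name__ == "__main__":
    print(simulate(duplicated_stream(12)))  # every re-sent copy becomes a rejection
```

A copy arriving more than one window behind is rejected as stale rather than as a duplicate; either way the receiver logs a rejection while the original traffic is still accepted.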
