Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Bob_Shaw
New Contributor

site to site VPN esp error

I'm having some problems with a site-to-site VPN connection to our external data center. The errors are occurring randomly and only get resolved after bringing down the tunnel. The error message says "Invalid ESP packet detected (replayed packet)." The data center uses a Juniper device.

Trying to find out what can cause these errors so I know where to look. Anyone encountered this error before who can point me in the right direction? Did a search and haven't found anything on these forums.

I'm using a FGT80C w/ v5.0,build3608 (GA Patch 7).

7 REPLIES
rwpatterson
Valued Contributor III

In the phase 2 setting, uncheck the "Enable replay detection". You may need to do the same on the Juniper end.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
emnoc
Esteemed Contributor III

Look at your diag vpn tunnel list name <insert name>. Do you see replay counters or a window set?

i.e.

replaywin=0

On the Juniper, assuming an SRX, you need to look at the IPsec stats.

e.g.

show sec ipsec stats

Replay could be an attack, bad network path(s), ECMP downwind, etc. If you don't need replay protection, disable it, but be aware you won't have this protection.

PCNSE NSE StrongSwan
Rewanta_FTNT
Staff

Hi,

> "Invalid ESP packet detected (replayed packet)."

This indicates that the FGT received ESP packets with a sequence number it had already received on an existing IPsec SA.

However, it is possible to see the same ESP sequence number once the 32-bit ESP sequence number has been fully used and starts again from 1. This is possible when the IPsec SA lifetime is too long and there is a huge volume of traffic.

You can verify this by capturing the ESP/UDP 4500 (in case of NAT-T) packets, checking them in Wireshark, and finding the Sequence Number field in the ESP header. Of course, Wireshark will report this error for a duplicate sequence number anywhere in the pcap.

#diag sniffer packet any 'host <local-gw-ip> and host <remote-gw-ip>' 6 0 a

You can also decrypt the ESP packets and check the IP ID in the inner IP header of the ESP payload: they are different, so the "replayed" packets are totally different packets.

You can follow the KB below for ESP decryption.

http://kb.fortinet.com/kb...ateId=0%200%2067772648

Hope this helps.

Rewanta
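The sequence-number check behind that log message, as an added Python example (not from this thread or from Fortinet): it reads the SPI and 32-bit sequence number from constructed ESP headers and runs them through a 64-packet sliding window of the kind replaywin reports, so a true duplicate, a packet that fell behind the window, and the restart-at-1 wrap case each show up as a drop. The SPI and sequence values are made up for the demonstration.

```python
import struct

ESP_HDR = struct.Struct("!II")  # RFC 4303 ESP header: SPI, then 32-bit sequence number
WINDOW = 64                     # anti-replay window size, what "replaywin" reports on a FortiGate


class AntiReplay:
    """Sliding-window replay check for one inbound SA (32-bit sequence numbers, no ESN)."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmap of received numbers in the window; bit i = highest - i

    def check(self, seq):
        if seq == 0:
            return "invalid"      # the first packet on a fresh SA carries seq 1
        if seq > self.highest:    # window slides forward, new packet becomes bit 0
            shift = seq - self.highest
            self.seen = ((self.seen << shift) & ((1 << self.window) - 1)) | 1
            self.highest = seq
            return "accepted"
        diff = self.highest - seq
        if diff >= self.window:
            return "too old"      # left of the window: dropped, logged as a replay
        if self.seen & (1 << diff):
            return "replayed"     # same number already received on this SA
        self.seen |= 1 << diff
        return "accepted"         # late but unseen, in-window packet


def esp_seq(packet):
    """Return (spi, seq) from the start of a raw ESP packet."""
    return ESP_HDR.unpack_from(packet)


def audit(packets):
    """Run each packet through the window of its own SA; return (spi, seq, verdict) tuples."""
    sas = {}
    return [(spi, seq, sas.setdefault(spi, AntiReplay()).check(seq))
            for spi, seq in map(esp_seq, packets)]


def sample():
    """Constructed packets on one hypothetical SA (SPI 0xC0FFEE): a reorder, a true duplicate,
    a packet behind the window, and a sequence that restarted at 1 after 0xFFFFFFFF (the wrap)."""
    seqs = [1, 2, 3, 5, 4, 3, 70, 5, 0xFFFFFFFF, 1]
    return [ESP_HDR.pack(0xC0FFEE, s) + b"\x00" * 16 for s in seqs]


if __name__ == "__main__":
    for spi, seq, verdict in audit(sample()):
        print(f"spi=0x{spi:x} seq={seq:<10d} {verdict}")
```

Only the "replayed" verdict is a genuine duplicate; the two "too old" drops are what the restart-at-1 case and a badly delayed path look like to the receiver.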
Armando_Gomez_Barrio

Good day,

Has someone found how to solve the problem?

Best regards,

Armando.

Armando Gómez
Paul_S

any updates?

FG200D 5.6.5 (HA) - primary FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
pdbest_khatri

Disable Replay Detection in Phase 2 settings of IPsec VPN.

emnoc
Esteemed Contributor III

Correct, disable that and you should not get any warnings or errors.

PCNSE NSE StrongSwan