Palo Alto Networks Knowledgebase: IPSec Tunnel is Up but Packet is Getting Dropped with Wrong SPI Counter Increase

Created On 09/25/18 19:10 PM - Last Updated 09/25/18 23:10 PM

Issue

Phase 1 and Phase 2 are up for the IPSec tunnel, but packets are being dropped somewhere. In the global counter output, one or more of the following counters increment at the same time:

  • flow_tunnel_decap_err
  • flow_tunnel_ipsec_wrong_spi
  • flow_tunnel_natt_nomatch

From the peer end, outbound traffic is working normally.

The following CLI outputs show an example of the global counters with this issue:

    > show counter global filter severity drop aspect tunnel category flow
    flow_tunnel_encap_err            38      0 drop    flow   tunnel   Packet dropped: tunnel encapsulation error
    flow_tunnel_decap_err        705072      2 drop    flow   tunnel   Packet dropped: tunnel decapsulation error
    flow_tunnel_encap_nested         38      0 drop    flow   tunnel   Packet dropped: nested tunnel decapsulation
    flow_tunnel_ipsec_wrong_spi  705074      2 drop    flow   tunnel   Packet dropped: IPsec SA for spi in packet not found

    > show counter global filter severity drop aspect tunnel category flow
    flow_tunnel_natt_nomatch         11      0 drop    flow   tunnel   Packet dropped: IPSec NATT packet without session SPI match

Details

In the ESP header, the sequence number field is used to protect the communication against replay attacks. If a packet arrives at the firewall and its sequence number differs from that of the previously received packets by more than the replay window size, it is treated as a replayed packet and dropped by the firewall. This can happen when the connection is not stable or packets do not arrive in order.

Resolution

Go to Network > IPSec Tunnels > General tab and disable 'replay protection' to resolve the issue. Click 'show advanced options' if this option is not displayed.

After 'replay protection' is disabled, the firewall will accept those packets even if their sequence-number difference is larger than the replay window size. Disabling 'replay protection' may leave the network vulnerable to replay attacks, so this should be used with caution and applied only if no other solution is possible.
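To make the Details and Resolution sections concrete, the following simulation (an added example, not code from this article or from PAN-OS) implements an RFC 4303-style anti-replay sliding window. The window size of 64 and the arrival order are assumed values; it shows that a packet delayed but still inside the window is accepted, that a packet arriving after the window has moved past it is dropped, and that switching replay protection off accepts everything.

```python
from collections import Counter


class AntiReplayWindow:
    """Sliding-window replay check in the style of RFC 4303 (simulation only)."""

    def __init__(self, size=64, enabled=True):
        self.size = size        # window width in packets; assumed value
        self.enabled = enabled  # False models 'replay protection' switched off
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence (top - i) already seen

    def check(self, seq):
        """Return 'accept', 'drop-replay' or 'drop-old' for one ESP sequence number."""
        if not self.enabled:
            return 'accept'     # no window: late and duplicate packets both pass
        if seq > self.top:      # ahead of the window: slide it forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return 'accept'
        diff = self.top - seq
        if diff >= self.size:   # fell behind the window: the drop this article describes
            return 'drop-old'
        if self.bitmap & (1 << diff):
            return 'drop-replay'  # genuine duplicate inside the window
        self.bitmap |= 1 << diff
        return 'accept'


def simulate(arrivals, size=64, enabled=True):
    """Feed a constructed arrival order through the window and tally the verdicts."""
    window = AntiReplayWindow(size, enabled)
    return Counter(window.check(seq) for seq in arrivals)


# Constructed arrival order: 1..70 in sequence except that packet 65 is delayed
# and arrives after 70 (still inside the 64-packet window), then packet 3
# arrives far too late (the window has already moved past it).
ARRIVALS = [s for s in range(1, 71) if s != 65] + [65, 3]

if __name__ == "__main__":
    print("replay protection on :", dict(simulate(ARRIVALS)))
    print("replay protection off:", dict(simulate(ARRIVALS, enabled=False)))
```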

owner: mzhou
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUyCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail