ESP packets dropped with error "cannot handle IPv4 host bound ESP/AH packet"

Created On 09/25/18 19:44 PM - Last Modified 10/07/25 20:16 PM


Symptom


  • IPSec tunnel is up, but the traffic fails to pass through.
  • Global counters show packet drops with error "ESP/AH host bound packet comes before tunnel finishes installation".
> show counter global filter delta yes packet-filter yes | match drop
flow_host_slowpath_drop       1        0    drop      flow   tunnel   ESP/AH host bound packet comes before tunnel finishes installation
  • In some versions, the global counters may show the following counter with the error "ESP/AH packet comes before tunnel finishes installation":
> show counter global filter delta yes packet-filter yes | match drop
flow_tunnel_fastpath_race 240 0 info flow tunnel ESP/AH packet comes before tunnel finishes installation
  • Packet diag logs may display "Packet dropped, cannot handle IPv4 host bound ESP/AH packet".


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • IPSec VPN


Cause


The ingress interface of the ESP packet and the IPSec VPN terminating interface are in different security zones or different VSYS.



Resolution


  1. In the GUI, go to Network > Interfaces and check the VSYS and security zones of the interfaces configured for the tunnel.
  2. Configure both interfaces in the same security zone and the same VSYS.
  3. Commit the configuration and recheck.
  4. If the issue is not resolved, open a Support case.

