ESP packets dropped with error "cannot handle IPv4 host bound ESP/AH packet"

62144

Created On 09/25/18 19:44 PM - Last Modified 01/22/26 03:38 AM

IPSec

VPNs

PAN-OS

Strata

Symptom

IPSec tunnel is up, but the traffic fails to pass through.
Global counters show packet drops with error "ESP/AH host bound packet comes before tunnel finishes installation".

> show counter global filter delta yes packet-filter yes | match drop
flow_host_slowpath_drop       1        0    drop      flow   tunnel   ESP/AH host bound packet comes before tunnel finishes installation

In some versions, the global counters may show the following counter with error "ESP/AH packet comes before tunnel finishes installation"

> show counter global filter delta yes packet-filter yes | match drop
flow_tunnel_fastpath_race     240      0 info      flow      tunnel    ESP/AH packet comes before tunnel finishes installation

Packet diag logs may display "Packet dropped, cannot handle IPv4 host bound ESP/AH packet".

Environment

Palo Alto Firewalls
Supported PAN-OS
IPSec VPN

Cause

ESP traffic ingresses on a different interface than the IPSec VPN terminating interface, and the terminating interface is either a non-loopback interface or belongs to a different security zone or VSYS.

Resolution

If the IPSec VPN terminating interface is a non-loopback interface (e.g., an Ethernet interface), create a new loopback interface with a new local address, associate the IKE gateway with this loopback interface and address, and update the peer VPN device with the new peer address.
Go to GUI: Network > Interfaces. and check the VSYS and Security Zones of the interfaces configured for the tunnel.
Configure both the interfaces in the same security zone and same VSYS.
Commit the configuration and recheck.
If the issue is not resolved open a Support case.

ESP packets dropped with error "cannot handle IPv4 host bound ESP/AH packet"

Symptom

Environment

Cause

Resolution

Other users also viewed: