How to mitigate an abnormal increase in "flow_tunnel_ipsec_auth_failed" global counter

Created On 11/21/23 19:04 PM - Last Modified 11/27/23 15:51 PM


Objective


  • To mitigate an abnormal increase in flow_tunnel_ipsec_auth_failed global counter.
> show counter global filter delta yes severity drop
....
name                            value    rate severity  category  aspect   description
--------------------------------------------------------------------------------
flow_tunnel_ipsec_auth_failed       3       0 drop      flow      tunnel   Packet dropped: Authentication failed
  • The flow_tunnel_ipsec_auth_failed counter increments each time an ESP packet received on an IPsec tunnel is dropped because it failed the integrity (authentication) check, i.e. the ICV computed by the firewall does not match the ICV carried in the packet.
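An added example (not part of the KB article) of turning the CLI output above into an alert. It parses periodic samples of "show counter global filter delta yes severity drop" and flags any sample in which flow_tunnel_ipsec_auth_failed grew faster than a chosen per-minute threshold. The sample tables are constructed text in the layout of the command's table; the threshold, interval and the SAMPLE_* names are assumptions for illustration.

```python
"""Flag an abnormal rise of flow_tunnel_ipsec_auth_failed from periodic samples
of 'show counter global filter delta yes severity drop'.

Added example, not from the KB article. The samples are constructed text in the
layout of the CLI table; in practice collect them over SSH or the XML API at a
fixed interval.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

COUNTER = "flow_tunnel_ipsec_auth_failed"


class Counter(NamedTuple):
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# One table row: name value rate severity category aspect description...
# The header row does not match because its "value" column is not numeric.
ROW_RE = re.compile(
    r"^(?P<name>[a-z0-9_]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<description>.+)$"
)


def parse_counters(text: str) -> Dict[str, Counter]:
    """Turn the CLI table into {counter_name: Counter}; non-row lines are skipped."""
    out: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            out[m["name"]] = Counter(int(m["value"]), int(m["rate"]), m["severity"],
                                     m["category"], m["aspect"], m["description"].strip())
    return out


def auth_fail_per_minute(sample: str, interval_s: float) -> float:
    """Authentication drops per minute in one sample.

    With 'delta yes' the value column is the change since the previous
    invocation, and a counter that did not change is not printed at all,
    so a missing row means zero.
    """
    c = parse_counters(sample).get(COUNTER)
    delta = c.value if c else 0
    return delta * 60.0 / interval_s


def abnormal_samples(samples: List[str], interval_s: float,
                     max_per_minute: float = 5.0) -> List[Tuple[int, float]]:
    """(index, per-minute rate) of every sample above the threshold.

    A small steady trickle from an unstable tunnel is expected; a jump is the
    condition the procedure below is meant to investigate.
    """
    rates = ((i, auth_fail_per_minute(s, interval_s)) for i, s in enumerate(samples))
    return [(i, r) for i, r in rates if r > max_per_minute]


# Constructed samples (assumed 60-second polling interval).
SAMPLE_QUIET = """\
name                            value    rate severity  category  aspect   description
--------------------------------------------------------------------------------
flow_tunnel_ipsec_auth_failed       3       0 drop      flow      tunnel   Packet dropped: Authentication failed
"""
SAMPLE_NONE = """\
name                            value    rate severity  category  aspect   description
--------------------------------------------------------------------------------
"""
SAMPLE_BURST = """\
name                            value    rate severity  category  aspect   description
--------------------------------------------------------------------------------
flow_tunnel_ipsec_auth_failed    2400      40 drop      flow      tunnel   Packet dropped: Authentication failed
"""

if __name__ == "__main__":
    for idx, rate in abnormal_samples([SAMPLE_QUIET, SAMPLE_NONE, SAMPLE_BURST], 60):
        print(f"sample {idx}: {rate:.0f} auth failures/min, investigate the tunnel")
```

Tune max_per_minute to the baseline you observe on a healthy tunnel; a rekey or a brief outage can produce a handful of drops without indicating a problem.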


Environment


  • Next Generation Firewall
  • Supported PAN-OS
  • IPsec VPN Tunnel
  • flow_tunnel_ipsec_auth_failed global counter


Procedure


  1. Inspect the firewall system logs (MONITOR > Logs > System) using the filter (subtype eq vpn). Identify which IPsec VPN tunnel is down, unhealthy or unstable.
  2. Based on your findings in step 1, take a packet capture of the ESP packets for that tunnel and decrypt them, using the articles listed under Additional Information as a reference.
  3. Check whether the decrypted ESP packet is corrupted. If it is, check whether a device positioned between the tunnel endpoints is modifying those packets. Work with the vendor of the intermediate device, or the party responsible for it, to resolve the problem.
  4. Compare the tunnel configuration on both ends of the tunnel to verify that the protocol, authentication algorithm and encryption algorithm match, and that the local IP, SPI and proxy ID IP of one end equal the remote IP, SPI and proxy ID IP of the other. Use the following command on the PAN-OS firewalls for that:
> show running tunnel flow name <value>
  5. Ensure that there are no interoperability issues between the peers of the IPsec tunnel. For example, the NGFW drops an ESP packet if the ESP next header does not match the payload.
  6. If the firewall continues to see an abnormal increase of the flow_tunnel_ipsec_auth_failed global counter despite the steps above, collect the firewall's tech support file and consider contacting Palo Alto Networks customer support for further assistance.
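An added example (not code from the KB article or from PAN-OS) of the check that steps 3 and 4 are chasing: ESP integrity (ICV) verification, the step whose failure increments flow_tunnel_ipsec_auth_failed. It builds ESP packets with a constructed SPI, sequence number, keys and payload, then verifies them as the receiving end would, and maps a failure onto the two causes in the procedure: a packet altered in transit (step 3) or peers that disagree on the integrity algorithm or key (step 4). The SPI check and the diagnose/demo helpers are illustrative assumptions; only the integrity check is modelled, since decryption and the next-header check of step 5 happen after this check passes.

```python
"""ESP integrity check (ICV verification) as the receiving end performs it.

Added example, not code from the KB article or PAN-OS. SPI, sequence number,
keys and payload bytes are constructed; in a real case the packet comes from
your capture and the SA parameters from 'show running tunnel flow' on both
peers (the keys themselves are never exposed by the firewall).
"""
import hmac
import struct
from typing import Dict, Optional

# Truncated ICV lengths for the integrity algorithms IPsec commonly negotiates:
# HMAC-SHA1-96 (RFC 2404) and HMAC-SHA-256-128 (RFC 4868).
ICV_LEN = {"sha1": 12, "sha256": 16}


def build_esp(spi: int, seq: int, encrypted_payload: bytes, auth_key: bytes, algo: str) -> bytes:
    """Sender side: SPI | Seq | payload | ICV, with the ICV over everything before it."""
    body = struct.pack("!II", spi, seq) + encrypted_payload
    icv = hmac.new(auth_key, body, algo).digest()[: ICV_LEN[algo]]
    return body + icv


def verify_esp(pkt: bytes, auth_key: bytes, algo: str) -> bool:
    """Receiver side: recompute the ICV over SPI|Seq|payload and compare in constant time."""
    n = ICV_LEN[algo]
    if len(pkt) < 8 + n:
        return False
    protected, icv = pkt[:-n], pkt[-n:]
    expected = hmac.new(auth_key, protected, algo).digest()[:n]
    return hmac.compare_digest(expected, icv)


def diagnose(pkt: bytes, inbound_spi: int, local_key: bytes, local_algo: str,
             peer_key: Optional[bytes] = None, peer_algo: Optional[str] = None) -> str:
    """Map the outcome of the check onto the causes in the procedure (assumed labels).

    inbound_spi/local_key/local_algo describe this end's inbound SA; peer_key/
    peer_algo describe the SA as the remote peer configured it, known only because
    both ends were compared in step 4.
    """
    spi = struct.unpack("!I", pkt[:4])[0]
    if spi != inbound_spi:
        # Not an authentication failure: the packet matches no inbound SA at all.
        return "spi-mismatch"
    if verify_esp(pkt, local_key, local_algo):
        return "ok"
    if peer_key is None or peer_algo is None:
        return "auth-failed"  # cause unknown without the peer's parameters
    if verify_esp(pkt, peer_key, peer_algo):
        # The peer's own ICV is consistent, so nothing changed in transit:
        # the two ends disagree on algorithm or key (step 4).
        return "sa-mismatch"
    # Both ends agree and the ICV still fails: bytes changed between the endpoints (step 3).
    return "modified-in-transit"


def demo() -> Dict[str, str]:
    """Constructed scenarios: healthy, one byte flipped by a middlebox, a peer using a
    different integrity algorithm and key, and a packet for an unknown SPI."""
    spi, local_key, peer_key = 0x0A1B2C3D, b"\x11" * 20, b"\x22" * 32
    payload = bytes(range(48))  # stands in for ciphertext plus ESP trailer
    good = build_esp(spi, 1, payload, local_key, "sha1")
    flipped = bytearray(good)
    flipped[20] ^= 0x01  # one payload byte altered in transit
    mismatched = build_esp(spi, 2, payload, peer_key, "sha256")
    return {
        "good": diagnose(good, spi, local_key, "sha1", local_key, "sha1"),
        "flipped": diagnose(bytes(flipped), spi, local_key, "sha1", local_key, "sha1"),
        "mismatched": diagnose(mismatched, spi, local_key, "sha1", peer_key, "sha256"),
        "wrong_spi": diagnose(good, spi + 1, local_key, "sha1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} -> {result}")
```

The "mismatched" case is why step 4 compares algorithms and SPIs on both ends before suspecting the path: a packet whose ICV is valid under the peer's parameters was delivered intact, and the fix is configuration, not the intermediate device.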


Additional Information


How to Troubleshoot IPSec VPN connectivity issues.
How to troubleshoot no traffic flow through IPsec tunnel.



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008VyHCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail