ESP packets dropped with error "cannot handle IPv4 host bound ESP/AH packet"

Validation Status: Validated - External
Publication Status: Published
Symptom
  • IPSec tunnel is up, but the traffic fails to pass through.
  • Global counters show packet drops with error "ESP/AH host bound packet comes before tunnel finishes installation".
> show counter global filter delta yes packet-filter yes | match drop
flow_host_slowpath_drop       1        0    drop      flow   tunnel   ESP/AH host bound packet comes before tunnel finishes installation
  • In some versions, the global counters may show the following counter with error "ESP/AH packet comes before tunnel finishes installation":
> show counter global filter delta yes packet-filter yes | match drop
flow_tunnel_fastpath_race 240 0 info flow tunnel ESP/AH packet comes before tunnel finishes installation
  • Packet diag logs may display "Packet dropped, cannot handle IPv4 host bound ESP/AH packet".
Environment
  • Palo Alto Firewalls
  • Supported PAN-OS
  • IPSec VPN
Cause

The ingress interface of the ESP packet and the IPSec VPN terminating interface are in different security zones or different VSYS.

Resolution
  1. In the GUI, go to Network > Interfaces and check the VSYS and security zones of the interfaces configured for the tunnel.
  2. Configure both interfaces in the same security zone and the same VSYS.
  3. Commit the configuration and recheck.
  4. If the issue is not resolved, open a Support case.
Additional Information
Legacy ID: 167498
Legacy URL: http://live.paloaltonetworks.com:80/t5/Management-Articles/ESP-packets-dropped-with-error-quot-cannot-handle-IPv4-host/ta-p/167498