ESP packets dropped with error "cannot handle IPv4 host bound ESP/AH packet"

Symptom
  • The IPSec tunnel is up, but traffic fails to pass through it.
  • Global counters show packet drops with the error "ESP/AH host bound packet comes before tunnel finishes installation":
> show counter global filter delta yes packet-filter yes | match drop
flow_host_slowpath_drop       1        0    drop      flow   tunnel   ESP/AH host bound packet comes before tunnel finishes installation
  • In some versions, the global counters instead show the counter flow_tunnel_fastpath_race with the error "ESP/AH packet comes before tunnel finishes installation":
> show counter global filter delta yes packet-filter yes | match drop
flow_tunnel_fastpath_race     240      0    info      flow   tunnel   ESP/AH packet comes before tunnel finishes installation
  • Packet diag logs may display "Packet dropped, cannot handle IPv4 host bound ESP/AH packet".
Environment
  • Palo Alto Firewalls
  • Supported PAN-OS
  • IPSec VPN
Cause

ESP traffic ingresses on a different interface than the one the IPSec VPN terminates on (the interface the IKE gateway is bound to), and that terminating interface is either a non-loopback interface or belongs to a different security zone or VSYS than the ingress interface. The firewall therefore receives host-bound ESP/AH on an interface it does not associate with the tunnel and drops it.

Resolution
  1. If the IPSec VPN terminating interface is a non-loopback interface (for example, an Ethernet interface), create a new loopback interface with a new local address, bind the IKE gateway to this loopback interface and address, and update the peer VPN device with the new peer address.
  2. Go to GUI: Network > Interfaces and check the VSYS and Security Zone of the interfaces involved in the tunnel (the interface on which ESP arrives and the interface the IKE gateway is bound to).
  3. Configure both interfaces in the same security zone and the same VSYS.
  4. Commit the configuration and re-check the counters and tunnel status.
  5. If the issue is not resolved, open a Support case.
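The following is an added configuration example and is not part of the original article: it shows the resolution above in PAN-OS set-format CLI, moving the IKE gateway from the Ethernet interface to a dedicated loopback and placing the loopback, the Ethernet interface and the tunnel interface in the same virtual router, zone and vsys. Interface names, zone names, the gateway and tunnel names, the vsys and all addresses (RFC 5737 ranges) are assumptions; the command syntax follows the PAN-OS set commands as I know them, so confirm each against the CLI reference for your PAN-OS release. Lines starting with # are annotation, not CLI input.

```text
# Public-facing interface that actually receives the ESP packets (assumed name and address).
set network interface ethernet ethernet1/1 layer3 ip 192.0.2.1/24
set network virtual-router default interface ethernet1/1
set zone untrust network layer3 ethernet1/1

# Step 1: a new loopback with its own /32 to terminate the tunnel (assumed name and address).
# Steps 2-3: the loopback goes in the same virtual router and zone as ethernet1/1.
set network interface loopback units loopback.1 ip 203.0.113.1/32
set network virtual-router default interface loopback.1
set zone untrust network layer3 loopback.1

# Tunnel interface for the route-based VPN (assumed name); it lives in its own zone.
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1
set zone vpn network layer3 tunnel.1

# Bind the IKE gateway to the loopback instead of ethernet1/1 (assumed peer address; PSK is a placeholder).
set network ike gateway GW-BRANCH local-address interface loopback.1 ip 203.0.113.1/32
set network ike gateway GW-BRANCH peer-address ip 198.51.100.2
set network ike gateway GW-BRANCH authentication pre-shared-key key <your-psk>

# IPSec tunnel riding on that gateway.
set network tunnel ipsec VPN-BRANCH auto-key ike-gateway GW-BRANCH
set network tunnel ipsec VPN-BRANCH tunnel-interface tunnel.1

# On a multi-vsys firewall, both interfaces must be imported into the same vsys (assumed vsys1).
set vsys vsys1 import network interface [ ethernet1/1 loopback.1 tunnel.1 ]

# Step 4: commit, then re-check. The peer must now be pointed at 203.0.113.1.
commit
show vpn ike-sa gateway GW-BRANCH
show vpn ipsec-sa tunnel VPN-BRANCH
show counter global filter delta yes packet-filter yes | match drop
```

After the commit, the flow_host_slowpath_drop and flow_tunnel_fastpath_race counters should stop incrementing and the IPSec SA should show traffic in both directions. Because ethernet1/1 and loopback.1 share a zone, host-bound IKE and ESP to the loopback is intrazone traffic and is covered by the default intrazone-allow rule; if you have overridden that default, add a security rule permitting the ike and ipsec-esp applications to the loopback address.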
Additional Information
Legacy ID: 167498
Legacy URL: http://live.paloaltonetworks.com:80/t5/Management-Articles/ESP-packets-dropped-with-error-quot-cannot-handle-IPv4-host/ta-p/167498