This article discusses the issue where IPSEC VPN traffic fails with the error
"Packet dropped, cannot handle IPv4 host bound ESP/AH packet"
Problem
The following section shows the packet-diag logs where the ESP packet is dropped by the firewall.
Here the ESP packet is received from source 118.201.215.22 and is destined to 103.80.209.5:
IP: 118.201.215.22->103.80.209.5, protocol 50
version 4, ihl 5, tos 0x00, len 120,
id 19317, frag_off 0x0000, ttl 43, checksum 48553
L4 binary dump: 16 bytes
00000000: d1 9e 2d d2 00 00 00 61 a7 8c a7 7f 18 d5 38 c0 ..-....a ......8.
Session setup: vsys 1
Session setup: ingress interface ae1 egress interface loopback.3 (zone 14)
Policy lookup, matched rule index 4,
Allocated new session 169972.
Packet dropped, cannot handle IPv4 host bound ESP/AH packet
Packet dropped, Session setup failed
The following counter increments in the output of the global counters:
> show counter global filter delta yes packet-filter yes | match drop
flow_host_slowpath_drop 1 0 drop flow tunnel ESP/AH host bound packet comes before tunnel finishes installation
Cause
The root cause of this issue is a configuration issue where the ingress interface of the ESP packet and the IPSEC VPN terminating interface are in different security zones.
Resolution
To resolve this issue, ensure that both the interfaces are in the same security zone.
In the above example, the ae1 interface (ingress interface of the ESP packet) and the loopback.3 interface (IPSEC VPN terminating interface) should be in the same security zone.
To check this, go to Network > Interfaces in the WebGUI and verify which security zone is assigned to each of the two interfaces.
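The check described above can be scripted against saved packet-diag output. The following is an added example, not part of the original article or a Palo Alto Networks tool: it parses the flow log for ESP/AH packets that hit the host-bound drop, extracts the ingress and egress interfaces, and compares them against a constructed interface-to-zone mapping (the zone names "untrust" and "vpn" are assumptions).

```python
import re

# Constructed sample of packet-diag flow-basic output, modelled on the drop shown above.
SAMPLE_LOG = """\
IP: 118.201.215.22->103.80.209.5, protocol 50
version 4, ihl 5, tos 0x00, len 120,
Session setup: vsys 1
Session setup: ingress interface ae1 egress interface loopback.3 (zone 14)
Policy lookup, matched rule index 4,
Allocated new session 169972.
Packet dropped, cannot handle IPv4 host bound ESP/AH packet
Packet dropped, Session setup failed
"""

# Hypothetical interface-to-zone mapping, as read from Network > Interfaces in the WebGUI.
INTERFACE_ZONES = {"ae1": "untrust", "loopback.3": "vpn"}

IP_RE = re.compile(r"^IP: (\S+)->(\S+), protocol (\d+)")
SETUP_RE = re.compile(r"ingress interface (\S+) egress interface (\S+)")
DROP_MSG = "cannot handle IPv4 host bound ESP/AH packet"

def parse_esp_drops(log_text):
    """Return one record per ESP (50) or AH (51) packet that hit the host-bound drop."""
    records, current = [], None
    for line in log_text.splitlines():
        m = IP_RE.match(line)
        if m:  # a new packet starts each block of the flow log
            current = {"src": m.group(1), "dst": m.group(2), "proto": int(m.group(3)),
                       "ingress": None, "egress": None, "dropped": False}
            records.append(current)
            continue
        if current is None:
            continue
        m = SETUP_RE.search(line)
        if m:
            current["ingress"], current["egress"] = m.group(1), m.group(2)
        elif DROP_MSG in line:
            current["dropped"] = True
    return [r for r in records if r["dropped"] and r["proto"] in (50, 51)]

def check_zone_mismatch(record, zones):
    """Return (ingress_zone, egress_zone, mismatch) for one dropped ESP/AH packet."""
    zi, ze = zones.get(record["ingress"]), zones.get(record["egress"])
    return zi, ze, zi != ze

if __name__ == "__main__":
    for rec in parse_esp_drops(SAMPLE_LOG):
        zi, ze, bad = check_zone_mismatch(rec, INTERFACE_ZONES)
        print(f"{rec['src']}->{rec['dst']} proto {rec['proto']}: {rec['ingress']} ({zi}) -> "
              f"{rec['egress']} ({ze}) {'ZONE MISMATCH' if bad else 'same zone'}")
```

A "ZONE MISMATCH" line on a packet carrying this drop message points directly at the cause described above; once both interfaces share a zone the same packet should no longer appear in the parsed drops.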