VPN issue, from VPN module on 6500 to 3745, over a LAN extension circuit.
Mirrored ACLs with a deny at the top for UDP any any, then a series of permits at IP level. All works well when testing out of hours on all applications. Next day all fine until mid morning, then issues reported. Saw drops on the interface, fixed with hold-queue and the issue went, but appeared again a little later. Worked out DNS was not working correctly. Cleared crypto SA to fix, issue came back later. Asked to lift crypto, so did. Have tested the set-up in the lab, but on different hardware, and can force similar errors when messing with the ACLs to make them not mirrored. Basically, on the fly, remove the ACL entry for UDP on one end: UDP stops working, TCP has performance issues, ICMP intermittent. Need to lab this again to get more detail.
Errors seen in live:
%VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, Invalid Packet
VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, Output replay error(0x08000000)
Errors on sho cry en acc sta:
ppq full errors        : 0      ppq rx errors         : 71242
cmdq full errors       : 0      cmdq rx errors        : 0
no buffer              : 0      replay errors         : 6783
dest overflow          : 0      authentication errors : 2
Other error            : 0      RNG self test fail    : 0
DF Bit set             : 0      Hash Miscompare       : 0
Unwrappable object     : 0      Missing attribute     : 0
Invalid attrribute value: 0     Bad Attribute         : 0
Verification Fail      : 0      Decrypt Failure       : 0
Invalid Packet         : 71242  Invalid Key           : 0
My thoughts are that the 6500 is matching entries on the ACL, or matching a cache/flow (CEF etc.) for return packets at the IP layer, and encrypting packets which are dropped at the far end.
Any ideas, known problems?
I intend to map all ACLs at layer 4 to overcome the possible error, but would like answers.
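Since the lab test above reproduced the failure by making the two crypto ACLs non-mirrored, a quick offline check that the local and remote crypto ACLs really are mirror images can be run before and after any change. This is an added example, not the poster's configuration or a Cisco tool: the ACE grammar it parses is simplified (no ports), and the ACL names and addresses are constructed.

```python
"""Check that two crypto ACLs are exact mirror images of each other.

Hypothetical helper, not a Cisco tool. An ACE is 'permit|deny <proto> <src> <dst>'
where each address is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'. Ports ignored.
"""

def _take_addr(tokens):
    """Consume one address spec from the token list; return (addr, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]          # address + wildcard

def parse_acl(text):
    """Return ACEs in order as (action, proto, src, dst); skips header lines."""
    aces = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                        # 'ip access-list ...'
        src, rest = _take_addr(tokens[2:])
        dst, _ = _take_addr(rest)
        aces.append((tokens[0], tokens[1], src, dst))
    return aces

def mirror(ace):
    action, proto, src, dst = ace
    return (action, proto, dst, src)

def check_mirrored(local, remote):
    """Return a list of problems; an empty list means the pair is a true mirror."""
    a, b = parse_acl(local), parse_acl(remote)
    if [mirror(x) for x in a] == b:
        return []
    problems = [f"local ACE has no mirror on remote: {' '.join(x)}"
                for x in a if mirror(x) not in b]
    problems += [f"remote ACE has no mirror on local: {' '.join(x)}"
                 for x in b if mirror(x) not in a]
    # Same ACEs but different order still matters: a deny must stay at the top.
    return problems or ["same ACEs but in a different order (check deny placement)"]

# Constructed sample ACLs; addresses and names are illustrative only.
LOCAL_ACL = """ip access-list extended VPN-6500
 deny udp any any
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip host 10.1.5.9 10.2.0.0 0.0.255.255"""
REMOTE_ACL_OK = """ip access-list extended VPN-3745
 deny udp any any
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 host 10.1.5.9"""
REMOTE_ACL_BAD = REMOTE_ACL_OK.replace(" deny udp any any\n", "")  # UDP deny removed
```

Running `check_mirrored(LOCAL_ACL, REMOTE_ACL_BAD)` flags the missing UDP deny on the remote side, the same asymmetry that was introduced by hand in the lab test.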