%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection

Answered Question
Mar 6th, 2009

Does anyone know what could be causing this error?

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=

I have a GRE over IPSec VPN tunnel using ISAKMP that keeps generating this error.

I have verified that the shared keys are the same on both ends. I checked the error lookup tool and it seems to point to that.

I also tried disabling CEF and Fast Switching on the interface but that hasn't helped either.

auraza Fri, 03/06/2009 - 07:01

This normally means that the packet failed authentication, meaning that something changed in the packet in transit, and the hash sent by the other side didn't match the hash calculated by this router. This could be due to a number of things:

1) Faulty router in the middle dropping bits or changing the packet in some way

2) Hardware encryption module or routers on either side having an issue.

You can try the following:

Disable hardware encryption (no crypto engine accelerator) on both sides to see if the error goes away. If yes, then the issue could most likely be the hardware module. Make sure you don't do this during peak times as software encryption may not be able to handle the traffic flowing through the tunnel.
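
The check auraza describes, as an added example that is not part of the original thread: a simplified ESP-style packet authenticated with HMAC-SHA1-96, where any single changed bit makes the receiver's recomputed hash differ from the one that was sent. The key, SPI, payload and function names are constructed for illustration, encryption is omitted, and the thread does not say which transform the tunnel actually uses.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404) keeps the first 96 bits of the HMAC


def icv(auth_key: bytes, data: bytes) -> bytes:
    """Truncated HMAC-SHA1 over the authenticated part of the packet."""
    return hmac.new(auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI | sequence number | payload | ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(auth_key, body)


def verify(auth_key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    if len(packet) < 8 + ICV_LEN:
        return False  # too short to hold the header and the ICV
    body, received = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv(auth_key, body), received)


def flip_bit(packet: bytes, bit: int) -> bytes:
    """Model a single bit damaged in transit or by a faulty crypto engine."""
    damaged = bytearray(packet)
    damaged[bit // 8] ^= 1 << (bit % 8)
    return bytes(damaged)


def count_undetected_flips(auth_key: bytes, packet: bytes) -> int:
    """Number of single-bit flips that would still pass verification."""
    return sum(verify(auth_key, flip_bit(packet, b)) for b in range(len(packet) * 8))


# Constructed sample values, not taken from any real tunnel.
KEY = bytes(range(20))
PACKET = protect(KEY, spi=0x1000, seq=1, payload=b"constructed GRE payload")

if __name__ == "__main__":
    print("intact packet verifies:", verify(KEY, PACKET))
    print("one flipped bit verifies:", verify(KEY, flip_bit(PACKET, 70)))
    print("undetected single-bit flips:", count_undetected_flips(KEY, PACKET))
```

The receiver sees the same failure whether the damaged bit is in the header, the payload or the hash itself, so the log message alone does not say where along the path the change happened.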

mlitka Fri, 03/06/2009 - 07:12

The head end router isn't experiencing this issue and neither are any other spokes. I disabled hardware acceleration on the one spoke with the issue and the error is still occurring.

chris_tan Tue, 03/10/2009 - 18:44

Hi,

My router encounters the same error as you mention. Did you find the root cause already? Besides seeing this error, is the performance affected?

Could it be the service provider PE issue which will cause the error?

Rgds,

Christopher

Correct Answer
LOUIS BOISVERT Wed, 03/11/2009 - 13:48

I got the same problem too.

Just to let you know, there is a bug open at Cisco for this (CSCsv43145).

They said it is only cosmetic, not service affecting.

(But it generates a lot of messages in the router log file.)

guibarati Tue, 06/23/2009 - 05:39

I was having the same problem and found your post.

In my case the problem was the one mentioned by auraza.

The hardware accelerator had some problem.
