VPN Router Log full of these errors

Unanswered Question
Sep 24th, 2009

We have a VPN router at our HQ that we use for LAN-to-LAN GRE VPN tunnels to our branches. The log file has been full of these errors for a particular branch for a long time. The branch is not complaining of connectivity issues because they have an alternate circuit, but I would really like to know definitively what causes these. The HQ router is a 7206 running c7200-ik9s-mz.123-14.T7.bin. The branch router is a 2811 running c2800nm-advipservicesk9-mz.124-20.T2.bin. The 2811 does NOT have an AIM. The 7206 has SA-VAM2. I replaced the src and dest addresses in the example below with x.x.x.x for security. If anyone knows what causes this I would love to get a doc. None of the info I have found so far has resolved it.

Sep 24 07:01:53: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1408,handle=0x5807

Sep 24 07:01:53: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7

Sep 24 07:06:13: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1416,handle=0x5807

Sep 24 07:06:13: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7

Sep 24 07:07:17: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1416,handle=0x5807

Sep 24 07:07:17: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7

Sep 24 07:07:57: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1408,handle=0x5807

Giuseppe Larosa Thu, 09/24/2009 - 08:19

Hello Rachel,

You can use the following links:

http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ft_vam2p.html#wp1033173

http://www.cisco.com/en/US/docs/security/vpn_modules/vam_vsa/vam2plus/installation/guide/vam2p_cf.html#wp68671

The useful commands to check whether the VAM is fine are:

sh diag

show pas vam interface

sh crypto eli

Look in the third one for any error counters and whether they increment over time.

Also the IOS image that you have on HQ can play a role.

We had troubles with stateful IPSec developed in a pair of C7206VXR with NPE-G2 and VAM2+.

In the end, changing the IOS image solved it.

Note that:

12.4(19)T was not good at all, but 12.4(20)T solved our issue.

In some cases, other colleagues have reported having changed the VAM module.

Hope this helps

Giuseppe

Laurent Aubert Thu, 09/24/2009 - 12:52

Hi,

This message means the received IPSec packets are corrupted. So now you need to find out where the corruption occurs.

You could have a sniffer on both sides of the tunnel and track a specific IPSec packet sent by the branch and received by the HQ.

If you see differences, the corruption occurred in transit. If not, the corruption occurred inside the 7200, so in that case you need to contact TAC.

The error doesn't appear often enough for the branch to complain.

HTH

Laurent.
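Added example, not part of either reply above: a small Python script that does the "do the errors increment over time" check Giuseppe describes and the "is it always the same SA" question behind Laurent's advice, but from the syslog itself. It parses the two message types from the question, pairs each %VPN_HW-1-PACKET_ERROR with the %CRYPTO-4-RECVD_PKT_MAC_ERR logged in the same second, and reports counts per handle, connection id and packet size plus the error rate over the window. The sample log is constructed from the excerpt in the question (addresses masked as in the post).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, shaped like the excerpt in the question (addresses masked as in the post).
SAMPLE_LOG = """\
Sep 24 07:01:53: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1408,handle=0x5807
Sep 24 07:01:53: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7
Sep 24 07:06:13: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1416,handle=0x5807
Sep 24 07:06:13: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7
Sep 24 07:07:17: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1416,handle=0x5807
Sep 24 07:07:17: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7
Sep 24 07:07:57: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1408,handle=0x5807
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
HW_RE = re.compile(TS + r": %VPN_HW-1-PACKET_ERROR: slot: (?P<slot>\d+) .*size=(?P<size>\d+),handle=(?P<handle>0x[0-9a-fA-F]+)")
MAC_RE = re.compile(TS + r": %CRYPTO-4-RECVD_PKT_MAC_ERR: .*connection id=(?P<conn>\d+)")

def _ts(s):
    # These syslog timestamps carry no year; differences between them are still meaningful.
    return datetime.strptime(s, "%b %d %H:%M:%S")

def summarize(log_text):
    """Group both message types by handle / connection id and pair them by timestamp."""
    hw, mac = [], []
    for line in log_text.splitlines():
        m = HW_RE.match(line)
        if m:
            hw.append(m.groupdict())
            continue
        m = MAC_RE.match(line)
        if m:
            mac.append(m.groupdict())
    mac_by_ts = Counter(e["ts"] for e in mac)
    paired = 0
    for e in hw:
        if mac_by_ts[e["ts"]] > 0:  # a MAC-verify failure logged in the same second
            mac_by_ts[e["ts"]] -= 1
            paired += 1
    stamps = sorted(_ts(e["ts"]) for e in hw + mac)
    span = (stamps[-1] - stamps[0]).total_seconds() if stamps else 0.0
    return {
        "hw_errors": len(hw), "mac_errors": len(mac), "paired": paired,
        "unpaired_hw": len(hw) - paired,
        "handles": dict(Counter(e["handle"] for e in hw)),      # one handle = one SA on the VAM
        "conn_ids": dict(Counter(e["conn"] for e in mac)),
        "sizes": dict(Counter(int(e["size"]) for e in hw)),     # near-MTU sizes hint at fragmentation
        "span_seconds": span,
        "per_minute": round(60 * len(hw) / span, 3) if span else None,  # compare day to day
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a longer slice of the router's log to see whether the rate climbs or stays flat, and whether every failure lands on the same handle and connection id or spreads across SAs.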
