site to site VPN in cisco

Unanswered Question
Sep 1st, 2010
User Badges:

Hi all,


I have problem on my site-to-site VPN connection. I'm working in branch using cisco 1721 and HQ using Cisco PIX 516E.

The VPN connection established succcesfuly. But in some time the VPN session keep hang and needed to clear the session "clear crypto sess". During the time VPN seesiong hang, i noticed the tunnel is up. Nothing wrong i see in Cisco Show commands. And resume normal after clear seesion. Do anybody know what is the root cause. FYI, both site devices we did nothing. The configuration all working as normal. But something I have noticed in Branch Cisco 1721 router is as below:


01:43:29: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2
01:44:07: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=218.208.xxx.xxx, prot=17,
spi=0x12061C2(18899394), srcaddr=60.54.xxx.xxx
01:44:37: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=5
01:45:48: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=218.208.xxx.xxx, prot=17,
spi=0xC3B63C00(3283500032), srcaddr=60.54.xxx.xxx


I have search in Cisco website, the solution given for the above log file is contact peer Administrator. If I do contact what should I ask him to check. As I get information from him, He never touch the devices for more than 6 month... So how could the HQ device configuration has been changed? Is it this problem related to hardware?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mvsheik123 Thu, 09/02/2010 - 12:23
User Badges:
  • Gold, 750 points or more

Hi,


Hope you resolved the issue. If not try to disable 'fast switching ' on 17xx (no ip route-cache) interface and check if the issue resurfaces.


hth

MS

Actions

This Discussion