%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

Unanswered Question
May 11th, 2012

Hi Everyone.


I was making some changes on the routers, and after I rolled back the configuration a GRE tunnel won't work. It's a GRE tunnel between a Cisco 7600 and a Cisco 2851.


It seems like the 7600 sent packets unencrypted.

On the C2851 this message is received:


%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

        (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47



Could you check the attached configuration and give any advice?



Thank you.

rizwanr74 Fri, 05/11/2012 - 12:31

Please change your ACL data type to IP instead of GRE on both ACLs below.



ip access-list extended acl_crypto_KS_pronet
 permit gre host 10.0.0.18 host 10.0.0.10

ip access-list extended acl_crypto_HO_pronet
 permit gre host 10.0.0.10 host 10.0.0.18



Your authentication is not pre-share?


crypto isakmp policy 32
 encr aes 192
 authentication rsa-encr
 group 2

armir1234 Sun, 05/13/2012 - 23:54

Thank you for your response; it doesn't work. I wanted to say that it has worked before, and yes, it is not preshare.

mudjain Mon, 05/14/2012 - 00:59

I went through the configuration and think all required components are in there.


I would say that we should check routing.


The error message means that the packet received should, as per local policy, have been an IPsec-encrypted packet; however, it was a plain-text packet.


Going further:


* Please check if the tunnel is up and share the output of show crypto ipsec sa from either end.

* Please check if the packets leaving the other end are taking the right exit interface and, if yes, whether they are encrypted or not. You can check this with the help of an ACL (disabling CEF if this is not in production and there is no MPLS link involved).
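
As an added example (not part of the original thread or any poster's code), the sketch below parses the log message and tests it against the mirror image of each crypto ACL quoted above, showing which policy expected the packet to arrive encrypted and which sender to inspect. The function names are hypothetical, and only "permit <proto> host A host B" entries are handled.

```python
import re

# IOS ACL protocol keywords -> IP protocol number (None means any protocol)
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}

EVENT_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*[^/\s]*/(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)", re.S)

def parse_events(log):
    """Extract (src, dst, protocol number) from each RECVD_PKT_NOT_IPSEC message."""
    return [(m["src"], m["dst"], int(m["prot"])) for m in EVENT_RE.finditer(log)]

def parse_crypto_acls(config):
    """Return {acl_name: [(proto, local, remote)]}; only 'host A host B' permits are handled."""
    acls, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            current = acls.setdefault(m[1], [])
        elif (m := re.match(r"permit (\w+) host ([\d.]+) host ([\d.]+)", line)) \
                and current is not None and m[1] in PROTO:
            current.append((PROTO[m[1]], m[2], m[3]))
    return acls

def expecting_acls(event, acls):
    """ACLs whose mirror image matches the cleartext packet: the receiver's policy
    protects local->remote, so an inbound match is src == remote and dst == local."""
    src, dst, prot = event
    return sorted(name for name, entries in acls.items()
                  if any(p in (None, prot) and local == dst and remote == src
                         for p, local, remote in entries))

# Sample input: the log message and the two ACLs quoted in the thread.
LOG = """%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47"""
CONFIG = """ip access-list extended acl_crypto_KS_pronet
 permit gre host 10.0.0.18 host 10.0.0.10
ip access-list extended acl_crypto_HO_pronet
 permit gre host 10.0.0.10 host 10.0.0.18"""

if __name__ == "__main__":
    acls = parse_crypto_acls(CONFIG)
    for ev in parse_events(LOG):
        print(f"cleartext proto {ev[2]} from {ev[0]} to {ev[1]}: "
              f"expected IPsec per {expecting_acls(ev, acls) or 'no ACL'}; check sender {ev[0]}")
```
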

olpeleri Mon, 05/14/2012 - 01:28
User Badges: Cisco Employee

Your config looks good.


If you're getting unencrypted packets on the 2800, that means something is wrong on the cat7k. Is the peer reached via the crypto connect vlan? Can you check that?


Cheers,

armir1234 Mon, 05/14/2012 - 01:31

Hi Everybody.

Thank you for taking your time.

I solved the problem with a hardware reset of the Cisco 7600.

I didn't want to do that, but like Microsoft, Cisco needs a reload.

olpeleri Mon, 05/14/2012 - 01:56
User Badges: Cisco Employee

Weird - a reload should never be necessary. Anyway... if it's fixed then it's fixed :-)
