
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

armir1234
Level 1

Hi Everyone.

I was making some changes on the routers, and after I rolled back the configuration a GRE tunnel won't work. It's a GRE tunnel between a Cisco 7600 and a Cisco 2851.

It seems like the 7600 sent packets unencrypted.

On the C2851 this message is received:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

        (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47

Could you check the attached configuration and give any advice?

Thank you.


rizwanr74
Level 7

Please change your ACL data type to IP instead of GRE on both ACLs below.

ip access-list extended acl_crypto_KS_pronet
 permit gre host 10.0.0.18 host 10.0.0.10

ip access-list extended acl_crypto_HO_pronet
 permit gre host 10.0.0.10 host 10.0.0.18

Your authentication is not pre-share?

crypto isakmp policy 32
 encr aes 192
 authentication rsa-encr
 group 2

Thank you for your response. It doesn't work. I wanted to say that it has worked before, and yes, it is not pre-share.

mudjain
Level 1

I went through the configuration and think all required components are in there.

I would say that we should check routing.

The error message means that the packet received should, as per local policy, have been an IPSEC encrypted packet; however, it was a plain text packet.

Going further:

* Please check if the tunnel is up and share show crypto ipsec sa from either end.

* Please check if the packets leaving the other end are taking the right exit interface and, if yes, whether they are encrypted or not. You can check this with the help of an ACL (disabling CEF if this is not in production and there is no MPLS link involved).
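
The following Python example is added here and was not written by any participant in the thread. It parses the log message from the original post and checks it against the two crypto ACLs quoted in the first reply, reporting which entry should have made the sender encrypt the packet and which entry made the receiver reject it. The function names and the restriction to host-to-host permit entries are assumptions of the example.

```python
import re
# Constructed sample: the two-line syslog message quoted in the original post.
SAMPLE_LOG = """%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
        (ip) vrf/dest_addr= /10.0.0.10, src_addr= 10.0.0.18, prot= 47
"""
# The two crypto ACLs quoted in the first reply.
SAMPLE_ACLS = """ip access-list extended acl_crypto_KS_pronet
 permit gre host 10.0.0.18 host 10.0.0.10
ip access-list extended acl_crypto_HO_pronet
 permit gre host 10.0.0.10 host 10.0.0.18
"""
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}  # "ip" matches any
EVENT_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?\(ip\)\s+vrf/dest_addr=\s*(?P<vrf>[^/]*)/"
    r"(?P<dst>[\d.]+),\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<prot>\d+)", re.S)
ACE_RE = re.compile(r"\s*permit\s+(\w+)\s+host\s+([\d.]+)\s+host\s+([\d.]+)\s*$")

def parse_events(log):
    """One dict per RECVD_PKT_NOT_IPSEC message: vrf, dst, src, prot (IP protocol number)."""
    return [{"vrf": m["vrf"].strip(), "dst": m["dst"], "src": m["src"],
             "prot": int(m["prot"])} for m in EVENT_RE.finditer(log)]

def parse_acls(config):
    """(acl_name, proto, src, dst) for each 'permit <proto> host A host B' entry."""
    aces, name = [], None
    for line in config.splitlines():
        if line.strip().startswith("ip access-list extended "):
            name = line.split()[-1]
        elif name and (m := ACE_RE.match(line)):
            aces.append((name, m[1].lower(), m[2], m[3]))
    return aces

def classify(event, aces):
    """Return (sender_side, receiver_side) ACL names for one cleartext packet.
    sender_side: entry matches the packet as sent, so the sender should have encrypted it.
    receiver_side: entry is the packet's mirror image; inbound cleartext matching the
    reverse of a crypto ACL is what triggers this log message."""
    sender, receiver = [], []
    for name, proto, src, dst in aces:
        if proto != "ip" and PROTO_NUM.get(proto) != event["prot"]:
            continue  # entry is for a different IP protocol
        if (src, dst) == (event["src"], event["dst"]):
            sender.append(name)
        if (src, dst) == (event["dst"], event["src"]):
            receiver.append(name)
    return sender, receiver

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev, classify(ev, parse_acls(SAMPLE_ACLS)))
```

Protocol 47 in the message is GRE, so a `permit gre` entry and a `permit ip` entry between the same two hosts both select this packet.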

olpeleri
Cisco Employee

Your config looks good.

If you're getting unencrypted packets on the 2800, that means something is wrong on the cat7k. Is the peer reached via the crypto connect vlan? Can you check that?

Cheers,

armir1234
Level 1

Hi Everybody.

Thank you for taking your time.

I solved the problem by a hardware reset of the Cisco 7600.

I didn't want to do that, but like Microsoft, Cisco needs a reload.

olpeleri
Cisco Employee

Weird - a reload should never be necessary. Anyway... if it's fixed then it's fixed :-)