ipsec log entries, any idea ??

Any idea about these constantly occurring log entries?


HW_VPN-1-HPRXERR: Hardware VPN0/2: Packet Encryption/Decryption error, status=


Cisco Employee

Re: ipsec log entries, any idea ??

You would be receiving this message with your hardware encryption module.

There are a few known bugs regarding this:


Release Notes:-


A router displays one of the following error messages:

HW_VPN-1-HPRXERR: Hardware VPN0/2: Packet Encryption/Decryption error, status=4612

This is a notification message seen on the console of the DECRYPTING PEER that tells the user that IPSEC packets have been received out of order.

Obviously, this re-ordering can occur in one of 3 places:

1. encrypting peer

2. network

3. decrypting peer

Only in rare cases can this occur in the decrypting peer.

The only known way for this to occur in the decrypting peer is for a packet to be bumped to process switch while the following packets from the same tunnel are fast or cef switched. This could happen if the packet is fragmented and needs


The following lists some of the common scenarios that might introduce out-of-order ESP packets.

These scenarios are considered normal behaviors:

1. Fragmentation

2. QoS: QoS scheduling mechanism happening after IPSec encryption could cause ESP packets in the same IPsec SAs to be transmitted out-of-order.

3. Pak_priority: pak_priority is an internal flag set by the IOS to some of the router generated packets that are considered critical, e.g., routing updates, interface keepalives. When the output interface queue is congested, the router will honor the pak_priority flags to make sure the high priority packets are transmitted first. So in the GRE over IPsec and dynamic routing protocol design, the ESP packets could become out-of-order if the egress interface is congested and the router has to transmit the encrypted routing update first.


This symptom is observed when a Cisco 2600 or 3600 series Virtual Private Network (VPN) encryption card is placed under stress using fast switching with a mixture of fragmented and unfragmented packets.

Either of the messages may be displayed depending on whether Authentication Header (AH) or Encapsulation Protocol (ESP) encapsulation is used. In addition, the ah_seq_fail or esp_seq_fail error counts increment in the output of the show crypto engine accelerator statistic privileged EXEC



Set the maximum transmission unit (MTU) size of inbound streams to less than 1400 bytes.
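Added example, not part of the thread and not Cisco's code: a sketch of the RFC 4303 style sliding-window sequence check a decrypting peer performs, showing why a packet held back behind later-numbered packets fails the check and bumps a counter like esp_seq_fail. The window size of 64, the class and function names, and the arrival orders are assumptions constructed for illustration.

```python
# Added illustration: RFC 4303-style anti-replay check on the decrypting peer.
# WINDOW = 64 is an assumed window size, not a value taken from the thread.
WINDOW = 64


class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (top - i) already seen
        self.seq_fail = 0   # plays the role of the esp_seq_fail counter

    def accept(self, seq):
        """Return True if the packet passes the sequence check."""
        if seq > self.top:                      # new highest: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            self.seq_fail += 1                  # too old, or a duplicate
            return False
        self.bitmap |= 1 << offset              # late but inside the window
        return True


def run(arrival_order, size=WINDOW):
    """Feed sequence numbers in arrival order; return (dropped, seq_fail)."""
    win = ReplayWindow(size)
    dropped = [s for s in arrival_order if not win.accept(s)]
    return dropped, win.seq_fail


# Constructed arrival orders (sequence numbers assigned by the encrypting peer).
in_order = list(range(1, 201))
# Mild reordering: packet 50 arrives after 10 later-numbered packets,
# which is still inside the assumed window.
mild = list(range(1, 50)) + list(range(51, 61)) + [50] + list(range(61, 201))
# Heavy reordering: packet 50 is held back behind 100 later-numbered packets
# (e.g. a congested egress queue), so it arrives outside the window.
heavy = list(range(1, 50)) + list(range(51, 151)) + [50] + list(range(151, 201))

if __name__ == "__main__":
    for name, order in (("in_order", in_order), ("mild", mild), ("heavy", heavy)):
        print(name, run(order))
```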

