Cisco Support Community
New Member

IPSEC Problem

I am running OSPF using GRE tunnels (both OSPF packets and IPX packets are encrypted). The remote sites are using 3640 and the central sites are using 7200. All routers have hardware VPN modules.

The WAN is using BroadBand Ethernet.

The following messages are generated at some remote sites' 3640 routers, and the customers are very worried.

Jul 9 14:57:28 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609
Jul 9 14:58:08 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609
Jul 9 14:58:47 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609
Jul 9 14:59:28 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609

Does anyone know the cause of the above message?

Also, at one remote site, the OSPF relationship is sometimes down and I have to reload the router. Once the router is reloaded, the OSPF relationship is rebuilt again.

I attach a config file for one remote site for your reference:

**********************************************************************
Current configuration : 4724 bytes
!
! No configuration change since last restart
!
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname EDDRTKR1
!
logging buffered 4096 debugging
!
clock timezone HKT 8
ip subnet-zero
no ip source-route
!
!
no ip domain-lookup
!
ip ssh time-out 120
ip ssh authentication-retries 3
ipx routing 0060.7015.abc0
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 852h address 10.15.247.8
crypto isakmp key 852h address 10.15.247.208
!
!
crypto ipsec transform-set edset esp-3des esp-md5-hmac
 mode transport
!
crypto map edmap local-address Loopback0
crypto map edmap 10 ipsec-isakmp
 set peer 10.15.247.8
 set transform-set edset
 match address 110
crypto map edmap 20 ipsec-isakmp
 set peer 10.15.247.208
 set transform-set edset
 match address 120
!
call rsvp-sync
!
!
!
!
!
!
!
!
!
interface Loopback0
 description IP address for router ID of OSPF
 ip address 10.15.247.54 255.255.255.255
!
interface Tunnel0
 description Wu Chung EDDRMWCH1
 ip address 10.15.237.42 255.255.255.252
 ip mtu 1500
 ipx network FED0028
 ipx output-sap-filter 1000
 ipx update interval sap 120
 traffic-shape rate 1000000 25000 25000 1000
 tunnel source Loopback0
 tunnel destination 10.15.247.8
 crypto map edmap
!
interface Tunnel1
 description Sai Kung EDDRMSK1
 ip address 10.15.238.42 255.255.255.252
 ip mtu 1500
 ipx network FEE0028
 ipx output-sap-filter 1000
 ipx update interval sap 120
 traffic-shape rate 1000000 25000 25000 1000
 tunnel source Loopback0
 tunnel destination 10.15.247.208
 crypto map edmap
!
interface Ethernet0/0
 description segment at Tin Kwong Road Training Unit
 ip address 10.15.232.225 255.255.255.248
 ip mask-reply
 no ip proxy-arp
 half-duplex
 ipx network F365000 encapsulation SAP
!
interface Ethernet0/1
 description BroadBand (VP685382)
 ip address 128.15.237.10 255.255.255.128
 no ip unreachables
 no ip proxy-arp
 half-duplex
 ipx network FF8D000
 traffic-shape rate 1000000 25000 25000 1000
 no cdp enable
 crypto map edmap
!
interface FastEthernet1/0
 description Connected to EDDRTKR2 FastEthernet 2/0
 ip address 10.15.232.13 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 333
 log-adjacency-changes
 network 10.15.0.0 0.0.255.255 area 128.15.0.0
!
ip classless
ip route 10.15.247.8 255.255.255.255 128.15.237.1
ip route 10.15.247.208 255.255.255.255 128.15.237.2
no ip http server
ip pim bidir-enable
!
logging trap debugging
logging 10.99.3.24
logging 10.99.3.25
logging 10.99.3.21
logging 10.15.4.5
access-list 110 permit gre host 10.15.247.54 host 10.15.247.8
access-list 120 permit gre host 10.15.247.54 host 10.15.247.208
access-list 1000 permit FFFFFFFF 4
access-list 1000 permit FFFFFFFF 107
access-list 1000 permit FFFFFFFF 526
access-list 1000 permit FFFFFFFF 531
access-list 1000 permit FFFFFFFF 37E
access-list 1000 permit FFFFFFFF 44C
access-list 1000 permit FFFFFFFF 30C
access-list 1000 permit FFFFFFFF 901
access-list 1000 permit FFFFFFFF 152
!
snmp-server community ednet123 RO
snmp-server host 10.99.3.11 ednet123
snmp-server host 10.99.3.12 ednet123
!
!
!
tacacs-server host 10.99.3.24
tacacs-server host 10.99.3.25
tacacs-server key ciscotac
!
dial-peer cor custom
!
!
!
!
!
!
line con 0
 exec-timeout 15 0
 password 7 1300131C0E18
 speed 19200
 flowcontrol hardware
line aux 0
 exec-timeout 15 0
 password 7 070A25424B1D
 transport input all
line vty 0
 exec-timeout 15 0
 password 7 03015F05031B
line vty 1
 exec-timeout 15 0
 password 7 141216050910
line vty 2
 exec-timeout 15 0
 password 7 09494A071C11
line vty 3
 exec-timeout 15 0
 password 7 045E0F080A35
line vty 4
 exec-timeout 15 0
 password 7 15170F02013E
!
ntp clock-period 17179977
ntp source Loopback0
ntp server 10.15.247.9
ntp server 10.15.247.8
end

1 REPLY
Cisco Employee

Re: IPSEC Problem

This message is related to bug CSCdu40546, and is a defect in the way the hardware encryption card handles large encrypted packets. You'll probably see this error every time the router tries to pass a large packet. Setting the MTU on the interfaces to 1500 usually works around it. The bug is also resolved in 12.2(3)T and higher.
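
Added example (not part of the original thread, and not Cisco code): a small parser that pulls the %HW_VPN-1-HPRXERR lines quoted in the question out of a syslog capture and reports how often each hardware-VPN slot/status pair recurs, which is the steady repetition the reply says to expect whenever a large packet hits this defect. The function names, thresholds and the year used to build timestamps (the IOS timestamp carries none) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the four lines quoted in the question above.
SAMPLE_LOG = """\
Jul 9 14:57:28 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609
Jul 9 14:58:08 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609
Jul 9 14:58:47 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609
Jul 9 14:59:28 HKT: %HW_VPN-1-HPRXERR: Hardware VPN2/8: Packet Encryption/Decryption error, status=4609
"""

# Matches the message format shown on the page; \s+ tolerates the two-space
# padding IOS uses for single-digit days.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<tz>\w+): "
    r"%HW_VPN-1-HPRXERR: Hardware VPN(?P<slot>\d+/\d+): "
    r"Packet Encryption/Decryption error, status=(?P<status>\d+)$"
)

def parse_hprxerr(text, year=2001):
    """Return (datetime, slot, status) for every HPRXERR line; year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["slot"], int(m["status"])))
    return events

def summarize(events):
    """Group by (slot, status): count, first/last seen, mean gap in seconds."""
    groups = {}
    for ts, slot, status in sorted(events):
        groups.setdefault((slot, status), []).append(ts)
    out = {}
    for key, stamps in groups.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        out[key] = {"count": len(stamps), "first": stamps[0], "last": stamps[-1],
                    "mean_gap_s": sum(gaps) / len(gaps) if gaps else None}
    return out

def recurring(summary, min_count=3, max_mean_gap_s=120):
    """Slot/status pairs that repeat at least min_count times at short intervals."""
    return [k for k, v in summary.items()
            if v["count"] >= min_count and v["mean_gap_s"] is not None
            and v["mean_gap_s"] <= max_mean_gap_s]

if __name__ == "__main__":
    for key, info in summarize(parse_hprxerr(SAMPLE_LOG)).items():
        print(key, info)
```

Feed it the router's buffered log (logging buffered is enabled in the posted config) or the syslog collector's file; a pair reported by recurring() every few tens of seconds on a 12.2 image below 12.2(3)T matches the pattern the reply describes.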
