Cisco Support Community
Community Member

Manual ipsec on pix 506

I have ipsec with manual keying with third party device and i am geting those errors:

IPSEC(sw_esp_decap): authenticate failed

IPSEC(ipsec_cipher_handler): decap failed for "SRC_IP" -> "DST_IP"

Does anybody have an idea as to why this is occuring. This is rather frustrating, as cisco doesn't seem to have

any documentation to cover this error.

Cisco Employee

Re: Manual ipsec on pix 506

This is basically telling you theat the decrypt of the packet failed. You probably have your ESP keys and/or SPI's different on both end devices. Make sure they're the same, keeping in mind that on the PIX they're stored in hex, so make sure that is the same as the third-party device, or convert them if they're stored in ascii/decimal.

What error are you seeing on the third party device?

Community Member

Re: Manual ipsec on pix 506

the 3rd party device is GGSN Ericsson, and is not under my domain, and yes it should be something with hex/dec values of SPI parameters as i see in syslog messages (%PIX-4-402101) wrong spi 0x200(131072)

what does that mean 200 hex or 131072 dec

when booting up the pix it clears or rebuilds SAs

SAs are associated with spi 0x200(512) and 0x201(513)

crypto map aaa 10 set session-key inbound esp 512 cipher bbb authenticator ccc

tnx for reply

CreatePlease to create content