I have a large VPN with 3DES encryption. At my remote site I have a Cisco 1720 (IOS 12.2.YA2) with ADSL or ISDN; at the center I have a 7204VXR (IOS 12.1.10aE4) with an accelerator card. The VPN works properly, but sometimes the 1720 receives an error:
"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= xxx.xxx.xxx.xxx, src_addr= yyy.yyy.yyy.yyy, prot= 6"
When this error occurs, my telnet 3270 session remains blocked for 1-2 minutes.
I've disabled the route cache on both routers, but the problem is not resolved.
The 1720 doesn't have the accelerator card. My VPN is an extranet VPN.
The problem occurs during an established IPSec session, not in the startup phase. Concerning the possibility of disabling PFS, I think that this operation has an impact on the whole VPN because I must change the policy on all my extranet routers. Is that correct?
This is not a problem. Don't worry about it. Non IPSec packets will not be able to pass through the Router to the LAN. My guess is that these packets relate to phase 1 SA initialization offers which have to clear, because no encryption policy has been established yet.
Sorry, but I have this problem during an IPSec session, not only in a phase 1 SA init, and when this occurs the clients are blocked for 1-2 minutes. Can these non-IPSec packets occur when the lifetime has ended and the router renegotiates a new SA?
Thanks for your collaboration, and sorry for my poor English.
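One way to check the question raised in the last post, whether the `%CRYPTO-4-RECVD_PKT_NOT_IPSEC` messages line up with SA lifetime expiry, is to measure the gaps between messages per flow in collected syslog. This is an added example, not part of the thread: the sample lines, the collector timestamp format, the hostname `rtr1720` and the 3600-second lifetime are assumptions; only the message text comes from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

MSG = "%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) "
PEER_A = "dest_addr= 192.0.2.10, src_addr= 198.51.100.20, prot= 6"
PEER_B = "dest_addr= 192.0.2.10, src_addr= 198.51.100.21, prot= 6"
# Constructed sample: ISO timestamp and hostname as a syslog collector might add them.
SAMPLE_LOG = "\n".join([
    "2002-05-14T09:00:07 rtr1720 " + MSG + PEER_A,
    "2002-05-14T09:17:30 rtr1720 " + MSG + PEER_B,
    "2002-05-14T09:30:00 rtr1720 unrelated message (constructed)",
    "2002-05-14T09:41:05 rtr1720 " + MSG + PEER_B,
    "2002-05-14T10:00:02 rtr1720 " + MSG + PEER_A,
    "2002-05-14T11:00:11 rtr1720 " + MSG + PEER_A,
    "2002-05-14T11:20:00 rtr1720 " + MSG + PEER_A,
])

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s.*%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?"
    r"dest_addr=\s*(?P<dst>[\d.]+),\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<proto>\d+)"
)

def parse_events(text):
    """Return sorted (timestamp, src, dst, ip_protocol) tuples for matching lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["proto"])))
    return sorted(events)

def rekey_alignment(events, lifetime_s, tolerance_s=30):
    """Per flow: (gaps within tolerance of a multiple of lifetime_s, total gaps)."""
    by_flow = defaultdict(list)
    for ts, src, dst, proto in events:
        by_flow[(src, dst, proto)].append(ts)
    result = {}
    for flow, stamps in by_flow.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        near = 0
        for gap in gaps:
            k = round(gap / lifetime_s)  # nearest whole number of lifetimes
            if k >= 1 and abs(gap - k * lifetime_s) <= tolerance_s:
                near += 1
        result[flow] = (near, len(gaps))
    return result

if __name__ == "__main__":
    # 3600 s is an assumed lifetime; use the value configured on the routers.
    for flow, (near, total) in rekey_alignment(parse_events(SAMPLE_LOG), 3600).items():
        print(flow, f"{near}/{total} gaps match the SA lifetime")
```

A flow whose gaps mostly match the configured lifetime supports the renegotiation explanation; gaps that do not match point to a different cause.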