Cisco Support Community

New Member

Packet NOT IPSEC

I have a large VPN with 3DES encryption. At my remote site I have a Cisco 1720 (IOS 12.2.YA2) with ADSL or ISDN; at the center I have a 7204VXR (IOS 12.1.10aE4) with an accelerator card. The VPN works properly, but sometimes the 1720 receives an error:

"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) dest_addr= xxx.xxx.xxx.xxx, src_addr= yyy.yyy.yyy.yyy, prot= 6"

When this error occurs, my telnet 3270 session remains blocked for 1-2 minutes.

I've disabled the route cache on both routers, but the problem is not resolved.

Does anybody have a suggestion for me?

Thanks

Gionata

4 REPLIES
New Member

Re: Packet NOT IPSEC

Does that 1720 router have a VPN accelerator card installed?

If it does, use "no crypto engine accelerator" to disable the VPN module and see whether the problem is still there or not. To turn it back on, simply use "crypto engine acce" in "config t" mode.

Are you doing a hub-and-spoke design or a fully meshed VPN network?

Sometimes this is because a large number of VPN peers' phase 1 ISAKMP SAs time out and rekey at the same time; it might cause a 1-2 minute timeout?

You can disable the "PFS" settings to reduce the phase 1 rekey.

Best Regards,

New Member

Re: Packet NOT IPSEC

Hi,

The 1720 doesn't have the accelerator card. My VPN is an extranet VPN.

The problem occurs during an established IPSec session, not in the startup phase. Concerning the possibility of disabling PFS, I think that this operation has an impact on the whole VPN because I must change the policy on all my extranet routers. Is that correct?

Best Regards

New Member

Re: Packet NOT IPSEC

This is not a problem. Don't worry about it. Non-IPSec packets will not be able to pass through the router to the LAN. My guess is that these packets relate to phase 1 SA initialization offers which have to clear, because no encryption policy has been established yet.

New Member

Re: Packet NOT IPSEC

Sorry, but I have this problem during an IPSec session, not only during phase 1 SA init, and when this occurs the clients are blocked for 1-2 minutes. Can these non-IPSec packets occur when the lifetime has ended and the router renegotiates a new SA?

Thanks for your collaboration, and sorry for my poor English.

Gionata
