We have a VPN set up between a PIX and a Cisco 2600 running 12.1(7). SAs are being established just fine, and packets are going through, but after some time the VPN stops forwarding. On the Cisco side I see only three different error messages that appear at random intervals:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for conn id=xxxx
%CRYPTO-4-IKMP_NO_SA: IKE message from xx has no SA and is not an initalization offer
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet is not an IPSEC packet
Clearing SAs on both sides helps a lot. Both fast switching and CEF are disabled on all interfaces of the 2600 to get rid of the possible CSCdu04029 problem. Any advice?
I have the same issue, but I am running a tunnel from a PIX to a 1720 with the FW feature set. I see the same errors in the logs, but they do not coincide with the tunnel drops. There is one thing that I have noticed. Sometimes, when you do a "sh crypto engine connections active", the phase I isakmp sa does not exist. Also, "sh crypto isakmp sa" will show that the conn-id and state fields are blank. Every time my tunnel has dropped, this has been the case with the isakmp sa. However, I have also done random checks with the above two commands where the isakmp sa did not exist, but traffic was still being forwarded fine.
I was having the same problem as you can see from a previous post. I opened a case with TAC and got a fix. Here were the problems with my config.
1. I had my IPSEC and ISAKMP SA lifetimes with the same expiration time. The ISAKMP SA, which connects the two peers, needs to have a longer lifetime than the IPSEC SAs that actually encrypt the traffic. I just made my ISAKMP SA lifetime longer, which seemed to do the trick.
2. Also, I had different subnet masks (supernets) on my router and my PIX. I initially set this up so I could use the same access-list on the PIX for future VPN growth. Cisco says that the rekey of the SA could have problems with different subnet masks on the peers.
Once the config is correct, the tunnel should stabilize. The only other thing that could probably contribute to tunnel drops is exceeding bandwidth capabilities on your WAN link.
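As an added example (not code from this thread or from Cisco), here is a small Python checker for the two misconfigurations the TAC fix above describes: an ISAKMP lifetime that is not longer than the IPsec SA lifetime, and crypto ACLs whose subnet masks do not mirror each other on the two peers. The router and PIX configs are constructed samples that carry both faults; the checker understands IOS wildcard masks and PIX netmasks.

```python
import ipaddress
import re

# Constructed sample peer configs (not from the thread). They carry both faults the
# TAC fix addressed: equal ISAKMP and IPsec SA lifetimes, and a /16 supernet in the
# router's crypto ACL that the PIX side defines as a /24.
ROUTER_CFG = """
crypto isakmp policy 10
 lifetime 3600
crypto ipsec security-association lifetime seconds 3600
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.1.0 0.0.0.255
"""
PIX_CFG = """
isakmp policy 10 lifetime 3600
crypto ipsec security-association lifetime seconds 3600
access-list vpn permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

def lifetimes(cfg):
    """Return (isakmp_seconds, ipsec_seconds); handles IOS and PIX syntax."""
    isakmp = re.search(r"^\s*(?:isakmp policy \d+ )?lifetime (\d+)", cfg, re.M)
    ipsec = re.search(r"security-association lifetime seconds (\d+)", cfg)
    return int(isakmp.group(1)), int(ipsec.group(1))

def wildcard_to_netmask(wild):
    """IOS ACLs use inverted wildcard masks; PIX ACLs use ordinary netmasks."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))))

def crypto_acl(cfg, wildcard):
    """Return the set of (src_net, dst_net) pairs from 'permit ip' lines."""
    pairs = set()
    for src, smask, dst, dmask in re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg):
        if wildcard:
            smask, dmask = wildcard_to_netmask(smask), wildcard_to_netmask(dmask)
        pairs.add((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                   ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return pairs

def check_peers(router_cfg, pix_cfg):
    """List the misconfigurations described in the thread; an empty list means clean."""
    problems = []
    for name, cfg in (("router", router_cfg), ("pix", pix_cfg)):
        isakmp, ipsec = lifetimes(cfg)
        if isakmp <= ipsec:  # the phase 1 SA must outlive the phase 2 SAs it protects
            problems.append(f"{name}: ISAKMP lifetime {isakmp}s <= IPsec lifetime {ipsec}s")
    router = crypto_acl(router_cfg, wildcard=True)
    pix_mirrored = {(dst, src) for src, dst in crypto_acl(pix_cfg, wildcard=False)}
    for src, dst in sorted(router ^ pix_mirrored):  # entries with no exact mirror on the peer
        problems.append(f"crypto ACL mismatch: {src} -> {dst} has no exact mirror on the peer")
    return problems

if __name__ == "__main__":
    for problem in check_peers(ROUTER_CFG, PIX_CFG):
        print(problem)
```

Raising the ISAKMP lifetime (for example to 86400 seconds) and making the router ACL a /24 that exactly mirrors the PIX entry makes the checker return an empty list.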