
PIX to Cisco VPN dies after some time

Hi,

We have a VPN set up between a PIX and a Cisco 2600 running 12.1(7). SAs are being established just fine and packets are going through, but after some time the VPN stops forwarding. On the Cisco side I see only three different error messages, which appear at random intervals:

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for conn id=xxxx

%CRYPTO-4-IKMP_NO_SA: IKE message from xx has no SA and is not an initialization offer

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet is not an IPSEC packet

Clearing the SAs on both sides helps a lot. Both fast switching and CEF are disabled on all interfaces of the 2600 to rule out a possible CSCdu04029 problem. Any advice?

3 REPLIES
Re: PIX to Cisco VPN dies after some time

I have the same issue, but I am running a tunnel from a PIX to a 1720 with the FW feature set. I see the same errors in the logs, but they do not coincide with the tunnel drops. There is one thing that I have noticed. Sometimes, when you do a "sh crypto engine connections active", the Phase 1 ISAKMP SA does not exist. Also, "sh crypto isakmp sa" will show that the conn-id and state fields are blank. Every time my tunnel has dropped, this has been the case with the ISAKMP SA. However, I have also done random checks with the above two commands where the ISAKMP SA did not exist but traffic was still being forwarded fine.

Re: PIX to Cisco VPN dies after some time

Check your PIX version. It might be a bug.

Re: PIX to Cisco VPN dies after some time

I was having the same problem, as you can see from a previous post. I opened a case with TAC and got a fix. Here were the problems with my config:

1. I had my IPsec and ISAKMP SA lifetimes set to the same expiration time. The ISAKMP SA, which connects the two peers, needs a longer lifetime than the IPsec SAs that actually encrypt the traffic. I just made my ISAKMP SA lifetime longer, which seemed to do the trick.

2. Also, I had different subnet masks (supernets) on my router and my PIX. I initially set this up so I could use the same access-list on the PIX for future VPN growth. Cisco says that the rekey of the SA could have problems with different subnet masks on the peers.

Once the config is correct, the tunnel should stabilize. The only other thing that could probably contribute to tunnel drops is exceeding bandwidth capabilities on your WAN link.

RJ
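The two fixes RJ describes, written out as an added configuration example that is not from the original thread or from Cisco's documentation. The addresses, access-list numbers, crypto map and transform-set names, and the pre-shared-key placeholder are all assumed for illustration; the command syntax is IOS 12.1-era on the router side and PIX 6.x on the firewall side.

```cisco
! Added example, not part of the original thread. All addresses, names
! and policy numbers are assumptions chosen for illustration.
!
! --- Problem state on the router (what RJ's config looked like) ---
! Phase 1 (ISAKMP) and Phase 2 (IPsec) lifetimes expire together, and
! the crypto ACL matches a /16 supernet while the PIX matches a /24.
crypto isakmp policy 10
 lifetime 3600
crypto ipsec security-association lifetime seconds 3600
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
!
! --- Corrected router side ---
! ISAKMP SA outlives the IPsec SAs (86400 s vs 3600 s), so Phase 2
! rekeys always happen under an existing Phase 1 SA.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <pre-shared-key> address 203.0.113.2
!
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set PIXSET esp-3des esp-sha-hmac
!
! Proxy identities: the exact /24s, mirrored on both peers.
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set PIXSET
 match address 110
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPNMAP
!
! --- Corrected PIX side (PIX 6.x syntax) ---
! Same lifetime relationship, and the ACL is the mirror image of
! access-list 110 above (PIX uses normal masks, not wildcards).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <pre-shared-key> address 203.0.113.1 netmask 255.255.255.255
!
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set PIXSET esp-3des esp-sha-hmac
access-list VPN permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN
crypto map VPNMAP 10 set peer 203.0.113.1
crypto map VPNMAP 10 set transform-set PIXSET
crypto map VPNMAP interface outside
sysopt connection permit-ipsec
```

The 86400/3600 second pair is simply the IOS and PIX default lifetimes, so the first fix amounts to not overriding the ISAKMP default downward. For the second fix, the check to run on both boxes is "sh crypto ipsec sa": the local and remote ident lines on one peer should be the exact swap of the other peer's, with identical prefix lengths.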
