Received encrypted packet with no matching SA, dropping

Hello,

One of my customers has a problem with several VPN tunnels (site-to-site).

HQ - PIX515E v7.04

Branch Office - PIX501 v6.3(1)

In the morning, around 12 branch offices need to connect to the HQ. When a branch office wants to connect, this does not work. In the logging I find this message: "received encrypted packet with no matching sa, dropped".

When I start a ping in the HQ to the branch office, the VPN tunnel will be built. So the temporary solution at this moment is to start a ping to all 12 branch offices in the morning.

Does anyone recognize this problem? Hopefully someone can help us.

Kind regards,

Ron


Re: Received encrypted packet with no matching SA, dropping

It sounds like the tunnel is terminating at HQ during the night but not at the branch site. Are your timers the same?


Re: Received encrypted packet with no matching SA, dropping

Hello,

First, thanks for your tips & tricks. The timers are the same and the IKE policy is the same as well. I noticed something else, and that is that the clocks on several branch offices are not the same as in the HQ. Could this be some part of the problem?


Re: Received encrypted packet with no matching SA, dropping

Hello,

I found something else: in the IKE policy the SA lifetime is 86400 seconds (24 hours). In the IPSEC tunnel policy the SA lifetime is 8 hours or 4608000 kilobytes. Could this be the problem?

Kind regards,

Ron
