I have five routers participating in site-to-site VPN connections with one another. Three of the routers are 2821s with the advanced security features and IOS 12.4. I continually receive the following errors on two of these routers:
05-15-2006 09:23:04 Local7.Warning 172.16.2.6 4088: 004010: May 15 09:22:36.199 NewYork: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4
I receive these errors continuously from two routers receiving traffic from the same router. The two errors listed come simultaneously, every 30 or 40 seconds when traffic is on the line. When I check the crypto engine accelerator it shows a lot of dropped packets on these two routers. It doesn't matter if it's light or heavy traffic. I don't have the problem with any other VPN tunnels from the same router.
Wong, I know that this can happen during the transition to new keys, but this happens continuously, like every couple of minutes, and in some cases the error has occurred two and three times within one minute.
HW Accel has dropped the packet because it failed MAC
There could be delay in the tunnel because of which this is happening. The router has only a 64-packet queue for the VPN tunnel. It runs an anti-replay timer for each packet. If a (fragmented) packet arrives after this timer has expired, this message will be registered.
If you enable debug ip icmp on the router, do you see 'packet too big, do not fragment bit set' ICMP Type 3 Code 4 messages?
Try configuring a lower MSS value on the inside interface of the router. It will help.
It is a notification message that HW Accel has dropped the packet.
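The reply above attributes the drops to a 64-packet anti-replay window: a packet held back long enough (for example a fragment waiting on reassembly) falls off the left edge of the window and is discarded. The following is an added example, not code from the thread or from Cisco, that models the standard sliding anti-replay window (the RFC 4303 bitmap scheme, keyed on the ESP sequence number) so the effect can be reproduced offline. The window sizes, the 70-packet delay and the arrival orders are constructed assumptions for the demonstration; IOS's exact internal implementation is not shown here.

```python
# Added example (not from the original thread): RFC 4303-style sliding
# anti-replay window. Window size, delays and sequence numbers below are
# constructed assumptions for illustration only.


class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers.

    bit 0 of `bitmap` represents `top` (the highest sequence seen);
    bit i represents sequence number `top - i`.
    """

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # which of the last `size` sequence numbers were seen
        self.accepted = 0
        self.dropped = 0

    def check(self, seq):
        """Return True and record seq if acceptable, False if it is a replay
        or is older than the window (i.e. it arrived too late)."""
        if seq == 0:                       # ESP sequence numbers start at 1
            self.dropped += 1
            return False
        if seq > self.top:                 # newer than anything seen: slide window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1            # everything older is now out of window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            self.accepted += 1
            return True
        diff = self.top - seq
        if diff >= self.size:              # older than the window: delayed too long
            self.dropped += 1
            return False
        if self.bitmap & (1 << diff):      # already seen: replayed packet
            self.dropped += 1
            return False
        self.bitmap |= 1 << diff           # out of order but inside window: accept
        self.accepted += 1
        return True


def simulate(arrivals, window_size=64):
    """Feed a constructed arrival order through one window.

    Returns a list of (sequence_number, accepted) pairs."""
    window = ReplayWindow(window_size)
    return [(seq, window.check(seq)) for seq in arrivals]


def delayed_fragment_scenario(window_size=64, delay=70):
    """Packet 1 is held back (e.g. a fragment awaiting reassembly) while the
    next `delay` packets arrive in order; return whether the straggler is
    still accepted when it finally shows up."""
    arrivals = list(range(2, 2 + delay)) + [1]
    return simulate(arrivals, window_size)[-1][1]


if __name__ == "__main__":
    for size in (64, 128):
        ok = delayed_fragment_scenario(window_size=size, delay=70)
        print(f"window={size:3d}: packet delayed by 70 -> "
              f"{'accepted' if ok else 'DROPPED'}")
    print("replayed seq 2:", simulate([1, 2, 3, 2])[-1])
    print("reordered seq 2:", simulate([1, 3, 2])[-1])
```

With the default 64-entry window a packet that arrives after 70 successors is dropped, while the same arrival order against a 128-entry window is accepted; genuine duplicates are dropped regardless of window size, and mild reordering inside the window is tolerated. This is why the two usual remedies are to stop the delay at its source (lower MSS so packets do not fragment and wait for reassembly) or to widen the replay window on the receiving router.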