Community Member
Site to Site VPN errors

I have five routers participating in site-to-site VPN connections with one another. Three of the routers are 2821s with the advanced security features and IOS 12.4. I continually receive the following errors on two of these routers:

05-15-2006 09:23:04 Local7.Warning 172.16.2.6 4088: 004010: May 15 09:22:36.199 NewYork: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4

05-15-2006 09:23:03 Local7.Alert 172.16.2.6 4087: 004009: May 15 09:22:36.195 NewYork: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=172.16.2.5,dstadr=172.16.2.6,size=720,handle=0x5804

I receive these errors continuously from two routers receiving traffic from the same router. The two errors listed come simultaneously, every 30 or 40 seconds when traffic is on the line. When I check the crypto engine accelerator it shows a lot of dropped packets on these two routers. It doesn't matter if it's light or heavy traffic. I don't have the problem with any other VPN tunnels from the same router.

3 REPLIES
Silver

Re: Site to Site VPN errors

This message can occur occasionally during normal operation of the system. It may occur during the transition to a new session key for a Security

Community Member

Re: Site to Site VPN errors

Wong, I know that this can happen during the transition to new keys, but this happens continuously, like every couple of minutes, and in some cases the error has occurred two and three times within one minute.

Cisco Employee

Re: Site to Site VPN errors

Hello,

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4

The message is telling that the packet has failed the Message Authentication Code check (to verify that the packet is not a replayed packet).

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=172.16.2.5,dstadr=172.16.2.6,size=720,handle=0x5804

The HW accelerator has dropped the packet because it failed the MAC check.

There could be delay in the tunnel because of which this is happening. The router has only a 64-packet queue for the VPN tunnel. It runs an anti-replay timer for each packet. If a (fragmented) packet arrives after this timer has expired, this message will be registered.

If you enable debug ip icmp on the router, do you see 'packet too big, do not fragment bit set' ICMP Type 3 Code 4 messages?

Try configuring a lower MSS value on the inside interface of the router. It will help.

It is a notification message that the HW accelerator has dropped the packet.

Vikas
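The anti-replay window Vikas describes, as an added illustration written for this thread (it is not Cisco IOS code nor from any poster): the receiver keeps the highest sequence number accepted plus a 64-entry bitmap of the sequence numbers just below it, and a packet that arrives after the window has already moved 64 sequence numbers past it is dropped as too old. The window size of 64 and the arrival orders in the demo are constructed assumptions.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check in the style of RFC 4303, Appendix A.

    Constructed illustration: `highest` is the largest sequence number seen,
    bit i of `bitmap` records whether seq (highest - i) has been received.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => seq (highest - i) already seen

    def check(self, seq):
        """Return 'accept', 'replay' or 'too_old' for an incoming seq."""
        if seq == 0:
            return "too_old"          # ESP sequence numbers start at 1
        if seq > self.highest:        # advances the window to the right
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1       # window moved completely; only seq is seen
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= self.size:
            return "too_old"          # arrived after the window moved past it
        if self.bitmap & (1 << diff):
            return "replay"           # duplicate of an already-seen packet
        self.bitmap |= 1 << diff      # late but still inside the window
        return "accept"


def simulate(arrivals, window=64):
    """Feed arriving sequence numbers through one window; return (seq, verdict) pairs."""
    w = AntiReplayWindow(window)
    return [(seq, w.check(seq)) for seq in arrivals]


def delayed_fragment_demo():
    """Constructed case: seq 5 is held back while 100 later packets pass, then arrives."""
    arrivals = [1, 2, 3, 4] + list(range(6, 106)) + [5]
    return simulate(arrivals)[-1]     # (5, 'too_old')
```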
