site to site vpn, intermittent issue and packets dropped

Brief

VPN issue from a VPN module on a 6500 to a 3745, over a LAN extension circuit.

Mirrored ACLs with a deny at the top for UDP any any, then a series of permits at the IP level. All works well when testing out of hours on all applications. The next day all was fine until mid-morning, then issues were reported. Saw drops on the interface, fixed with hold-queue, and the issue went away but appeared again a little later. Worked out DNS was not working correctly. Cleared the crypto SAs to fix it; the issue came back later. Was asked to lift the crypto, so did. Have tested the setup in the lab, but on different hardware, and can force similar errors when messing with the ACLs to make them not mirrored. Basically, on the fly, remove the ACL entry for UDP on one end: UDP stops working, TCP has performance issues, ICMP is intermittent. Need to lab this again to get more detail.

Errors seen in live:

%VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, Invalid Packet

VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, Output replay error(0x08000000)

Errors on sho cry en acc sta (show crypto engine accelerator statistic):

Errors:
  ppq full errors          : 0      ppq rx errors          : 71242
  cmdq full errors         : 0      cmdq rx errors         : 0
  no buffer                : 0      replay errors          : 6783
  dest overflow            : 0      authentication errors  : 2
  Other error              : 0      RNG self test fail     : 0
  DF Bit set               : 0      Hash Miscompare        : 0
  Unwrappable object       : 0      Missing attribute      : 0
  Invalid attribute value  : 0      Bad Attribute          : 0
  Verification Fail        : 0      Decrypt Failure        : 0
  Invalid Packet           : 71242  Invalid Key            : 0

My thoughts are that the 6500 is matching entries on the ACL, or matching a cache/flow (CEF etc.) for return packets at the IP layer, and encrypting packets which are then dropped at the far end.

Any ideas, known problems?

I intend to map all ACLs at layer 4 to overcome the possible error, but would like answers.

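The post's lab test (pulling the UDP deny from one end so the crypto ACLs are no longer mirror images) is exactly the kind of mismatch that is easy to introduce by hand and hard to spot by eye. The following is an added example, not code from the original post or from Cisco: a small Python checker that parses two IOS extended ACLs, mirrors one (swapping source and destination, including port operators), and reports entries that have no counterpart on the far end, plus a strict check that the order also matches, since a deny that sits at the top on one side must sit at the top on the other. The ACL text is constructed for illustration and is not the poster's configuration; the parser covers only the common extended-ACL syntax (any / host X / network wildcard, optional eq/gt/lt/neq/range port specs).

```python
# Added example: check that two Cisco extended (crypto) ACLs mirror each other.
# The sample ACLs below are constructed; they are not the poster's real config.
from typing import List, NamedTuple, Tuple


class AclEntry(NamedTuple):
    action: str     # "permit" or "deny"
    proto: str      # ip / tcp / udp / icmp ...
    src: str        # "any", "host a.b.c.d" or "network wildcard"
    src_port: str   # "" or e.g. "eq 53", "range 1024 65535"
    dst: str
    dst_port: str


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume one address specification starting at tok[i]."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2          # network + wildcard mask


def _take_port(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port operator (only meaningful for tcp/udp)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return f"{tok[i]} {tok[i + 1]}", i + 2
    if i < len(tok) and tok[i] == "range":
        return f"range {tok[i + 1]} {tok[i + 2]}", i + 3
    return "", i


def parse_acl(text: str) -> List[AclEntry]:
    """Parse numbered ('access-list N ...') or named ACL lines into entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list":      # numbered ACL: drop "access-list N"
            tok = tok[2:]
        elif tok[0].isdigit():           # named ACL with sequence numbers
            tok = tok[1:]
        if not tok or tok[0] not in ("permit", "deny"):
            continue                     # header line or remark
        action, proto = tok[0], tok[1]
        src, i = _take_addr(tok, 2)
        src_port, i = _take_port(tok, i)
        dst, i = _take_addr(tok, i)
        dst_port, i = _take_port(tok, i)
        entries.append(AclEntry(action, proto, src, src_port, dst, dst_port))
    return entries


def mirror(e: AclEntry) -> AclEntry:
    """The entry the far end must carry: same action/proto, src and dst swapped."""
    return AclEntry(e.action, e.proto, e.dst, e.dst_port, e.src, e.src_port)


def mirror_diff(local_text: str, remote_text: str) -> Tuple[List[AclEntry], List[AclEntry]]:
    """Return (local entries with no mirror on remote, remote entries with no mirror on local)."""
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [e for e in local if mirror(e) not in remote_set]
    missing_on_local = [e for e in remote if mirror(e) not in local_set]
    return missing_on_remote, missing_on_local


def ordered_mirror(local_text: str, remote_text: str) -> bool:
    """True only if the remote list is the exact mirror, entry for entry, in order."""
    return [mirror(e) for e in parse_acl(local_text)] == parse_acl(remote_text)


# Constructed sample: UDP denied at the top, then IP-level permits (as in the post).
LOCAL_ACL = """
access-list 101 deny udp any any
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 10.2.3.3 eq 443
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip host 10.1.5.5 host 10.2.9.9
"""
REMOTE_ACL_OK = """
access-list 101 deny udp any any
access-list 101 permit tcp host 10.2.3.3 eq 443 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip host 10.2.9.9 host 10.1.5.5
"""
# Same far end with the UDP deny pulled on the fly, as in the lab test.
REMOTE_ACL_BROKEN = "\n".join(REMOTE_ACL_OK.splitlines()[2:]) + "\n"

if __name__ == "__main__":
    for name, remote in (("ok", REMOTE_ACL_OK), ("broken", REMOTE_ACL_BROKEN)):
        not_on_remote, not_on_local = mirror_diff(LOCAL_ACL, remote)
        print(f"[{name}] exact ordered mirror: {ordered_mirror(LOCAL_ACL, remote)}")
        for e in not_on_remote:
            print("  local entry has no mirror on remote:", " ".join(x for x in e if x))
        for e in not_on_local:
            print("  remote entry has no mirror on local:", " ".join(x for x in e if x))
```

Run against the two far-end variants, the broken one reports the local `deny udp any any` as having no mirror on the remote and fails the ordered check; the set-based diff catches missing or extra entries, while the ordered check catches the case where both sides have the same entries but in a different order, which matters because the first match wins.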