10-23-2003 06:36 AM - edited 02-21-2020 12:50 PM
Does anyone know what I can tweak to prevent these error messages.
%HW_VPN-1-HPRXERR: Virtual Private Network (VPN) Module2/8: Packet Encryption/Decryption error, status=4609
I have determined their due to packet overruns and esp_auth_failure on the encryption module. See below.
Virtual Private Network (VPN) Module in slot : 2
Statistics for Hardware VPN Module since the last clear
of counters 370 seconds ago
37846 packets in 37844 packets out
2 packet overruns 0 output packets dropped
0 packets decompressed 0 packets compressed
0 compressed bytes in 0 uncompressed bytes in
0 decompressed bytes out 0 compressed bytes out
0 packets bypass compression 0 packets abort compression
0 packets fail decompression 0 packets fail compression
19368 packets decrypted 18478 packets encrypted
2591512 bytes decrypted 2591512 bytes encrypted
3288760 bytes before decrypt 29372311411 bytes after encrypt
102 paks/sec in 102 paks/sec out
70 Kbits/sec decrypted 633911 Kbits/sec encrypted
Last 5 minutes:
29557 packets in 29556 packets out
15166 packets decrypted 14391 packets encrypted
1998488 bytes decrypted 3502810 bytes encrypted
2544464 bytes before decrypt 4020886 bytes after encrypt
98 paks/sec in 98 paks/sec out
67 Kbits/sec decrypted 107 Kbits/sec encrypted
rx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0
invalid_sa: 0 invalid_flow: 0 cgx_errors 0
fw_qs_filled: 0 fw_resource_lock: 0 lotx_full_err: 0
null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0
esp_auth_fail: 2 ah_auth_failure: 0 crypto_pad_error: 0
ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0
esp_prot_absent: 0 esp_seq_fail: 0 esp_spi_failure: 0
obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0
invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0
no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0
dsp_coproc_err: 0 comp_unsupported: 0 pak_too_big: 0
null packets: 0
pak_mp_length_spec_fault: 0 cmd queue errors: 0
tx_lo_queue_size_max 0 cmd_unimplemented: 0
Interrupts: 36175 Immed: 0 HiPri ints: 36175
LoPri ints: 0 POST Errs: 0 Alerts: 0
Unk Cmds: 0 UnexpCmds: 0
cgx_cmd_pending:0 packet_loop_max: 0packet_loop_limit: 0
Thanks for any help you can provide.
Billy
10-27-2003 05:41 AM
Hi Billy,
See the following forum discussion: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.eea174c/0#selected_message
10-27-2003 06:28 AM
Thanks, Yes, I saw this discussion. I believe it refers to a different issue. The funny thing about my situation is that I have 12 vpn tunnels configured with the exact same configuration, and only just one causes this error. I also get this error along with it:
Oct 27 07:36:28: %CRYPTO-4-IKMP_PKT_OVERFLOW: ISAKMP message from xx.xx.xx.218 larger (280978628) than the UDP packet length (108)
Its always from the same address (site.) Now I know these are normal on re-keys but I get them very frequently from this one site. I have done a line by line comparison to at least two other locations nearby and the configs are identical. I just can't figure out why this one site has become a problem.
Billy
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: