Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
607
Views
0
Helpful
2
Replies

VPN acceleration module errors due to overruns

bdedek
Level 1
Level 1

‎10-23-2003 06:36 AM - edited ‎02-21-2020 12:50 PM

Does anyone know what I can tweak to prevent these error messages.

%HW_VPN-1-HPRXERR: Virtual Private Network (VPN) Module2/8: Packet Encryption/Decryption error, status=4609

I have determined their due to packet overruns and esp_auth_failure on the encryption module. See below.

Virtual Private Network (VPN) Module in slot : 2

Statistics for Hardware VPN Module since the last clear

of counters 370 seconds ago

37846 packets in 37844 packets out

2 packet overruns 0 output packets dropped

0 packets decompressed 0 packets compressed

0 compressed bytes in 0 uncompressed bytes in

0 decompressed bytes out 0 compressed bytes out

0 packets bypass compression 0 packets abort compression

0 packets fail decompression 0 packets fail compression

19368 packets decrypted 18478 packets encrypted

2591512 bytes decrypted 2591512 bytes encrypted

3288760 bytes before decrypt 29372311411 bytes after encrypt

102 paks/sec in 102 paks/sec out

70 Kbits/sec decrypted 633911 Kbits/sec encrypted

Last 5 minutes:

29557 packets in 29556 packets out

15166 packets decrypted 14391 packets encrypted

1998488 bytes decrypted 3502810 bytes encrypted

2544464 bytes before decrypt 4020886 bytes after encrypt

98 paks/sec in 98 paks/sec out

67 Kbits/sec decrypted 107 Kbits/sec encrypted

rx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0

invalid_sa: 0 invalid_flow: 0 cgx_errors 0

fw_qs_filled: 0 fw_resource_lock: 0 lotx_full_err: 0

null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0

esp_auth_fail: 2 ah_auth_failure: 0 crypto_pad_error: 0

ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0

esp_prot_absent: 0 esp_seq_fail: 0 esp_spi_failure: 0

obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0

invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0

no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0

dsp_coproc_err: 0 comp_unsupported: 0 pak_too_big: 0

null packets: 0

pak_mp_length_spec_fault: 0 cmd queue errors: 0

tx_lo_queue_size_max 0 cmd_unimplemented: 0

Interrupts: 36175 Immed: 0 HiPri ints: 36175

LoPri ints: 0 POST Errs: 0 Alerts: 0

Unk Cmds: 0 UnexpCmds: 0

cgx_cmd_pending:0 packet_loop_max: 0packet_loop_limit: 0

Thanks for any help you can provide.

Billy

Labels:
0 Helpful
2 Replies 2

bdedek
Level 1
Level 1
In response to MMostert

‎10-27-2003 06:28 AM

Thanks, Yes, I saw this discussion. I believe it refers to a different issue. The funny thing about my situation is that I have 12 vpn tunnels configured with the exact same configuration, and only just one causes this error. I also get this error along with it:

Oct 27 07:36:28: %CRYPTO-4-IKMP_PKT_OVERFLOW: ISAKMP message from xx.xx.xx.218 larger (280978628) than the UDP packet length (108)

It’s always from the same address (site.) Now I know these are normal on re-keys but I get them very frequently from this one site. I have done a line by line comparison to at least two other locations nearby and the configs are identical. I just can't figure out why this one site has become a problem.

Billy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents