Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

DMVPN GRE over IPSEC Packet loss

I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1

The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a

Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.

When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)

You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router

interface Tunnel111

description **DPN VPN**

bandwidth 1000

ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1300

ip pim sparse-dense-mode

ip nhrp authentication XXXX

ip nhrp map multicast dynamic

ip nhrp map multicast X.X.X.X

ip nhrp map X.X.X.X X.X.X.X

ip nhrp network-id 100002

ip nhrp holdtime 360

ip nhrp nhs

ip route-cache flow

ip tcp adjust-mss 1260

ip summary-address eigrp 100 10.X.X.X 5

qos pre-classify

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel key XXXX

tunnel protection ipsec profile X.X.X.X

interface GigabitEthernet0/0

description **TO DPNVPN**

ip address 10.X.X.X

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip pim sparse-dense-mode

ip virtual-reassembly

duplex full

speed 100

no snmp trap link-status

no mop enabled

Is there anything that you can think of that may becausing this, do you think this can be a layer one or two issue? Thanks


New Member

Re: DMVPN GRE over IPSEC Packet loss

Have you try to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better. But be careful, cause your CPU% will run much higher, but you only have 10 spokes sites, so it wont be at 100%.

It's better to start troubleshooting by layer 1 then layer 2 when it's possible. Have you ask the site's ISP for packet lost on their side ?