Cisco Support Community
New Member

Received encrypted packet with no matching SA, dropping

Hi,

My VPN tunnel goes down approximately every 2 hrs and resets automatically after 40-50 min. But if I reset the tunnel in between, it will come up. I have a Cisco ASA 5520, and a Check Point UTM-1 Edge at the other end. What could be the issue? When the tunnel is down, I am getting the message "Received encrypted packet with no matching SA, dropping" in the ASA FW logs.

Thanks,

Sridhar

5 REPLIES
Cisco Employee

Received encrypted packet with no matching SA, dropping

Hi,

It is normal to see this during rekey and it should not cause a problem.

However, in your case it is causing the tunnel to be down for 45 minutes. Kindly check the following:

Phase 2 lifetime at both ends; it should match.

Also check these at the time of the failure:

debug crypto isakmp 128

debug crypto ipsec 128

Hope that this helps.

Mohammad.

New Member

Re: Received encrypted packet with no matching SA, dropping

Thanks, but unfortunately I am not getting anything when I ran the above commands while the tunnel was down. I am attaching the FW logs captured during the issue.

x.x.x.x is the IP address of the remote VPN peer.

Thanks,

Sridhar

Cisco Employee

Received encrypted packet with no matching SA, dropping

Hi,

Please check the following:

What are the phase 1 and phase 2 lifetimes used on the other side of the tunnel?

Cheers.

Mohammad

New Member

Re: Received encrypted packet with no matching SA, dropping

Phase 1 - 86400 sec

Phase 2 - 8 hrs (28800 sec)

What else can I check to find out the same?

New Member

Received encrypted packet with no matching SA, dropping

Hi Sridhar,

What I was thinking is that there were multiple Security Associations (SA) tied to the same traffic defined by the crypto map. That means that the router on the other end is also receiving the same message.

Regards,
Gurpreet S Puri

****************************
Keep Smiling, Peace
****************************

(Please Rate Helpful Post)
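
As an added example that is not part of any post in this thread: one way to measure how long each outage lasts and how often it recurs from the firewall log, then compare that period with the lifetimes reported for the remote end (86400 s and 28800 s). The timestamp and host layout around the message, the host name `fw1`, the peer addresses and every sample line are constructed assumptions; only the message text comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Message text as quoted in the thread. The timestamp/host layout around it
# is an assumption; adjust LINE_RE to the real syslog format.
MSG = "Received encrypted packet with no matching SA, dropping"
TS_FMT = "%b %d %Y %H:%M:%S"
LINE_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d\d:\d\d:\d\d) .*IP = (\S+), " + re.escape(MSG))

def outage_windows(lines, peer, gap=timedelta(minutes=10)):
    """Group drop messages from `peer` into (start, end) windows.
    A silence longer than `gap` closes the current window."""
    windows = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) != peer:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        if windows and ts - windows[-1][1] <= gap:
            windows[-1][1] = ts          # still inside the same outage
        else:
            windows.append([ts, ts])     # first drop of a new outage
    return [tuple(w) for w in windows]

def compare(windows, lifetimes, tol=0.10):
    """Return outage durations, start-to-start intervals (seconds), and the
    names of the lifetimes that lie within `tol` of the mean interval."""
    durations = [int((e - s).total_seconds()) for s, e in windows]
    intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(windows, windows[1:])]
    mean = sum(intervals) / len(intervals) if intervals else None
    near = [n for n, v in lifetimes.items() if mean and abs(mean - v) <= tol * v]
    return {"durations": durations, "intervals": intervals, "near": near}

def constructed_log(peer="192.0.2.10"):
    """Constructed sample: two 45-minute bursts about two hours apart."""
    lines = []
    for start in (datetime(2011, 3, 14, 2, 0, 5), datetime(2011, 3, 14, 4, 1, 10)):
        for k in range(0, 46, 5):        # one drop every 5 minutes
            t = (start + timedelta(minutes=k)).strftime(TS_FMT)
            lines.append(f"{t} fw1 : IP = {peer}, {MSG}")
    lines.append(f"Mar 14 2011 03:00:00 fw1 : IP = 198.51.100.7, {MSG}")  # other peer
    return lines

if __name__ == "__main__":
    w = outage_windows(constructed_log(), "192.0.2.10")
    # Lifetimes are the values the poster reports for the remote end.
    print(compare(w, {"phase1": 86400, "phase2": 28800}))
```

An empty `near` list means the outage period lines up with none of the lifetimes passed in, so the values configured on the ASA side are the next thing to put into the comparison.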