First of all, thanks to everyone who will take the time to read this message. We have a fairly large VPN topology between our primary data center and various customer sites. One site has an 1841 running 12.4(24) Mainline that is logging a rather peculiar error message:
This message is only being experienced at this one site and doesn't seem to be effecting VPN availability or performance. This is more a question out of curiosity than anything. The current findings using Cisco's Error Message Decoder is as follows:
decrypt: mac verify failed for connection id=[dec]
MAC verify processing failed. This may be due to the use of the wrong key by either party during the MAC calculations. Some might consider this a hostile event."
Most others that have experienced this issue usually are able to find a resolution by disabling Fast Switching on the interface(s) involved. I'm curious if anyone else has experienced this issue in a similar deployment. I'm assuming "MAC calculations" in Cisco's description is referring to frame-based CRC values but I'm not receiving any inbound errors on the line. I'm also a little puzzled about the actual nature of this error, as it relates to IPSEC.
This might be caused by the use of the wrong key by either party during the MAC calculations. Basically a VPN negotiation is taking place but the pre-shared key is not correct. If all your VPN tunnels are currently working fine then there is not much we could do about this error message since some one else is trying to create a VPN tunnel and your router is reporting that the information provided is not valid.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :