Strange crypto error in 72xx.. HSPRE...

danne
Level 1

Hi,

We have two 72xx VPN routers acting as concentrators for around 50 VPN tunnels each. They both run 12.3-8(T11) software and a VAM card. The errors we get don't seem to come from IOS but rather from the VAM card - am I correct? No users have reported any problems, so I'm not sure if it's disturbing or not.

** Warning: HSPRE_REPLAY_BAD At File ipsecdecode.c:460 ** Value(0x31B4) is below current window left edge(0x31F3)

** Warning: HSPRE_REPLAY_BAD At File ipsecdecode.c:460 ** Value(0x31B6) is below current window left edge(0x31F3)

** Warning: HSPRE_REPLAY_BAD At File ipsecdecode.c:460 ** Value(0x31B5) is below current window left edge(0x31F3)

** Error: HSPS_INPUT_UNDERRUN At File ipsecdecode.c:649 ** Packet too small after stripping off Header of 0x24 bytes and Trailer of 0xC6 Bytes

** Warning: HSPRE_MAC_BAD At File ipsecdecode.c:743 ** MAC Mismatch

** Warning: HSPRE_MAC_BAD At File ipsecdecode.c:743 ** MAC Mismatch

** Warning: HSPRF_GP_FLAG At File ipsecdecode.c:602 ** For Tunneled packet: The innermost nextheader field contained a B9 when it should have contained 04 to indicate an IP packet was the payload

** Error: HSPS_INPUT_UNDERRUN At File ipsecdecode.c:649 ** Packet too small after stripping off Header of 0x24 bytes and Trailer of 0x8F Bytes

What is HSPS in this case - any clues?

ajagadee
Cisco Employee

Dan,

Are you doing IPSEC or GRE Over IPSEC Tunnels?

What is the IP MTU Value set to? Looks like Fragmentation might be the issue. Try to reduce fragmentation if possible.

Do a "Show ip traffic" and look at values under "Frags" and see if the values increase when the log message occurs.

Regards,

Arul

We are running GRE over IPSEC, I will take a closer look at the fragmentation and see if that can be the problem. MTU is generally set to 1420. Thanks,

// Daniel

a.manosca
Level 4

You may want to look at your VAM module. Updating it to VAM2+ may resolve it, as happened in my case.
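
A triage sketch for the log excerpt in the original post, added here as an example and not code from any poster or from Cisco: it splits the VAM messages (including entries run together on one line), tallies them by code, and computes how far each rejected value sits below the anti-replay window's left edge. The function names `parse` and `summarize` are hypothetical; the log text is the post's own.

```python
import re
from collections import Counter

# Log text as it appears in the original post (two lines carry two entries each).
SAMPLE = """\
** Warning: HSPRE_REPLAY_BAD At File ipsecdecode.c:460 ** Value(0x31B4) is below current window left edge(0x31F3)
** Warning: HSPRE_REPLAY_BAD At File ipsecdecode.c:460 ** Value(0x31B6) is below current window left edge(0x31F3)
** Warning: HSPRE_REPLAY_BAD At File ipsecdecode.c:460 ** Value(0x31B5) is below current window left edge(0x31F3)** Error: HSPS_INPUT_UNDERRUN At File ipsecdecode.c:649 ** Packet too small after stripping off Header of 0x24 bytes and Trailer of 0xC6 Bytes
** Warning: HSPRE_MAC_BAD At File ipsecdecode.c:743 ** MAC Mismatch
** Warning: HSPRE_MAC_BAD At File ipsecdecode.c:743 ** MAC Mismatch** Warning: HSPRF_GP_FLAG At File ipsecdecode.c:602 ** For Tunneled packet: The innermost nextheader field contained a B9 when it should have contained 04 to indicate an IP packet was the payload
** Error: HSPS_INPUT_UNDERRUN At File ipsecdecode.c:649 ** Packet too small after stripping off Header of 0x24 bytes and Trailer of 0x8F Bytes
"""

# Header of one entry: severity, message code, source file and line.
ENTRY = re.compile(r"\*\* (Warning|Error): (\w+) At File \S+?:(\d+) \*\* ")
# Detail text of a replay rejection: offending value and window left edge, both hex.
REPLAY = re.compile(r"Value\(0x([0-9A-Fa-f]+)\) is below current window left edge\(0x([0-9A-Fa-f]+)\)")

def parse(text):
    """Split raw log text into entries, even when several share one line."""
    marks = list(ENTRY.finditer(text))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append({"severity": m.group(1), "code": m.group(2),
                        "line": int(m.group(3)), "detail": text[m.end():end].strip()})
    return entries

def summarize(entries):
    """Return (count per message code, distance below the left edge per replay drop)."""
    counts = Counter(e["code"] for e in entries)
    lags = []
    for e in entries:
        r = REPLAY.search(e["detail"])
        if r:
            lags.append(int(r.group(2), 16) - int(r.group(1), 16))
    return counts, lags

if __name__ == "__main__":
    counts, lags = summarize(parse(SAMPLE))
    print(counts)
    print(lags)
```

On the posted excerpt the three replay rejections fall 61 to 63 values below the left edge.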
