DMVPN GRE over IPSEC Packet loss

nocadmin1 — Fri, 21 Feb 2020 09:09:56 GMT

I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1

The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a

Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.

When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)

You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router

interface Tunnel111

description **DPN VPN**

bandwidth 1000

ip address 172.31.111.107 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1300

ip pim sparse-dense-mode

ip nhrp authentication XXXX

ip nhrp map multicast dynamic

ip nhrp map multicast X.X.X.X

ip nhrp map X.X.X.X X.X.X.X

ip nhrp network-id 100002

ip nhrp holdtime 360

ip nhrp nhs 172.31.111.254

ip route-cache flow

ip tcp adjust-mss 1260

ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5

qos pre-classify

tunnel source GigabitEthernet0/0

tunnel mode gre multipoint

tunnel key XXXX

tunnel protection ipsec profile X.X.X.X

interface GigabitEthernet0/0

description **TO DPNVPN**

ip address 10.X.X.X 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip pim sparse-dense-mode

ip virtual-reassembly

duplex full

speed 100

no snmp trap link-status

no mop enabled

Is there anything that you can think of that may becausing this, do you think this can be a layer one or two issue? Thanks

Brenden

Re: DMVPN GRE over IPSEC Packet loss

martindesrosiers — Wed, 13 Sep 2006 11:31:07 GMT

Have you try to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better. But be careful, cause your CPU% will run much higher, but you only have 10 spokes sites, so it wont be at 100%.

It's better to start troubleshooting by layer 1 then layer 2 when it's possible. Have you ask the site's ISP for packet lost on their side ?

topic DMVPN GRE over IPSEC Packet loss in Network Security

DMVPN GRE over IPSEC Packet loss

Re: DMVPN GRE over IPSEC Packet loss