topic Re: Getting error messages with IPSec tunnels on FTDv in Network Security

Getting error messages with IPSec tunnels on FTDv

Nathan_study — Mon, 19 Dec 2022 14:56:53 GMT

We have a firepower running in vmware and are using firepower device manager to manage the device.
but sporadically we get the message IPSEC:Received an ESP packet from [SiteB] to [SiteA] that failed authentication
But I can't find out what is causing this error anybody has an idea, when I get the message the tunnel is also down for like 45 minutes.

IKE policy is set as following:
Encryption AES192
DFH: 14
Integrity hash: SHA256
PRF hash: SHA256
Lifetime: 86400

IPSEC proposal
Encryption AESGCM192
Integrity hash: SHA256

Re: Getting error messages with IPSec tunnels on FTDv

MHM Cisco World — Wed, 28 Dec 2022 00:39:58 GMT

sorry for late reply but are this issue solved ?
are you run IKEv2?

Re: Getting error messages with IPSec tunnels on FTDv

Marius Gunnerud — Wed, 28 Dec 2022 10:39:00 GMT

My initial though here is that this is a timeout / lifetime issue. Have you verified the timeout values at both ends of the s2s VPN?

Re: Getting error messages with IPSec tunnels on FTDv

Nathan_study — Thu, 29 Dec 2022 09:08:09 GMT

Yes I'm running IKEv2
I have now replaced the IPSEC proposal encryption from AESGCM192 to AES192 and I'm monitoring to see if they are going down

Re: Getting error messages with IPSec tunnels on FTDv

Nathan_study — Thu, 29 Dec 2022 09:08:38 GMT

Yes timout is set to 8 hours

Re: Getting error messages with IPSec tunnels on FTDv

Marius Gunnerud — Tue, 03 Jan 2023 11:04:37 GMT

is this a site to site VPN, DMVPN, FlexVPN, etc.?

is one of the sites using dynamic IP or are both static?

If the issue happens again, check the output of show crypto ipsec sa and verify if the SPI values are the same for the interesting traffic.