Cisco ASA 5545X Error Message

TW80CJ5
Level 3

Hello All,

 

I am getting an error message in the CLI: "MAC decrypt: MAC length error"

We are running ASA 9.14(1)

Error repeats itself approximately every 3-4 minutes...

Accepted Solutions

I apologize for such a delayed response.

I wanted to follow up with our solution. We viewed the firewall logs and were getting an NTP packet refusal. I removed our NTP server configs on the firewall and re-added them AFTER I reconfigured the switch that serves time on our network. I removed and re-added the NTP server settings on the switch and verified our ASA successfully pulled time. Once it did that, the error messages ceased.


Thank you for the valuable input and have a great day! 


4 Replies

Seems that there is a mismatch in your HMAC configuration in one of your VPNs.  But you did not provide much information to go on so this is what first comes to mind.

--
Please remember to select a correct answer and rate helpful posts

I stepped out of the office. What additional info would you like???

Thanks for the suggestion...

Well, check the HMAC configuration first and if that doesn't pan out then you could provide the following:

- A description of your network (what connects to the ASA, a switch, router, etc.)

- What role the ASA plays in your network (just VPN or also a gateway to the internet)? I suppose this could fall under the network description also.

- How many VPNs do you have and how many are reporting this error?

- Were there any changes made prior to seeing this error? Or is this a new VPN setup?

--
Please remember to select a correct answer and rate helpful posts
