DMVPN GRE over IPSEC Packet loss

nocadmin1
Level 1

I have a hub and spoke DMVPN GRE over IPsec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the router and I get the same exact errors. By monitoring the terminal, I regularly get these messages:

%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1

The tunnel is up, passes data, and always stays up. This router is a spoke router. The routing protocol being used is EIGRP. When I do a "show crypto isakmp sa", it shows the state as being "QM_IDLE", which means it is up.

When I use the "show crypto engine accelerator stat", this is what I get (attached file).

You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to misconfiguration because the config is exactly the same as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the spoke router:

interface Tunnel111
 description **DPN VPN**
 bandwidth 1000
 ip address 172.31.111.107 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1300
 ip pim sparse-dense-mode
 ip nhrp authentication XXXX
 ip nhrp map multicast dynamic
 ip nhrp map multicast X.X.X.X
 ip nhrp map X.X.X.X X.X.X.X
 ip nhrp network-id 100002
 ip nhrp holdtime 360
 ip nhrp nhs 172.31.111.254
 ip route-cache flow
 ip tcp adjust-mss 1260
 ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXXX
 tunnel protection ipsec profile X.X.X.X

interface GigabitEthernet0/0
 description **TO DPNVPN**
 ip address 10.X.X.X 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip virtual-reassembly
 duplex full
 speed 100
 no snmp trap link-status
 no mop enabled

Is there anything that you can think of that may be causing this? Do you think this could be a layer one or layer two issue? Thanks

Brenden
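As an added example (not code from the post or the reply), the following parses the two syslog messages quoted above and aggregates them per peer pair and per IPsec connection id, so a steady trickle of integrity failures on a single spoke can be counted and trended rather than eyeballed on the console. The log lines, hostnames, addresses and timestamps are constructed; the message formats follow the ones in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the two formats quoted in the post
# (hostname, addresses, timestamps and sequence numbers are made up).
SAMPLE_LOG = """\
Mar  3 10:00:01 spoke107 123: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.1.1.7,dstadr=10.9.9.1,size=616,handle=0x581A
Mar  3 10:00:02 spoke107 124: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
Mar  3 10:00:05 spoke107 125: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.1.1.7,dstadr=10.9.9.1,size=1300,handle=0x581A
Mar  3 10:00:07 spoke107 126: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
Mar  3 10:00:09 spoke107 127: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel111, changed state to up
"""

# Field extraction for the hardware crypto error and the MAC-verify failure.
HW_ERR = re.compile(
    r"%VPN_HW-1-PACKET_ERROR:.*?srcadr=(?P<src>[\d.]+),dstadr=(?P<dst>[\d.]+),"
    r"size=(?P<size>\d+),handle=(?P<handle>0x[0-9A-Fa-f]+)")
MAC_ERR = re.compile(
    r"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=(?P<conn>\d+)")


def summarize(log_text):
    """Count hardware crypto errors per (src, dst) peer pair, keyed by packet size,
    and MAC-verify failures per IPsec connection id. Unrelated lines are ignored."""
    hw = defaultdict(Counter)   # (src, dst) -> Counter{packet size: count}
    mac = Counter()             # connection id -> failure count
    for line in log_text.splitlines():
        m = HW_ERR.search(line)
        if m:
            hw[(m["src"], m["dst"])][int(m["size"])] += 1
            continue
        m = MAC_ERR.search(line)
        if m:
            mac[int(m["conn"])] += 1
    return hw, mac


def flag_peers(hw, threshold=2):
    """Return [(src, dst, total_errors)] for peers at or above the threshold.
    Integrity failures concentrated on one peer, with identical crypto config
    elsewhere, point at that peer's transport path rather than the policy."""
    flagged = [(src, dst, sum(sizes.values())) for (src, dst), sizes in hw.items()
               if sum(sizes.values()) >= threshold]
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    hw_counts, mac_counts = summarize(SAMPLE_LOG)
    for src, dst, total in flag_peers(hw_counts):
        print(f"{src} -> {dst}: {total} hardware crypto errors, sizes {dict(hw_counts[(src, dst)])}")
    for conn, n in mac_counts.items():
        print(f"connection id={conn}: {n} MAC verify failures")
```

Feeding a day of syslog from the affected spoke and a healthy one through the same function gives a per-peer baseline to compare against before and after changing the crypto engine or the WAN circuit.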

1 Reply

Have you tried turning off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU% will run much higher; but you only have 10 spoke sites, so it won't be at 100%.

It's better to start troubleshooting at layer 1, then layer 2, when possible. Have you asked the site's ISP about packet loss on their side?
