06-29-2005 08:08 PM - edited 02-21-2020 12:14 AM
Chaps,
Need some advice on a VPN failure; my colleague claims this was due to the following incident in the log of a Cisco 1712 running IOS
Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(7)T3, RELEASE SOFTWARE (fc2)
Log message.
%C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 42, pool offset 0
I am not so sure, but I am finding relevant troubleshooting materials to progress and learn a little more about what is happening on the VPN, especially with an esp_seq_auth failure.
Any assistance will be gratefully appreciated.
Kind regards
Vince
07-01-2005 05:20 AM
Vince
Could you describe a little more specifically what the VPN failure is? Also is there a single instance of this message in the log or are there a lot of them?
I have done many IPSec VPNs terminating in 1700 routers and have seen this message occasionally. I have never been sure of it, but it has looked to me like these messages reflect some problem processing in the provider's network connection to the 1700.
HTH
Rick
07-01-2005 03:04 PM
Rick,
Many thanks for getting back to me. Basically what happened is that we have two VPNs running from the 1712, then a couple of nights ago we appeared to lose one for 2.5 hours, preceded by this in the log.
Jun 29 00:59:41.078: %C1700_EM-1-ERROR: packet-rx error: ESP sequence fail, id 42, pool offset 0
Jun 29 01:06:24.261: %BGP-5-ADJCHANGE: neighbor 6.0.255.246 Down BGP Notification sent
Jun 29 01:06:24.261: %BGP-3-NOTIFICATION: sent to neighbor 6.0.255.246 4/0 (hold time expired) 0 bytes
Jun 29 01:06:34.494: %BGP-5-ADJCHANGE: neighbor 6.0.255.254 Down BGP Notification sent
Jun 29 01:06:34.494: %BGP-3-NOTIFICATION: sent to neighbor 6.0.255.254 4/0 (hold time expired) 0 bytes
followed by both VPNs dropping but one recovering within 6 minutes, but the second took approx 2.5 hours.
I personally believe the esp_auth_failure has nothing to do with this and the problem lies with the BGP loss of neighbour. The total downtime on the second VPN was due to an ISP failure; unfortunately limited records prevent me from taking this up with the ISP as I do not know who this is.
The real problems began when a colleague tried to belittle me, stating the cause of the VPN drop was due to the esp_auth_failure rx packet error.
Which is why I have been looking for information on investigating esp_auth_failure, as I can find very little on CCO.
I did manage to find a related error, which states that if some packets are fragmented, they will be process switched, where unfragmented packets are fast switched; as a result the packets get out of sync and the security portion of the device throws up the esp_auth_failure.
CCO states no action required as the problem is cosmetic; however, I would like to be able to investigate one way or the other for myself.
regards
Vince
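The reordering effect described in the post above can be reproduced with a generic ESP anti-replay window as specified in RFC 4303. This is an added example, not part of the original thread and not the 1700's own implementation; the 64-packet window size and the names `ReplayWindow`, `simulate` and `delayed_stream` are assumptions made for illustration.

```python
# Added example: generic RFC 4303 style anti-replay check (sliding bitmap).
WINDOW = 64  # assumed window size in packets


class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) already accepted

    def check(self, seq):
        """Return 'ok', 'replay' or 'too_old' and update the window."""
        if seq == 0:
            return "too_old"              # ESP sequence numbers start at 1
        if seq > self.top:                # new highest: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:           # fell off the left edge of the window
            return "too_old"
        if self.bitmap & (1 << offset):   # already seen inside the window
            return "replay"
        self.bitmap |= 1 << offset        # late but still inside the window
        return "ok"


def simulate(arrival_order, size=WINDOW):
    """Feed sequence numbers in arrival order; return the rejected ones."""
    win = ReplayWindow(size)
    return [(seq, verdict) for seq in arrival_order
            if (verdict := win.check(seq)) != "ok"]


def delayed_stream(total, slow_seq, delay):
    """Constructed traffic: packet slow_seq takes a slower switching path
    and arrives `delay` packets later than its position in the stream."""
    order = [s for s in range(1, total + 1) if s != slow_seq]
    order.insert(slow_seq - 1 + delay, slow_seq)
    return order


if __name__ == "__main__":
    print(simulate(delayed_stream(200, 10, 5)))    # small reorder: accepted
    print(simulate(delayed_stream(200, 10, 100)))  # large reorder: rejected
```

A single packet that arrives later than the window allows produces one rejection and leaves the rest of the stream untouched.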
07-01-2005 04:57 PM
Vince
From what you posted it appears that there is a single instance of the ESP sequence fail error message. As I said in my previous post I have seen this error message from time to time in the VPNs that I have done at customer sites. I have NEVER seen a single instance of this error take down the VPN tunnel. Perhaps some of the Cisco engineers who participate in the forum can comment on this.
Additionally I notice that the time stamp of the ESP auth error and the time stamp of the BGP failure are 6 minutes and 43 seconds apart. Please ask your colleague what BGP timer will fail at 6 minutes and 43 seconds.
Best of luck in trying to track this down.
HTH
Rick