12-19-2022 06:56 AM
We have a Firepower running in VMware and are using Firepower Device Manager to manage the device,
but sporadically we get the message IPSEC:Received an ESP packet from [SiteB] to [SiteA] that failed authentication
But I can't find out what is causing this error. Does anybody have an idea? When I get the message, the tunnel is also down for like 45 minutes.
IKE policy is set as follows:
Encryption: AES192
DFH: 14
Integrity hash: SHA256
PRF hash: SHA256
Lifetime: 86400
IPSEC proposal:
Encryption: AESGCM192
Integrity hash: SHA256
12-27-2022 04:39 PM
Sorry for the late reply, but is this issue solved?
Are you running IKEv2?
12-29-2022 01:08 AM
Yes, I'm running IKEv2.
I have now changed the IPSEC proposal encryption from AESGCM192 to AES192 and I'm monitoring to see if they are going down.
12-28-2022 02:39 AM
My initial thought here is that this is a timeout / lifetime issue. Have you verified the timeout values at both ends of the s2s VPN?
12-29-2022 01:08 AM
Yes, timeout is set to 8 hours.
01-03-2023 03:04 AM
Is this a site-to-site VPN, DMVPN, FlexVPN, etc.?
Is one of the sites using dynamic IP or are both static?
If the issue happens again, check the output of show crypto ipsec sa and verify if the SPI values are the same for the interesting traffic.
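An added example, not part of the thread: a Python script for the SPI check suggested above. It parses `show crypto ipsec sa` text saved from each peer and reports any ESP SPI that one side sends with but the other side has no inbound SA for. The excerpts and SPI values are constructed, and the ASA/FTD-style section layout and the function names are assumptions.

```python
import re
# Constructed excerpts in the style of `show crypto ipsec sa` (layout assumed
# to be ASA/FTD-like; all SPI values are made up for illustration).
SITE_A = """
    inbound esp sas:
      spi: 0x9D8E7F60 (2643361632)
    outbound esp sas:
      spi: 0x6F1A2B3C (1863985980)
"""
SITE_B_OK = """
    inbound esp sas:
      spi: 0x6F1A2B3C (1863985980)
    outbound esp sas:
      spi: 0x9D8E7F60 (2643361632)
"""
SITE_B_STALE = """
    inbound esp sas:
      spi: 0x6F1A2B3C (1863985980)
    outbound esp sas:
      spi: 0x11112222 (286335522)
"""

SECTION = re.compile(r"^\s*(inbound|outbound)\s+(\w+)\s+sas:", re.I)
SPI = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")

def parse_spis(text):
    """Return {'inbound': set, 'outbound': set} of ESP SPIs as integers."""
    spis = {"inbound": set(), "outbound": set()}
    section = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:  # only track ESP sections; SPIs under other SA types are ignored
            section = m.group(1).lower() if m.group(2).lower() == "esp" else None
            continue
        m = SPI.match(line)
        if m and section:
            spis[section].add(int(m.group(1), 16))
    return spis

def compare_peers(a_text, b_text):
    """List (direction, SPI) pairs the sender uses but the receiver lacks."""
    a, b = parse_spis(a_text), parse_spis(b_text)
    problems = []
    for direction, sent, known in (("A->B", a["outbound"], b["inbound"]),
                                   ("B->A", b["outbound"], a["inbound"])):
        problems += [(direction, f"0x{s:08X}") for s in sorted(sent - known)]
    return problems

if __name__ == "__main__":
    print(compare_peers(SITE_A, SITE_B_STALE))
```

An empty list means each peer's outbound SPI has a matching inbound SA on the other side; any entry names the direction and the SPI the receiver does not know.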