792 Views | 5 Helpful | 5 Replies

Getting error messages with IPSec tunnels on FTDv

Nathan_study
Level 1

We have a Firepower running in VMware and are using Firepower Device Manager to manage the device.
But sporadically we get the message: IPSEC: Received an ESP packet from [SiteB] to [SiteA] that failed authentication.
I can't find out what is causing this error; does anybody have an idea? When I get the message, the tunnel is also down for about 45 minutes.


IKE policy is set as follows:
Encryption: AES192
DH group: 14
Integrity hash: SHA256
PRF hash: SHA256
Lifetime: 86400

IPsec proposal:
Encryption: AESGCM192
Integrity hash: SHA256

5 Replies

Sorry for the late reply, but is this issue solved?
Are you running IKEv2?

Yes, I'm running IKEv2.
I have now replaced the IPsec proposal encryption AESGCM192 with AES192 and I'm monitoring to see if the tunnels go down again.

My initial thought here is that this is a timeout / lifetime issue. Have you verified the timeout values at both ends of the s2s VPN?

--
Please remember to select a correct answer and rate helpful posts

Yes, the timeout is set to 8 hours.

Is this a site-to-site VPN, DMVPN, FlexVPN, etc.?

Is one of the sites using a dynamic IP, or are both static?

If the issue happens again, check the output of show crypto ipsec sa on both ends and verify whether the SPI values are the same for the interesting traffic.

--
Please remember to select a correct answer and rate helpful posts
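An added example, not from this thread or from Cisco, showing how the SPI comparison suggested in the reply above can be scripted: it parses the inbound and outbound ESP SPI sections of a show crypto ipsec sa dump from each side and reports any outbound SPI that the peer does not hold as inbound. The two dumps, peer addresses and SPI values are constructed for the example and only approximate the real ASA/FTD layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed dumps modelled on the ASA/FTD "show crypto ipsec sa" layout;
# addresses and SPI values are made up for this example.
SITE_A = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.1
      inbound esp sas:
        spi: 0x3A7B2C1D (981150749)
      outbound esp sas:
        spi: 0x1F2E3D4C (523124044)
"""

# Site B's outbound SPI does not match Site A's inbound SPI (last digit).
SITE_B = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1
      current_peer: 203.0.113.1
      inbound esp sas:
        spi: 0x1F2E3D4C (523124044)
      outbound esp sas:
        spi: 0x3A7B2C1E (981150750)
"""

SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")


def parse_spis(output: str) -> Dict[str, List[int]]:
    """Collect ESP SPIs from a dump, keyed by 'inbound' / 'outbound'."""
    spis: Dict[str, List[int]] = {"inbound": [], "outbound": []}
    direction = None
    for line in output.splitlines():
        stripped = line.strip().lower()
        if stripped.startswith("inbound esp sas"):
            direction = "inbound"
        elif stripped.startswith("outbound esp sas"):
            direction = "outbound"
        elif direction:
            m = SPI_RE.match(line)
            if m:
                spis[direction].append(int(m.group(1), 16))
    return spis


def find_spi_mismatches(local: str, remote: str) -> List[Tuple[str, int]]:
    """Each side's outbound SPI must be an inbound SPI on the peer.
    Returns (direction, spi) for every SPI the other side does not know."""
    l, r = parse_spis(local), parse_spis(remote)
    bad = [("local_outbound", s) for s in l["outbound"] if s not in r["inbound"]]
    bad += [("remote_outbound", s) for s in r["outbound"] if s not in l["inbound"]]
    return bad
```

An empty result means both sides agree on the child SA; a non-empty one points at a stale or rekeyed SA on one side, which is one cause of ESP packets that fail authentication.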