
IPSec/GRE keepalive packet too short

dan.agache
Level 1

Hi,

I have a problem with a site-to-site VPN architecture between two routers (Cisco 2651XM and Cisco 851 Router). The problem is that, on the 851 router, GRE tunnel keepalives are seen by IPSec as “too short packet” and the packets are dropped. So the tunnel interface on the 851 changes to down, even though the tunnel interface on the 2651XM router is up, and the communication between both sites is not working. The workaround for that problem is to deactivate the keepalive, but I need this feature because I use static floating routes.

Can anyone tell me if they know a solution to grow the keepalive packet size or to deactivate IPSec packet size checking?

I mention that, in this situation, we can’t make software updates and we can't use other features like tracking objects or dynamic routing.

Thanks in advance.

P.S. The message is:

*Mar 3 02:43:53.374: IPSEC(crypto_ipsec_sa_exists): packet too short,
(ip) dest_addr= 212.93.140.161, src_addr= 83.103.245.164, proto= 50,
(identity) local= 212.93.140.161, remote= 83.103.245.164,
local_proxy= 212.93.140.161/255.255.255.255/47/0 (type=1),
remote_proxy= 83.103.245.164/255.255.255.255/47/0 (type=1)

Software version: c850-advsecurityk9-mz.123-8.YI2.bin

Accepted Solutions

Richard Burts
Hall of Fame

Dan

I do not have any direct experience with this error message or condition so my answer is based on logical assumptions.

There is some faint possibility that there is a configuration issue that is causing this problem. If you post the relevant parts of the configs of both routers we might be able to examine this possibility.

A more likely explanation is that you are encountering a bug in the IOS. Can you open a case with TAC about this? Or can you try a different release of IOS?

Added to my answer:

I looked at the Bug Toolkit on the Cisco site and found a bug that sounds like it may be your problem. Can you find bug CSCef81595?

The suggested workarounds are either to configure the tunnel key 1 command on both ends or to not configure GRE keepalive. They claim that the bug is fixed in 12.3(12.1)T, 12.3(11)T03, or in 12.3(11)YN.

HTH

Rick


Hi,

Thank you for your answer. The Bug CSCef81595 was applicable in my situation and I used tunnel key to resolve my problem.

Thank you again and have a nice day,

Dan.
