Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
722
Views
3
Helpful
5
Replies

Issue with HMAC Verification failures on Cisco 877 routers

mitchen
Level 2
Level 2

‎01-26-2007 03:44 AM - edited ‎03-09-2019 05:16 PM

We have a number of remote sites with either Cisco 837 or Cisco 877 ADSL routers connecting to head office PIX515E using an IPSEC VPN tunnel.

In the last few days I have noticed the following errors in some (but not all) of the Cisco 877 routers:

Jan 26 11:17:12.801: %MOTCR-1-ERROR: motcr_crypto_callback() motcr return failure

Jan 26 11:17:12.801: %MOTCR-1-PKTENGRET_ERROR: MOTCR PktEng Return Value = 0x20000, PktEngReturn_MAC

We are not seeing any such errors on the Cisco 837 routers.

The Cisco 877s are running 12.4(4)T3 and 12.4(4)T4.

I had a look on CCO but could only find this info on the error:

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

This suggests that the problem is the "HMAC verification has failed" and that no action needs to be taken unless the error becomes more frequent.

Well, we are starting to see these errors every half an hour or so on the affected routers.

It goes on to say that it could be caused by a defect in the crypto accelerator but doesn't say a) how to determine if that is the case and b) how to fix it!

So, my questions are, what could be causing this issue and how can I resolve it? What impact is this likely to be having and do I need to be overly concerned? (I'm not aware of the users at these sites having any issues which could be related to this - as yet anyway!)

Thanks.

Labels:
0 Helpful
5 Replies 5

wong34539
Level 6
Level 6

‎02-01-2007 07:24 AM

Check Packet drop using the cmd "show crypto ipsec sa ". It could be problem with VPN accelerator.

mitchen
Level 2
Level 2
In response to wong34539

‎02-05-2007 02:18 AM

Ran "show crypto ipsec sa" but no sign of any packet drop.

0 Helpful

gloubier
Level 1
Level 1
In response to mitchen

‎05-16-2007 09:17 AM

Hi,

Did you found the source of your problem?

Because we receive the same error message every day and I didn't found what could be the problem and how to fix it.

We are using Cisco 871 version 12.4.4T6.

Thanks!

0 Helpful

mitchen
Level 2
Level 2
In response to gloubier

‎05-17-2007 01:14 AM

Hi,

no, I'm afraid we never managed to find the source of this problem. We tried upgrading the IOS to 12.4(11)T1 and this stopped the previous error message but instead we started seeing error messages like:

"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection"

Since there were no complaints about performance and we could find no evidence to suggest any hostile activity, we have just been "living with it" for the time being.

However, it would be nice to resolve this problem once and for all as clearly something is not right so if anyone has any ideas please let us know!

Thanks.

0 Helpful

gloubier
Level 1
Level 1
In response to mitchen

‎05-17-2007 04:12 AM

Hi,

Thanks for your reply!

And I agree with you, it would be really nice if we could have a answer/solution to this problem.

0 Helpful
Customers Also Viewed These Support Documents