09-24-2009 06:29 AM - edited 03-04-2019 06:09 AM
We have a VPN router at our HQ that we use for LAN-to-LAN GRE VPN tunnels to our branches. The log file has been full of these errors for a particular branch for a long time. The branch is not complaining of connectivity issues because they have an alternate circuit, but I would really like to know definitively what causes these. The HQ router is a 7206 running c7200-ik9s-mz.123-14.T7.bin. The branch router is a 2811 running c2800nm-advipservicesk9-mz.124-20.T2.bin. The 2811 does NOT have an AIM. The 7206 has SA-VAM2. I replaced the src and dest addresses in the example below with x.x.x.x for security. If anyone knows what causes this I would love to get a doc. None of the info I have found so far has resolved it.
Sep 24 07:01:53: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1408,handle=0x5807
Sep 24 07:01:53: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7
Sep 24 07:06:13: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1416,handle=0x5807
Sep 24 07:06:13: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7
Sep 24 07:07:17: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1416,handle=0x5807
Sep 24 07:07:17: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=7
Sep 24 07:07:57: %VPN_HW-1-PACKET_ERROR: slot: 4 Packet Encryption/Decryption error, Output Authentication error:srcadr=x.x.x.x,dstadr=x.x.x.x,size=1408,handle=0x5807
09-24-2009 08:19 AM
Hello Rachel,
You can use the following links:
http://www.cisco.com/en/US/docs/ios/12_3/feature/guide/ft_vam2p.html#wp1033173
The useful commands to check if the VAM is fine are:
sh diag
show pas vam interface
sh crypto eli
Look in the third for any error counters and whether they increment over time.
Also the IOS image that you have on HQ can play a role.
We had troubles with stateful IPSec developed in a pair of C7206VXR with NPE-G2 and VAM2+.
In the end, changing the IOS image solved it.
Note that:
12.4(19)T was not good at all, but 12.4(20)T solved our issue.
In some cases other colleagues have reported having changed the VAM module.
Hope this helps
Giuseppe
09-24-2009 12:52 PM
Hi,
This message means the received IPSec packets are corrupted. So now you need to find out where the corruption occurs.
You could have a sniffer on both sides of the tunnel and track a specific IPSec packet sent by the branch and received by the HQ.
If you see differences, corruption occurred during the transit. If not, corruption occurred inside the 7200 so you need to contact TAC in this case.
The error doesn't appear often enough for the branch to complain.
HTH
Laurent.
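The two-sided capture comparison suggested above can be scripted. This is an added example, not code from any poster in this thread or from Cisco. It assumes classic pcap files (not pcapng) with Ethernet framing, IPv4 and native ESP (IP protocol 50, no NAT-T); the SPI, addresses and payloads are constructed sample data.

```python
import hashlib
import struct

def build_pcap(frames):
    """Pack raw Ethernet frames into a classic little-endian pcap (constructed sample data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def esp_frame(spi, seq, body, ttl=64):
    """Ethernet + IPv4 (proto 50) + ESP header + opaque ciphertext/ICV bytes."""
    esp = struct.pack(">II", spi, seq) + body
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, ttl, 50, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return b"\x00" * 12 + b"\x08\x00" + ip + esp

def esp_index(pcap):
    """Map (SPI, sequence) -> SHA-256 of the ESP bytes. The IP header is skipped
    because TTL and checksum legitimately change hop by hop."""
    index, off = {}, 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 50:
            continue  # not IPv4/ESP
        esp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(esp) < 8:
            continue  # truncated capture
        index[struct.unpack_from(">II", esp)] = hashlib.sha256(esp).hexdigest()
    return index

def compare(sent_pcap, received_pcap):
    """Return ((SPI, seq) altered between captures, (SPI, seq) never received)."""
    sent, rcvd = esp_index(sent_pcap), esp_index(received_pcap)
    altered = sorted(k for k in sent if k in rcvd and sent[k] != rcvd[k])
    missing = sorted(k for k in sent if k not in rcvd)
    return altered, missing

# Constructed captures: sequence 2 has one byte changed before reaching HQ.
branch = build_pcap([esp_frame(0x1001, 1, b"A" * 32), esp_frame(0x1001, 2, b"B" * 32)])
hq = build_pcap([esp_frame(0x1001, 1, b"A" * 32, ttl=58),
                 esp_frame(0x1001, 2, b"B" * 31 + b"C", ttl=58)])
print(compare(branch, hq))
```

An empty "altered" list for the time window of a logged MAC error means the packet arrived at the HQ interface intact, which is the case Laurent says to take to TAC.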