The user receives the "%VPN_HW-1-PACKET_ERROR:slot: 0 errors" error message when a VPN service module is used on a Cisco router with IOS version 12.4


Core issue

This is a notification message seen on the console of the decrypting peer that tells the user that IPSec packets have been received out of order.

These are the reasons for this message:

  1. Fragmentation. Fragmented crypto packets are process switched. This forces the fast-switched packets to be sent to the VPN card ahead of the process-switched packets. If enough fast-switched packets are processed ahead of the process-switched packets, the ESP or AH sequence number for the process-switched packet will get stale, and when the packet arrives at the VPN card, its sequence number is outside of the replay window. This causes either the AH or ESP sequence number errors, depending on which encapsulation you are using.
  2. Stale cache entries. This instance can also occur when a fast-switch cache entry gets stale, and the first packet with a cache miss gets process switched.
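
The sketch below is an added example, not Cisco code: it models a receiver's anti-replay sliding window to show why a packet delayed on the process-switched path is rejected once enough fast-switched packets have overtaken it. The 64-packet window and the names `ReplayWindow` and `simulate` are assumptions for illustration.

```python
# Added example: ESP/AH anti-replay sliding window (bitmap form, as in RFC 4303).
WINDOW = 64  # assumption: window size; not stated on the page


class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence (top - i) already seen

    def check(self, seq):
        """Return 'ok', 'replay' or 'stale' and update the window."""
        if seq > self.top:                      # newer packet advances the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:                 # fell off the left edge
            return "stale"
        if self.bitmap & (1 << offset):         # already received
            return "replay"
        self.bitmap |= 1 << offset              # late but still inside window
        return "ok"


def simulate(delayed_seq, overtaking):
    """Packet delayed_seq is held back (process-switched fragment) while
    `overtaking` later packets take the fast path and arrive first."""
    win = ReplayWindow()
    for seq in range(1, delayed_seq):           # in-order traffic before it
        win.check(seq)
    for seq in range(delayed_seq + 1, delayed_seq + 1 + overtaking):
        win.check(seq)                          # fast-switched packets
    return win.check(delayed_seq)               # the delayed packet arrives


if __name__ == "__main__":
    # Constructed scenario: packet 100 is delayed behind n newer packets.
    for n in (10, 63, 64, 200):
        print(f"{n:>3} packets overtook -> {simulate(100, n)}")
```

A "stale" result corresponds to the out-of-window condition that the decrypting peer reports with this message.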

Resolution

Verify the cause of the problem by disabling CEF switching with these commands:

(conf)# no ip cef
(conf-if)# no ip route-cache
(conf-if)# no ip mroute-cache

For a workaround, issue these commands:

change tcp adjust-mss on interfaces

change crypto ipsec df-bit

Refer to tcp mss adjustment for more details.

Note: Unless the message disrupts the VPN traffic, it can be ignored.

Cisco IOS Software Version

12.4