I know this question has been asked many times on the forum. I am constantly getting the error message below on my 2811 Router:
*Aug 9 07:07:01.507: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=126.96.36.199 remote=188.8.131.52 spi=CDE6EACF seqno=00005214
*Aug 9 07:08:33.231: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=184.108.40.206 remote=220.127.116.11 spi=CDE6EACF seqno=000056E4
I did some research and found the IOS is in the KAV list of bug #CSCsv43145. I upgraded the IOS to 12.4(25e), which doesn't appear in the list, but the same error still occurs.
- Is the error just cosmetic?
- Is there any way to go around it?
I have attached the config.
12.4(25e) should not be affected by CSCsv43145, which is cosmetic. The issue you are seeing is likely not cosmetic, and is actually resulting in dropped packets due to MAC authentication failures. To troubleshoot this type of issue, you really need to get sniffer traces on the WAN (encrypted) side from both tunnel end points, compare the packet in question (based on the spi/seq number reported in the log) and see if the packet is corrupted somehow. There is no easy way to get around this other than turning off the authentication check in your IPsec transform, in which case no MAC authentication will be performed on the packet, and you do need to consider the security implications when doing that.
Hope this helps,
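To act on the advice above about correlating failures by spi/seq number, here is an added Python example (not from this thread or from Cisco) that parses %CRYPTO-4-RECVD_PKT_MAC_ERR syslog lines, groups them per connection/SPI, and uses the seqno distance between logged failures as a rough failure-rate estimate. The sample log reuses the two lines quoted in the question plus constructed extra lines for a second SA, and the 0.1 threshold is an assumed value.

```python
import re
from collections import defaultdict

# Matches the %CRYPTO-4-RECVD_PKT_MAC_ERR format quoted in the thread.
MAC_ERR = re.compile(
    r"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for "
    r"connection id=(?P<conn>\d+) local=(?P<local>\S+) remote=(?P<remote>\S+) "
    r"spi=(?P<spi>[0-9A-Fa-f]+) seqno=(?P<seqno>[0-9A-Fa-f]+)"
)

def parse_mac_errors(lines):
    """Yield one dict per MAC-verify failure found in the syslog lines."""
    for line in lines:
        m = MAC_ERR.search(line)
        if m:
            rec = m.groupdict()
            rec["conn"] = int(rec["conn"])
            rec["spi"] = rec["spi"].upper()
            rec["seqno"] = int(rec["seqno"], 16)  # ESP sequence number, logged in hex
            yield rec

def summarize(lines):
    """Group failures by (connection id, SPI) and estimate how sparse they are.

    The span from the lowest to the highest failed seqno approximates how many
    ESP packets arrived on that SA meanwhile, so failures/span is a rough
    failure ratio: a tiny ratio suggests occasional corruption in transit, a
    ratio near 1 suggests every packet fails (SA/key mismatch, hardware fault).
    """
    by_sa = defaultdict(list)
    for rec in parse_mac_errors(lines):
        by_sa[(rec["conn"], rec["spi"])].append(rec["seqno"])
    summary = {}
    for key, seqs in by_sa.items():
        span = max(seqs) - min(seqs) + 1
        summary[key] = {"failures": len(seqs), "seqno_span": span,
                        "failure_ratio": len(seqs) / span, "seqnos": sorted(seqs)}
    return summary

def suspicious_sas(summary, threshold=0.1):
    """Return SAs whose failure ratio exceeds the (assumed) threshold."""
    return sorted(k for k, v in summary.items() if v["failure_ratio"] > threshold)

# Constructed sample: the two lines from the question plus a second SA (id 3005)
# where three consecutive packets failed, i.e. a systematic problem.
SAMPLE_LOG = [
    "*Aug 9 07:07:01.507: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=126.96.36.199 remote=188.8.131.52 spi=CDE6EACF seqno=00005214",
    "*Aug 9 07:08:33.231: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=184.108.40.206 remote=220.127.116.11 spi=CDE6EACF seqno=000056E4",
    "*Aug 9 07:09:00.000: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3005 local=10.0.0.1 remote=10.0.0.2 spi=0A1B2C3D seqno=00000010",
    "*Aug 9 07:09:00.010: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3005 local=10.0.0.1 remote=10.0.0.2 spi=0A1B2C3D seqno=00000011",
    "*Aug 9 07:09:00.020: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3005 local=10.0.0.1 remote=10.0.0.2 spi=0A1B2C3D seqno=00000012",
    "*Aug 9 07:09:01.000: %SYS-5-CONFIG_I: Configured from console by console",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for sa, info in s.items():
        print(sa, info)
    print("suspicious:", suspicious_sas(s))
```

With rate-limited syslog the ratio undercounts, so treat it as a triage hint that says which SA to capture first, not as a measurement.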
I am facing the same problem in 12.4(24)T5, which is not affected by CSCsv43145. Just checking if anyone out there has been facing the same in this IOS. Frequency is roughly twice a day.
Oct 22 11:37:57.735 UAE: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2451 local=x remote=y spi=91D27209 seqno=0000C6CB
Oct 22 14:42:57.950 UAE: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=y,dstadr=x,size=384,handle=0x619F
No, there is no known issue with MAC verification errors in 12.4(24)T5 as far as I know. Given the frequency of the error, there is a good chance that you are actually running into packet corruption in the transit network. Sniffer traces will tell you for sure, though.
Thanks for your reply. I can easily run EPC on the spoke device which is reporting these messages, but it wouldn't be possible to run it on the HUB device because of high load. Any suggestions in this regard?