cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

20300
Views
11
Helpful
4
Replies
Highlighted
Beginner

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt mac verify failed

Hello,

I know this question has been asked many times on the forum, I am constantly getting the below error message on my 2811 Router:

*Aug  9 07:07:01.507: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=3.3.3.1 remote=3.3.3.2 spi=CDE6EACF seqno=00005214

N.R-HQ#        

*Aug  9 07:08:33.231: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3004 local=3.3.3.1 remote=3.3.3.2 spi=CDE6EACF seqno=000056E4

I did some research and found the IOS is in the KAV list of bug#CSCsv43145. I upgraded the IOS to 12.4(25e) which doesn't appear in the list but still same error occurs.

-is the error just cosmetic

-is there anyway to go around it?

I have attached the config.

10x,

E.B:.

Everyone's tags (4)
4 REPLIES 4
Cisco Employee

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt mac verify failed

Hi,

12.4(25e) should not be affected by CSCsv43145, which is cosmetic. The issue you are seeing is likely not cosmetic, and is actually resulting in dropped packets due to mac authentication failures. To troubleshoot this type of issue, you really need to get sniffer traces on the WAN (encrypted) side from both tunnel end points and compare the packet in question (based on the spi/seq number reported in the log) and see if the packet is corrupted somehow. There is no easy way to get around this other than turning off authentication check in your ipsec transform, in which case no mac authentication will be performed on the packet, and you do need to consider the security implications when doing that.

Hope this helps,

Thanks,

Wen

Beginner

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt mac verify failed

Hi Wen,

I am facing the same problem in 12.4(24)T5, which is not affected by CSCsv43145. Just checking if anyone out there has been facing the same in this IOS. Frequency is roughly twice a day

Oct 22 11:37:57.735 UAE: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2451 local=x remote=y spi=91D27209 seqno=0000C6CB

Oct 22 14:42:57.950 UAE: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=y,dstadr=x,size=384,handle=0x619F

O

Regards,

Akhtar

Cisco Employee

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt mac verify failed

Hi,

No there is no known issue with mac verification errors in 12.4(24)T5 as far as I know. Given the frequency of the error, there is a good chance that you are actually running into packet corruptions in the transit network. Sniffer traces will tell you for sure though.

Thanks,

Wen

Beginner

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt mac verify failed

Hi Wen,

Thanks for your reply, i can easily run EPC on the spoke device which is reporting these messages, but it wouldn't be possible to run it on the HUB device because of high load, any suggestions in this regard ?

Regards,

Akhtar

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here