09-08-2012 03:56 AM
An interesting problem that I have come across, folks.
S2S between a CP and a Cisco 2600 router.
The tunnel comes up like a charm, but when interesting traffic hits the Cisco router, I get the below error:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 local=xxxx.47 remote=xxxx.45 spi=2FC9A6E1 seqno=00000040
#sh cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr 1xxxx.47
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
current_peer 1xxxx45 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 11, #recv errors 68
local crypto endpt.: 1xxxx7, remote crypto endpt.: 1xxxxx45
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x507E0DF0(1350438384)
inbound esp sas:
spi: 0x2FC9A6E1(801744609)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4603331/797)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x507E0DF0(1350438384)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4603335/795)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Any tips?
This is a Cisco router and the peer is a Checkpoint running R75.20 code.
Cheers
09-08-2012 04:24 AM
Jesus... now seeing every second packet drop on the Cisco router. I wonder if Checkpoint is actually the culprit.
09-08-2012 04:29 AM
Sorry, I jumped the gun. Fixed the problem myself. It was an issue with the security gateway settings on the Checkpoint. It was trying to initiate traffic from the inside interface rather than the outside.
Please close the thread.
Edit: disabled NAT traversal as well on the CP.
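The failure signature in this thread (the outbound SA counting packets while the inbound SA decrypts nothing, with %CRYPTO-4-RECVD_PKT_MAC_ERR lines on every received ESP packet) can be picked out of router output automatically. The following is an added example, not code from the original post or from Cisco: a small Python parser over the quoted syslog line and "show crypto ipsec sa" counters that flags the one-way pattern and checks whether the failing SPI is the router's own active inbound SA. The sample input is the thread's masked output, and the function names are my own.

```python
import re

# IOS syslog line for an ESP integrity-check failure, in the format shown in the thread.
MAC_ERR_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=(?P<conn>\d+)"
                        r" local=(?P<local>\S+) remote=(?P<remote>\S+) spi=(?P<spi>[0-9A-Fa-f]+) seqno=(?P<seq>[0-9A-Fa-f]+)")
# Counters from "show crypto ipsec sa" that expose a one-way tunnel, and the router's active inbound SPI.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|verify): (\d+)|#(send|recv) errors (\d+)")
INBOUND_SPI_RE = re.compile(r"inbound esp sas:\s*spi: 0x([0-9A-Fa-f]+)")

def parse_mac_errors(lines):
    # One dict per MAC-verify failure line: connection id, SPI and ESP sequence number.
    found = []
    for line in lines:
        m = MAC_ERR_RE.search(line)
        if m:
            found.append({"conn": int(m["conn"]), "spi": int(m["spi"], 16), "seqno": int(m["seq"], 16)})
    return found

def parse_sa_counters(text):
    # encaps/decaps/verify packet counts and send/recv error counts, plus the inbound SPI if present.
    c = {m[1] or m[3] + "_errors": int(m[2] or m[4]) for m in COUNTER_RE.finditer(text)}
    spi = INBOUND_SPI_RE.search(text)
    if spi:
        c["inbound_spi"] = int(spi.group(1), 16)
    return c

def diagnose(syslog_lines, sa_text):
    # Flag the thread's pattern: outbound SA counts packets, inbound SA decrypts none,
    # and received ESP fails the HMAC check on the router's own active inbound SPI.
    errs = parse_mac_errors(syslog_lines)
    c = parse_sa_counters(sa_text)
    findings = []
    if c.get("encaps", 0) > 0 and c.get("decaps", 0) == 0:
        findings.append("one-way tunnel: packets encrypted locally, none decrypted from peer")
    if errs and c.get("verify", 0) == 0 and c.get("recv_errors", 0) > 0:
        where = "active inbound SA" if any(e["spi"] == c.get("inbound_spi") for e in errs) else "unknown SPI"
        findings.append(f"inbound ESP failing HMAC verify on {where}: "
                        "compare peer encryption domain, egress interface and NAT-T setting")
    return findings

# Constructed sample input, copied from the router output quoted in the thread (addresses masked there).
SYSLOG = ["%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2001 "
          "local=xxxx.47 remote=xxxx.45 spi=2FC9A6E1 seqno=00000040"]
SA_OUTPUT = """#pkts encaps: 58, #pkts encrypt: 58, #pkts digest: 58
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 11, #recv errors 68
inbound esp sas:
spi: 0x2FC9A6E1(801744609)"""
```

Running diagnose(SYSLOG, SA_OUTPUT) on the thread's output yields both findings, which points at the peer side rather than the router's own SA, matching the fix the poster found.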