CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed

adriatikb
Level 1

I am receiving the following error when I try to establish an IPsec tunnel in one of our branches.


*Jan 19 14:16:37.059: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2009 local=172.16.16.6 remote=172.16.16.1 spi=4A4D2438 seqno=000023E2
*Jan 19 14:16:53.627: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 60: Neighbor 172.16.16.1 (FastEthernet0/0) is down: Peer goodbye received
*Jan 19 14:16:55.591: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 60: Neighbor 172.16.16.1 (FastEthernet0/0) is up: new adjacenc

The branch is connected to two WAN providers. EIGRP is in place in order to switch traffic in case of failure.

According to CCO, this message means:

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=[dec]

The MAC verify processing failed. This may be caused by the use of the wrong key by either party during the MAC calculations. This activity could be considered a hostile event.


I have checked and double-checked the key. It seems OK.

Please, any ideas what I am doing wrong?

Thanks

5 Replies

Laurent Aubert
Cisco Employee

Hi,

This message means either the received IPsec packets are corrupted or they had been encrypted with the wrong keys. These are not the same keys you configured for peer authentication during IKE Phase 1.

Clear the tunnel and see if the message keeps showing up. In that case it can be related to a HW or SW issue. Try the latest release to see if it's not a bug.

If you still have the message, open a TAC case for further troubleshooting.

HTH

Laurent.

Thank you for the response,

I tried to clear the tunnel on both sides; it still gets created and deleted again and again after a few seconds.

I have changed my router for a new one; still the same.

The IOS of the new router seems to be a new one: "c1841-advsecurityk9-mz.124-15.T7.bin"

How can I check whether this release has any bugs?

Best regards

adriatik

Do you see the same messages, or do you have other issues regarding the tunnel establishment?

You changed one side of the tunnel but what about the other side ?

Laurent.

For others having this issue: please first check whether the crypto session is established as expected using 'show crypto session' and 'show crypto ikev2 sa detailed'. They should show UP-ACTIVE for the former and 'Negotiation done' for the latter command.

Then clear the crypto session, e.g. using 'clear crypto ikev2 sa'. The tunnel and SA should clear and re-establish the connection, showing SA down/up. Traffic should no longer have errors.

IR800#clear crypto ikev2 sa
*Sep  3 16:33:10.627: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Sep  3 16:33:10.629: %IKEV2-5-SA_DOWN: SA DOWN

*Sep  3 16:33:42.085: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

*Sep  3 16:33:42.141: %IKEV2-5-SA_UP: SA UP

*Sep  3 16:33:42.141: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
IR800#
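The log lines in the original post and the SA down/up sequence in the last reply are the two things a practitioner actually has to read when chasing this message. The following script is an added example, not code from the thread or from Cisco: it parses a constructed IOS syslog excerpt modelled on those lines, counts MAC-verify failures per (local, remote, SPI) and checks whether the ESP sequence numbers are strictly increasing (fresh packets failing the ICV check point at a key/SA mismatch or corruption rather than replayed duplicates), correlates the failures with EIGRP neighbor-down events inside a window, and measures how long an IKEv2 SA took to come back after a clear. The 30-second correlation window and the sample timestamps, addresses and SPI are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog excerpt modelled on the lines quoted in the thread.
# Timestamps, addresses and the SPI are illustrative, not captured data.
SAMPLE_LOG = """\
*Jan 19 14:16:37.059: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2009 local=172.16.16.6 remote=172.16.16.1 spi=4A4D2438 seqno=000023E2
*Jan 19 14:16:38.101: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2009 local=172.16.16.6 remote=172.16.16.1 spi=4A4D2438 seqno=000023E3
*Jan 19 14:16:39.220: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2009 local=172.16.16.6 remote=172.16.16.1 spi=4A4D2438 seqno=000023E5
*Jan 19 14:16:53.627: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 60: Neighbor 172.16.16.1 (FastEthernet0/0) is down: Peer goodbye received
*Jan 19 14:16:55.591: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 60: Neighbor 172.16.16.1 (FastEthernet0/0) is up: new adjacency
*Jan 19 14:17:02.005: %IKEV2-5-SA_DOWN: SA DOWN
*Jan 19 14:17:33.412: %IKEV2-5-SA_UP: SA UP
"""

# IOS syslog timestamp has no year; strptime defaults to 1900, which is fine for deltas.
TS_RE = re.compile(r"^\*(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}\.\d+): (.*)$")
MAC_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_MAC_ERR: .*connection id=(\d+) local=(\S+) "
                    r"remote=(\S+) spi=([0-9A-Fa-f]+) seqno=([0-9A-Fa-f]+)")
DUAL_RE = re.compile(r"%DUAL-5-NBRCHANGE: .*Neighbor (\S+) \((\S+)\) is (up|down)")
IKEV2_RE = re.compile(r"%IKEV2-5-SA_(UP|DOWN):")


def parse_log(text):
    """Turn syslog text into a list of typed event dicts, ignoring unknown lines."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        mon, day, clock, body = m.groups()
        ts = datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S.%f")
        mm = MAC_RE.search(body)
        dm = DUAL_RE.search(body)
        im = IKEV2_RE.search(body)
        if mm:
            cid, local, remote, spi, seq = mm.groups()
            events.append({"ts": ts, "kind": "mac_err", "conn": int(cid), "local": local,
                           "remote": remote, "spi": spi.upper(), "seqno": int(seq, 16)})
        elif dm:
            nbr, iface, state = dm.groups()
            events.append({"ts": ts, "kind": "nbr", "neighbor": nbr, "iface": iface, "state": state})
        elif im:
            events.append({"ts": ts, "kind": "sa", "state": im.group(1).lower()})
    return events


def summarize_mac_errors(events):
    """Count MAC failures per inbound SA and check whether ESP seqnos strictly increase."""
    per_sa = defaultdict(lambda: {"count": 0, "seqnos": []})
    for e in events:
        if e["kind"] == "mac_err":
            key = (e["local"], e["remote"], e["spi"])
            per_sa[key]["count"] += 1
            per_sa[key]["seqnos"].append(e["seqno"])
    for s in per_sa.values():
        seqs = s["seqnos"]
        # Strictly increasing sequence numbers mean the peer keeps sending fresh packets
        # that all fail the ICV check: a key/SA mismatch or corruption, not replayed copies.
        s["monotonic"] = all(a < b for a, b in zip(seqs, seqs[1:]))
    return dict(per_sa)


def correlate_flaps(events, window_s=30.0):
    """For each EIGRP neighbor-down event, count MAC failures from that peer in the prior window."""
    result = []
    for d in (e for e in events if e["kind"] == "nbr" and e["state"] == "down"):
        n = sum(1 for e in events
                if e["kind"] == "mac_err" and e["remote"] == d["neighbor"]
                and 0 <= (d["ts"] - e["ts"]).total_seconds() <= window_s)
        result.append((d["neighbor"], d["ts"], n))
    return result


def sa_reestablish_seconds(events):
    """Seconds between each IKEv2 SA DOWN and the next SA UP (e.g. after 'clear crypto ikev2 sa')."""
    gaps, last_down = [], None
    for e in events:
        if e["kind"] != "sa":
            continue
        if e["state"] == "down":
            last_down = e["ts"]
        elif e["state"] == "up" and last_down is not None:
            gaps.append((e["ts"] - last_down).total_seconds())
            last_down = None
    return gaps


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (local, remote, spi), s in summarize_mac_errors(evs).items():
        print(f"SA {local}<-{remote} spi={spi}: {s['count']} MAC failures, "
              f"seqno monotonic={s['monotonic']}")
    for nbr, ts, n in correlate_flaps(evs):
        print(f"neighbor {nbr} down at {ts.time()}: {n} MAC failures in preceding 30 s")
    for g in sa_reestablish_seconds(evs):
        print(f"IKEv2 SA re-established after {g:.3f} s")
```

Run it against a real 'show logging' capture by replacing SAMPLE_LOG; a high per-SPI count with monotonic sequence numbers on a single SA, followed by the routing neighbor dropping, is the pattern the original poster describes and is consistent with the wrong key or a corrupted SA rather than an attacker replaying traffic.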