%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet

mahesh18
Level 6

Hi Everyone,

I have a GRE over IPSEC tunnel between a 2691 and a 3550.

The 2691 connects to the Internet and does the NATing.

The tunnel seems to be up/up and working fine, but on the 2691 I am seeing these in the logs:

Dec 23 10:07:27.580 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 23 10:08:05.957 MST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mintoo] [Source: 192.168.5.2] [localport: 23] at 10:08:05 MST Sun Dec 23 2012
Dec 23 10:08:27.582 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47
Dec 23 10:09:27.585 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47

2691Router# sh crypto isakmp sa
dst             src             state          conn-id slot status
192.168.5.2     192.168.5.3     QM_IDLE             38    0 ACTIVE

2691Router# sh crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: MYVPN, local addr 192.168.5.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.5.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.5.2/255.255.255.255/47/0)
   current_peer 192.168.5.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3646, #pkts encrypt: 3646, #pkts digest: 3646
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.5.3, remote crypto endpt.: 192.168.5.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x28553A1D(676674077)

     inbound esp sas:
      spi: 0x2BD49D31(735354161)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: AIM-VPN/EPII:2, crypto map: MYVPN
        sa timing: remaining key lifetime (k/sec): (4449766/1872)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x28553A1D(676674077)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: AIM-VPN/EPII:1, crypto map: MYVPN
        sa timing: remaining key lifetime (k/sec): (4449739/1872)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

How can I fix the log on the 2691 router?

Also, how can I tell which side is doing encryption and which is not?

Many thanks

Mahesh
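An added example, not part of the thread, that answers the second question from the data in this post. %CRYPTO-4-RECVD_PKT_NOT_IPSEC means the router received a packet that matched the crypto ACL (here GRE, protocol 47) but was not ESP/AH-encapsulated, so it dropped it; the src_addr names the peer that sent it in the clear, and the encaps/decaps counters from show crypto ipsec sa show which direction is actually being protected. The script assumes the log and counter lines are fed in as plain text; the sample input is constructed from the lines quoted above.

```python
import re

# Sample input, constructed from the syslog lines and SA counters quoted in the post.
SYSLOG = (
    "Dec 23 10:07:27.580 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC "
    "packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47\n"
    "Dec 23 10:08:05.957 MST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mintoo] "
    "[Source: 192.168.5.2] [localport: 23] at 10:08:05 MST Sun Dec 23 2012\n"
    "Dec 23 10:08:27.582 MST: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC "
    "packet. (ip) vrf/dest_addr= /192.168.5.3, src_addr= 192.168.5.2, prot= 47\n"
)
IPSEC_SA = (
    "    #pkts encaps: 3646, #pkts encrypt: 3646, #pkts digest: 3646\n"
    "    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4\n"
)

# Message fields: an optional VRF name, then IP destination, source and protocol.
NOT_IPSEC_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr= ?(?P<vrf>[^/\s]*)/(?P<dst>[\d.]+), "
    r"src_addr= ?(?P<src>[\d.]+), prot= ?(?P<prot>\d+)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def cleartext_events(syslog):
    """(src, dst, ip_protocol) for each packet the router dropped because it
    matched the crypto ACL but arrived without ESP/AH encapsulation."""
    return [(m["src"], m["dst"], int(m["prot"]))
            for m in map(NOT_IPSEC_RE.search, syslog.splitlines()) if m]

def sa_counters(sa_text):
    """{'encaps': n, 'decaps': n} from 'show crypto ipsec sa' output."""
    return {name: int(n) for name, n in COUNTER_RE.findall(sa_text)}

def diagnose(syslog, sa_text):
    """Local side encrypts if encaps > 0; the peer is judged to encrypt only if
    we decapsulate its traffic and never see it arrive in the clear."""
    events = cleartext_events(syslog)
    counters = sa_counters(sa_text)
    return {
        "local_encrypting": counters.get("encaps", 0) > 0,
        "peer_encrypting": counters.get("decaps", 0) > 0 and not events,
        "cleartext_senders": sorted({src for src, _, _ in events}),
        "dropped_cleartext_packets": len(events),
    }

if __name__ == "__main__":
    print(diagnose(SYSLOG, IPSEC_SA))
```

For this post the result is local_encrypting True and peer_encrypting False with 192.168.5.2 as the cleartext sender, i.e. the 2691 encrypts outbound GRE while the 3550 sends its GRE unprotected.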

28 Replies

Hi Andrew, I said that because I don't see any crypto map applied to the tunnel interface; the crypto map is applied to f0/1, which is used as the tunnel source. To my understanding, tunnel source only pulls the IP address information from the source, not all the attributes of the source. This is why I recommended he apply the crypto map directly to the tunnel interface. Correct me if I am wrong.

A crypto map cannot be applied to the tunnel interface. It doesn't make sense. It's applied to the physical interface, and specifies that all GRE traffic that goes through that interface (i.e. tunnel traffic) should initiate the IKE exchange and IPSec tunnel establishment. This is because traffic destined to the tunnel interface first gets encapsulated into GRE, and then forwarded through the physical interface.

It seems that the crypto map should be applied on both the tunnel and the physical interface; please see the documentation below for an example: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

Dear Rudy, I've no idea why it's applied on the tunnel in that doc (maybe it was so in older IOS versions, the doc date is 2008, or something else), but applying the crypto map on the physical interface is enough. Try it in GNS, if you haven't yet, and you'll see.

Let's forget the old ways and use the new ways. Let's see if this can help Mahesh solve his issue.

That's what I started with )))

Hi Andrew,

Thanks for all help so far.

I removed the crypto map from both sides' physical interfaces and did as you said earlier.

Now the OSPF neighbor adjacency is there between the tunnel interfaces.

2691Router# sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.4.4.4           0   FULL/  -        00:00:31    10.5.1.1        Tunnel0

But now no ISAKMP is running:

2691Router#sh crypto isakmp sa
dst             src             state          conn-id slot status

Other side:

3550SMIA#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4           0   FULL/  -        00:00:33    10.5.1.2        Tunnel0

Now the OSPF adjacency is up from both sides.

What should I do next?

Regards

Mahesh

Hi Andrew,

After doing this my internet access from the 3550 was working fine, but after some time from the 3550 I am unable to ping internet sites.

From the 2691 I can ping internet websites.

3550:

3550SMIA#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.5.1.2 to network 0.0.0.0

O    192.168.12.0/24 [110/1012] via 10.5.1.2, 01:13:32, Tunnel0
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/1002] via 10.5.1.2, 01:13:32, Tunnel0
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/1001] via 10.5.1.2, 01:13:32, Tunnel0
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 10.5.1.2, 01:13:32, Tunnel0
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/1001] via 10.5.1.2, 01:13:32, Tunnel0
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 10.5.1.2, 01:13:32, Tunnel0
O E2    172.31.2.0 [110/300] via 10.5.1.2, 01:13:32, Tunnel0
O E2    172.31.1.0 [110/300] via 10.5.1.2, 01:13:32, Tunnel0
O E2    172.31.0.0 [110/300] via 10.5.1.2, 01:13:32, Tunnel0
O    192.168.11.0/24 [110/1002] via 10.5.1.2, 01:13:32, Tunnel0
O    192.168.98.0/24 [110/2] via 192.168.99.1, 01:13:32, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
C    10.0.0.0/8 is directly connected, Tunnel0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/1001] via 10.5.1.2, 01:13:32, Tunnel0
O    192.168.1.0/24 [110/1012] via 10.5.1.2, 01:13:32, Tunnel0
O*E2 0.0.0.0/0 [110/1] via 10.5.1.2, 01:13:32, Tunnel0
3550SMIA#

Thanks

Mahesh

Hello,

I think I know why it fails here.

A Catalyst 3550 is a switch, not a router. Even if the parser commands exist, they are not meant to work.

GRE, for instance, is unsupported.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3550/software/release/12.2_25_seb/configuration/guide/swuncli.html

A crypto map without a crypto engine [which is the case here] is not supported either. You should use a real router instead.

Cheers,

Hi olpeleri,

So you mean that GRE is not supported but IPSEC is supported on the 3550?

As I am running IPSEC on the 3550 and an 1811W without any issues.

Thanks

Mahesh

You're lucky if it works...

Looking at the configuration guide... there are no references related to crypto.

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swuncli.html

Cheers.

Hi olpeleri,

I enabled an OSPF adjacency also between the two physical interfaces, and now from the GRE tunnel I am able to access the internet.

3550:

3550SMIA#sh ip ospf nei
Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.4          10   FULL/DR         00:02:22    192.168.5.3     FastEthernet0/11
4.4.4.4           0   FULL/  -        00:00:33    10.5.1.2        Tunnel0
192.168.99.1      1   FULL/BDR        00:00:32    192.168.99.1    FastEthernet0/8

3550SMIA# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/48/52 ms

3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.5.3 to network 0.0.0.0

O    192.168.12.0/24 [110/13] via 192.168.5.3, 00:03:47, FastEthernet0/11
     100.0.0.0/32 is subnetted, 1 subnets
O       100.100.100.100 [110/3] via 192.168.5.3, 00:03:47, FastEthernet0/11
     3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       3.3.3.3/32 [110/2] via 192.168.5.3, 00:03:47, FastEthernet0/11
C       3.4.4.0/24 is directly connected, Loopback0
C    192.168.30.0/24 is directly connected, Vlan30
     64.0.0.0/32 is subnetted, 1 subnets
O E2    64.59.135.150 [110/300] via 192.168.5.3, 00:03:47, FastEthernet0/11
     4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/2] via 192.168.5.3, 00:03:47, FastEthernet0/11
C    192.168.10.0/24 is directly connected, Vlan10
     172.31.0.0/24 is subnetted, 4 subnets
O E2    172.31.3.0 [110/300] via 192.168.5.3, 00:03:47, FastEthernet0/11
O E2    172.31.2.0 [110/300] via 192.168.5.3, 00:03:47, FastEthernet0/11
O E2    172.31.1.0 [110/300] via 192.168.5.3, 00:03:47, FastEthernet0/11
O E2    172.31.0.0 [110/300] via 192.168.5.3, 00:03:47, FastEthernet0/11
O    192.168.11.0/24 [110/3] via 192.168.5.3, 00:03:47, FastEthernet0/11
O    192.168.98.0/24 [110/2] via 192.168.99.1, 00:03:47, FastEthernet0/8
C    192.168.99.0/24 is directly connected, FastEthernet0/8
C    192.168.20.0/24 is directly connected, Vlan20
     192.168.5.0/31 is subnetted, 1 subnets
C       192.168.5.2 is directly connected, FastEthernet0/11
C    10.0.0.0/8 is directly connected, Tunnel0
     192.168.6.0/31 is subnetted, 1 subnets
O       192.168.6.2 [110/2] via 192.168.5.3, 00:03:47, FastEthernet0/11
O    192.168.1.0/24 [110/13] via 192.168.5.3, 00:03:47, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 00:03:47, FastEthernet0/11
3550SMIA#

But now the 3550 shows that the default route is via the physical interface, not the tunnel interface. Does this mean that the GRE tunnel is not passing traffic?

Thanks

Mahesh

I was having the same error in a lab simulation. I was looking for a reason of the problem and your contribution was exceptionally useful. I stopped having the error, and at the same time your answer helped me out understanding conceptually the use of crypto ipsec profile and tunnel protection ipsec profile commands. Thank you!

Thanks, Rudy, you solved my problem here in the lab.