
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an

Vikrant Ambhore
Level 1

Hi All Friends,

All is working fine, but when the spoke router is started or rebooted I always get the error below on the HUB router.

I think it's an issue regarding the ISAKMP policy. I read somewhere that the policy should be the same on both ends, but I saw in our config that the spoke router is using the default policy. There is some difference in the policy, although I'm not 100% sure. Can anyone help me fix this issue?

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an
IPSEC packet.
        (ip) vrf/dest_addr= /XX.XX.XX.XX, src_addr= XX.XX.XX.XX, prot= 47

4 Replies

Jennifer Halim
Cisco Employee

Protocol 47 is GRE, so it looks like when the spoke router has just restarted, the packet received by the HUB router is plain GRE, as the IPSec might not be fully established yet. Once the IPSec tunnel is up and running, you shouldn't see that error message anymore, as the GRE will be encrypted in IPSec.

BTW, it has nothing to do with the ISAKMP policy, as it wouldn't work if the policy didn't match. The fact that it works fine and you are just seeing the error as the spoke reloads is due to the explanation provided above.

Hope that answers your question.

That means I do not need to worry?

Will it work fine?

To confirm it is working OK, check the status of the IPSec:

Phase 1: show cry isa sa  --> if you see QM_IDLE, it's good.

Phase 2: show cry ipsec sa --> if you are seeing packets being encrypted and decrypted, it's good.

dsw
Level 1

This could also be a result of the ipsec profile not being applied to your Tunnel interface via the:

!tunnel protection ipsec profile "profilename" command.

Sometimes, it can be a bit overwhelming when you're performing all of the steps for your tunnel configuration.

 

Cheers,

 

Jay K.
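The two explanations in this thread (a short burst of cleartext GRE while a spoke re-establishes IPSec, versus a tunnel that keeps sending GRE because no IPSec profile protects it) can be told apart from the hub's syslog. The script below is an added example, not code from any poster or from Cisco. The collector timestamp prefix, the `hub` hostname, the sample addresses and the 60 s / 2 min thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: message body follows the format quoted in the thread;
# timestamp prefix, hostname and documentation-range addresses are assumptions.
MSG = ("{ts} hub %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. "
       "(ip) vrf/dest_addr= /192.0.2.1, src_addr= {src}, prot= 47")
SAMPLE_LOG = "\n".join(MSG.format(ts=ts, src=src) for ts, src in [
    ("2024-01-10T08:00:01", "198.51.100.10"),  # spoke A reloads
    ("2024-01-10T08:00:11", "198.51.100.10"),
    ("2024-01-10T08:00:21", "198.51.100.10"),
    ("2024-01-10T14:30:00", "198.51.100.10"),  # spoke A reloads again
    ("2024-01-10T14:30:10", "198.51.100.10"),
    ("2024-01-10T08:00:00", "198.51.100.20"),  # spoke B never stops
    ("2024-01-10T08:00:50", "198.51.100.20"),
    ("2024-01-10T08:01:40", "198.51.100.20"),
    ("2024-01-10T08:02:30", "198.51.100.20"),
])

EVENT = re.compile(r"^(?P<ts>\S+) .*%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*"
                   r"src_addr= (?P<src>[0-9.]+), prot= (?P<prot>\d+)")

def parse(log_text):
    """Return {src_addr: sorted timestamps} for cleartext GRE (protocol 47) events."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m and m["prot"] == "47":
            seen[m["src"]].append(datetime.fromisoformat(m["ts"]))
    return {src: sorted(ts) for src, ts in seen.items()}

def longest_burst(times, max_gap):
    """Duration of the longest run of events whose consecutive gaps stay within max_gap."""
    longest = timedelta(0)
    start = prev = times[0]
    for t in times[1:]:
        if t - prev > max_gap:
            start = t  # quiet period: a new burst begins here
        longest = max(longest, t - start)
        prev = t
    return longest

def classify(log_text, max_gap=timedelta(seconds=60), settle=timedelta(minutes=2)):
    """'transient' if every burst ends within `settle`, otherwise 'persistent'."""
    return {src: "persistent" if longest_burst(ts, max_gap) > settle else "transient"
            for src, ts in parse(log_text).items()}
```

A source classified as persistent is the one to check with `show cry isa sa` and `show cry ipsec sa`, and for a missing `tunnel protection ipsec profile` line on its tunnel interface.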