IPSEC

ivargasg
Level 1
I had an IPSEC tunnel on a CISCO 2900, and when migrating to an ISR4331 it gave me the following logs. We did not notice any failure, but the logs were very constant:

Oct 11 09:14:56.204: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000335908828989009 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:15:56.244: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000335968872008736 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:16:56.284: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000336028915034258 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:17:56.324: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000336088958008277 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:18:56.364: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000336149000951275 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:19:56.404: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000336209044117017 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:20:56.444: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000336269087004912 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:21:56.484: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000336329129924427 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17
Oct 11 09:22:56.524: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000336389172876293 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17


@ivargasg the traffic was sent in clear text instead of encrypted. It looks like the multicast address 224.0.0.2 is used to send HSRP hello messages. Are you using HSRP, or is HSRP used by the ISP?

Provide your configuration if you wish us to review further.

Yes, ISP used HSRP 

crypto isakmp policy 1
encryption aes
hash sha256
authentication pre-share
group 2
lifetime 400
crypto isakmp key tecamac_cat address 198.18.10.1
!
!
!
!
crypto gdoi group group1
identity number 1
server address ipv4 198.18.10.1
!
!
crypto map gdoimap gdoi fail-close
match address bypass_acl
!
crypto map map-group1 local-address Loopback80
crypto map map-group1 10 gdoi
set group group1
!
!
!
!
!
interface Loopback80
description INTERFACE CRYPTO
ip address 198.18.10.12 255.255.255.255
interface Tunnel1
ip address 5.5.5.2 255.255.255.252
tunnel source 192.168.177.2
tunnel destination 192.168.165.182
!
interface GigabitEthernet0/0/0
description CLIENT:CPE:WAN TECAMAC:0
bandwidth 20000
ip flow monitor FLOW-MONITOR-IRV input
ip flow monitor FLOW-MONITOR-IRV output
ip address 192.168.177.50 255.255.255.248
ip nbar protocol-discovery
load-interval 30
negotiation auto
crypto map map-group1
service-policy output QOS_20_15_55_5_20M
!
interface GigabitEthernet0/0/1
description CLIENT:CPE:LAN TECAMAC:0
ip flow monitor FLOW-MONITOR-IRV input
ip flow monitor FLOW-MONITOR-IRV output
ip address 17.3.3.158 255.255.255.0
standby 1 ip 17.3.3.150
standby 1 priority 110
standby 1 preempt
standby 1 track 321 decrement 20
ip tcp adjust-mss 1360
load-interval 30
speed 100
no negotiation auto
no cdp enable
!
router bgp 64775
bgp log-neighbor-changes
neighbor 10.10.250.2 remote-as 11172
neighbor 10.10.250.2 ebgp-multihop 2
!
!
route-map SetLocalPreference permit 10
set local-preference 100
!

Normally the ACL for IPsec will not allow multicast.

But it can be an issue if you use "any" in the ACL of IPsec. Do you use "any"?

Yes, the ACL is downloaded from the Key Server

ACL Downloaded From KS 198.18.10.1:
access-list deny udp any port = 848 any port = 848
access-list deny tcp any any port = 22
access-list deny tcp any port = 22 any
access-list deny tcp any any port = 49
access-list deny tcp any port = 49 any
access-list deny tcp any any port = 179
access-list deny tcp any port = 179 any
access-list deny ospf any any
access-list deny eigrp any any
access-list deny udp any any port = 123
access-list deny udp any port = 123 any
access-list deny udp any any port = 161
access-list deny udp any port = 161 any
access-list deny udp any any port = 162
access-list deny udp any port = 162 any
access-list deny udp any any port = 514
access-list deny udp any port = 514 any
access-list deny ip 10.190.0.0 0.0.255.255 any
access-list deny ip any 10.190.0.0 0.0.255.255
access-list deny ip host 17.1.5.179 any
access-list deny ip any host 17.1.5.179
access-list deny ip host 17.5.1.179 any
access-list deny ip any host 17.5.1.179
access-list deny ip host 17.5.7.179 any
access-list deny ip any host 17.5.7.179
access-list deny ip host 17.5.7.180 any
access-list deny ip any host 17.5.7.180
access-list deny ip host 17.50.1.179 any
access-list deny ip any host 17.50.1.179
access-list deny ip host 17.50.1.180 any
access-list deny ip any host 17.50.1.180
access-list deny ip host 17.70.1.179 any
access-list deny ip any host 17.70.1.179
access-list deny ip host 17.70.1.180 any
access-list deny ip any host 17.70.1.180
access-list deny ip host 10.29.5.180 any
access-list deny ip any host 10.29.5.180
access-list deny ip host 10.29.5.181 any
access-list deny ip any host 10.29.5.181
access-list deny ip host 17.5.12.31 any
access-list deny ip any host 17.5.12.31
access-list deny ip host 17.70.1.175 any
access-list deny ip any host 17.70.1.175
access-list permit ip 10.3.5.0 0.0.0.255 any
access-list permit ip any 10.3.5.0 0.0.0.255
access-list permit ip 10.13.5.0 0.0.0.255 any
access-list permit ip any 10.13.5.0 0.0.0.255
access-list permit ip 17.3.5.0 0.0.0.255 any
access-list permit ip any 17.3.5.0 0.0.0.255
access-list permit ip 17.23.1.0 0.0.0.255 any
access-list permit ip any 17.23.1.0 0.0.0.255
access-list permit ip 17.50.1.0 0.0.0.255 any
access-list permit ip any 17.50.1.0 0.0.0.255
access-list permit ip 17.70.1.0 0.0.0.255 any
access-list permit ip any 17.70.1.0 0.0.0.255
access-list permit ip 10.31.5.0 0.0.0.255 any
access-list permit ip any 10.31.5.0 0.0.0.255
access-list permit ip 10.33.5.0 0.0.0.255 any
access-list permit ip any 10.33.5.0 0.0.0.255
access-list permit ip 10.43.5.0 0.0.0.255 any
access-list permit ip any 10.43.5.0 0.0.0.255
access-list permit ip 10.53.5.0 0.0.0.255 any
access-list permit ip any 10.53.5.0 0.0.0.255
access-list permit ip 10.63.5.0 0.0.0.255 any
access-list permit ip any 10.63.5.0 0.0.0.255
access-list permit ip 10.73.5.0 0.0.0.255 any
access-list permit ip any 10.73.5.0 0.0.0.255
access-list permit ip 10.53.4.0 0.0.0.255 any
access-list permit ip any 10.53.4.0 0.0.0.255
access-list permit ip 192.168.177.48 0.0.0.7 any
access-list permit ip any 192.168.177.48 0.0.0.7
access-list permit ip 192.168.140.240 0.0.0.7 any
access-list permit ip any 192.168.140.240 0.0.0.7
access-list permit ip 10.78.1.0 0.0.0.255 any
access-list permit ip any 10.78.1.0 0.0.0.255
access-list permit ip 10.63.7.0 0.0.0.255 any
access-list permit ip any 10.63.7.0 0.0.0.255
access-list permit ip 10.83.1.0 0.0.0.255 any
access-list permit ip any 10.83.1.0 0.0.0.255

KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 8109
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 752

TEK POLICY for the current KS-Policy ACEs Downloaded:
GigabitEthernet0/0/0:
IPsec SA:
spi: 0xBB5674A0(3143005344)
transform: esp-aes esp-sha256-hmac
sa timing:remaining key lifetime (sec): (20556)
Anti-Replay(Counter Based) : 64
tag method : disabled
alg key size: 16 (bytes)
sig key size: 32 (bytes)
encaps: ENCAPS_TUNNEL


KGS POLICY:
REG_GM: local_addr 198.18.10.16

P2P POLICY:
REG_GM: local_addr 198.18.10.16


@ivargasg modify your ACL to explicitly deny traffic to/from that multicast address. Obviously make sure it's above the permit ACE.
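Added example, not from the thread or from Cisco: a small Python model of the ACE lookup, run over one of the log lines above and a constructed subset of the ACL downloaded from the KS. It shows the HSRP hello from 192.168.177.50 to 224.0.0.2 being matched by the "permit ip 192.168.177.48 0.0.0.7 any" ACE (so the group member expects ESP and logs the clear-text packet), and the effect of inserting the deny ACE above the permits as suggested. Assumptions: only "ip" ACEs are modelled (the port-qualified tcp/udp ACEs are omitted because HSRP hellos use UDP/1985, which none of them name), and parse_log, first_match and exempt_flow are names chosen here.

```python
import ipaddress
import re

# Constructed log line, same format as the %IPSEC-3-RECVD_PKT_NOT_IPSEC entries in the post.
SAMPLE_LOG = ("Oct 11 09:14:56.204: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:001 TS:00000335908828989009 "
              "%IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 224.0.0.2, src_addr= 192.168.177.50, prot= 17")
# Constructed subset of the KS-downloaded ACL ('ip' ACEs only, in the order the KS lists them).
SAMPLE_ACL = [
    "access-list deny ip 10.190.0.0 0.0.255.255 any",
    "access-list deny ip host 17.1.5.179 any",
    "access-list permit ip 10.3.5.0 0.0.0.255 any",
    "access-list permit ip 192.168.177.48 0.0.0.7 any",
    "access-list permit ip any 192.168.177.48 0.0.0.7",
]
LOG_RE = re.compile(r"%IPSEC-3-RECVD_PKT_NOT_IPSEC: .*?dest_addr= (\S+), src_addr= (\S+), prot= (\d+)")

def parse_log(line):
    """Return (src, dst, protocol) from a RECVD_PKT_NOT_IPSEC line, or None if it is not one."""
    m = LOG_RE.search(line)
    return (m.group(2), m.group(1), int(m.group(3))) if m else None

def _spec(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return it as an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)  # IOS wildcard == hostmask

def parse_ace(text):
    """Parse 'access-list <permit|deny> ip <src> <dst>' into (action, src_net, dst_net)."""
    action, proto, *rest = text.split()[1:]
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are modelled here: " + text)
    return action, _spec(rest), _spec(rest)  # src is consumed first, then dst

def first_match(acl, src, dst):
    """Return (index, ACE text) of the first ACE matching src->dst; implicit deny if none."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        _, snet, dnet = parse_ace(ace)
        if s in snet and d in dnet:
            return i, ace
    return None, "implicit deny"

def exempt_flow(acl, dst):
    """Copy of the ACL with 'deny ip any host <dst>' inserted above the first permit ACE."""
    idx = next((i for i, a in enumerate(acl) if a.split()[1] == "permit"), len(acl))
    return acl[:idx] + [f"access-list deny ip any host {dst}"] + acl[idx:]
```

Because this ACL is pushed by the key server (198.18.10.1), the deny ACE is added to the KS policy and re-pushed rather than edited locally on the group member.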