cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1211
Views
0
Helpful
5
Replies

ISM-VPN-39 Issues

queirozlindolfo
Level 1
Level 1

Hi Team,

 

We are migrating a WAN circuit connected to our router 3945 to another carrier. The strategy was to connect the the new circuit to a new interface gi2/0, configure everything and then shutdown the current interface gi0/0.

 

After doing this, we started to receive errors in the log related to encryption:

 

Apr 14 16:48:18.838 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x2120A2,SPI=0x8856B73
Apr 14 16:49:28.981 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x236118,SPI=0x8856B73
Apr 14 16:50:06.102 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x249A96,SPI=0x8856B73
Apr 14 16:50:24.352 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=169.40.12.9, prot=50, spi=0x16B4E901(380954881), srcaddr=169.40.12.2, input interface=GigabitEthernet2/0
Apr 14 16:51:07.976 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x26CA68,SPI=0x8856B73
Apr 14 16:51:46.525 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1452,sequence number=0x284536,SPI=0x8856B73

 

This router has the encryption card ISM-VPN-39, but, as far as we know, this card acts globally in the box, and not associated with an specific interface or slot.

However, for testing purposes we connected the new circuit to the interface gi0/0 and the errors immediately stopped.

 

NAME: "WAN Interface Card - HWIC Serial 2T on Slot 0 SubSlot 0", DESCR: "WAN Interface Card - HWIC Serial 2T"

PID: HWIC-2T           , VID: V02 , SN: FOC13501YCQ

 

NAME: "Internal Services Module - Crypto Engine on Slot 0", DESCR: "Internal Services Module - Crypto Engine"

PID: ISM-VPN-39        , VID: V02 , SN: FOC18203AHZ

 

NAME: "2 SFP GE SM on Slot 2", DESCR: "2 SFP GE SM"

 

Can you please advise?

 

Thanks,

Lindolfo

 

5 Replies 5

Looks like the SPIs are mismatched.  Do you have access to the remote site to check the SPIs there?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thanks for your answer!

Yes, I have. May you please share the commands you want to see the output to check this?

 

 

show crypto ipsec sa address xxx.xxx.xxx.xxx | include spi|outbound|inbound

Where xxx.xxx.xxx.xxx is the public IP of the remote site.

Post the output for both sites.

--
Please remember to select a correct answer and rate helpful posts

Marius,

 

In the IOS release I´m running, is not possible to specify the address, instead of it, I got the output specifying the tunnel interface ok?

 

We have two tunnels to different locations, using the carriers´s MPLS.

 

Please note that now, we are not seeing the errors message since we mover the new circuit to the old interface.

 

Find attached the requested outputs, as well as a diagram of this infrastructure.

Strange...the SPIs are correct at both ends...Is this output taken when the switchover to the new connection was made? or while the existing / working connection is up?

You are correct that the the encryption module should work globally.

Did you try clearing the VPN to re-establish it when you were trying to switch to the new connection?

--
Please remember to select a correct answer and rate helpful posts