Packet NOT IPSEC

amontini
Level 1

I have a large VPN with 3DES encryption. At my remote site I have a Cisco 1720 (IOS 12.2.YA2) on ADSL or ISDN, and at the center a 7204VXR (IOS 12.1.10aE4) with an accelerator card. The VPN works properly, but sometimes the 1720 receives an error:

"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= xxx.xxx.xxx.xxx, src_addr= yyy.yyy.yyy.yyy, prot= 6"

When this error occurs, my telnet 3270 session remains blocked for 1-2 minutes.

I have disabled the route cache on both routers, but the problem is not resolved.

Does anybody have a suggestion for me?

Thanks

Gionata

4 Replies

paqiu
Level 1

Does that 1720 router have a VPN accelerator card installed?

If it does, use "no crypto engine accelerator" to disable the VPN module and see whether the problem is still there or not. To turn it back on, simply enter "crypto engine acce" in "config t" mode.

Are you doing a hub-and-spoke design or a fully meshed VPN network?

Sometimes this happens because a large number of VPN peers' phase 1 ISAKMP SAs time out and rekey at the same time; might that cause the 1-2 minute timeout?

You can disable the "PFS" setting to reduce the phase 1 rekeying.

Best Regards,

Hi,

The 1720 doesn't have the accelerator card. My VPN is an extranet VPN.

The problem occurs during an established IPSec session, not in the startup phase. Concerning the possibility of disabling PFS, I think that this operation has an impact on the whole VPN because I would have to change the policy on all my extranet routers; is that correct?

Best Regards

This is not a problem. Don't worry about it. Non-IPSec packets will not be able to pass through the router to the LAN. My guess is that these packets relate to phase 1 SA initialization offers which have to clear, because no encryption policy has been established yet.

Sorry, but I have this problem during an IPSec session, not only during phase 1 SA initialization, and when it occurs the clients are blocked for 1-2 minutes. Can these non-IPSec packets occur when the lifetime has ended and the router negotiates new SAs?

Thanks for your collaboration, and sorry for my poor English.

Gionata
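The thread leaves open whether the %CRYPTO-4-RECVD_PKT_NOT_IPSEC bursts line up with SA lifetime expiry. One way to check that from the router's syslog feed is to parse the message format quoted above, group the hits per peer pair into bursts, and flag peers whose consecutive bursts are spaced by roughly the configured SA lifetime. The script below is an added example, not code from the original thread or from Cisco; the log lines are constructed for illustration, the timestamp format assumes "service timestamps log datetime" output without a year, and the 3600-second lifetime is an assumed value to compare against (change it to whatever "lifetime seconds" your crypto map or ISAKMP policy actually uses).

```python
"""Triage %CRYPTO-4-RECVD_PKT_NOT_IPSEC syslog messages from a Cisco IOS router.

Added example, not part of the original thread. Parses the message format quoted
in the question, groups hits per (src, dest) peer pair into bursts, and reports
peers whose bursts recur at roughly the configured SA lifetime.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real router output). Addresses are documentation
# ranges; the message body follows the format quoted in the thread.
SAMPLE_LOG = """\
Mar  3 10:00:01: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.0.2.10, src_addr= 198.51.100.20, prot= 6
Mar  3 10:00:02: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.0.2.10, src_addr= 198.51.100.20, prot= 6
Mar  3 10:00:03: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.0.2.10, src_addr= 198.51.100.20, prot= 6
Mar  3 10:00:05: %SYS-5-CONFIG_I: Configured from console by console
Mar  3 10:31:40: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.0.2.10, src_addr= 198.51.100.21, prot= 17
Mar  3 11:00:00: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.0.2.10, src_addr= 198.51.100.20, prot= 6
Mar  3 11:00:01: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 192.0.2.10, src_addr= 198.51.100.20, prot= 6
"""

# Timestamp prefix assumes "service timestamps log datetime" (no year, optional
# milliseconds); the rest is the message text as quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)?:?\s+"
    r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet\.\s*"
    r"\(ip\) dest_addr= (?P<dest>[\d.]+), src_addr= (?P<src>[\d.]+), prot= (?P<prot>\d+)"
)


def parse_event(line, year=2024):
    """Return {ts, dest, src, prot} for a RECVD_PKT_NOT_IPSEC line, else None.

    `year` is assumed because IOS timestamps carry none.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "dest": m["dest"], "src": m["src"], "prot": int(m["prot"])}


def find_bursts(events, gap=timedelta(seconds=30)):
    """Group events per (src, dest) into bursts separated by more than `gap`."""
    by_peer = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_peer[(ev["src"], ev["dest"])].append(ev)
    bursts = {}
    for peer, evs in by_peer.items():
        runs = []
        for ev in evs:
            if runs and ev["ts"] - runs[-1]["end"] <= gap:
                runs[-1]["end"] = ev["ts"]
                runs[-1]["count"] += 1
            else:
                runs.append({"start": ev["ts"], "end": ev["ts"], "count": 1})
        bursts[peer] = runs
    return bursts


def rekey_suspects(bursts, lifetime=3600, tolerance=90):
    """Peers whose consecutive bursts start about `lifetime` seconds apart.

    `lifetime` is an assumed value; set it to the SA lifetime configured on
    the routers. Returns {peer: [(prev_start, cur_start, delta_seconds), ...]}.
    """
    suspects = {}
    for peer, runs in bursts.items():
        hits = []
        for prev, cur in zip(runs, runs[1:]):
            delta = (cur["start"] - prev["start"]).total_seconds()
            if abs(delta - lifetime) <= tolerance:
                hits.append((prev["start"], cur["start"], delta))
        if hits:
            suspects[peer] = hits
    return suspects


def triage(log_text, lifetime=3600):
    """Parse a syslog dump and return (bursts_per_peer, rekey_suspects)."""
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    bursts = find_bursts(events)
    return bursts, rekey_suspects(bursts, lifetime)


if __name__ == "__main__":
    bursts, suspects = triage(SAMPLE_LOG)
    for peer, runs in bursts.items():
        print(peer, [(r["start"].time(), r["count"]) for r in runs])
    for peer, hits in suspects.items():
        print("possible rekey-related bursts from", peer, [h[2] for h in hits])
```

A peer that shows up in `rekey_suspects` is worth checking against "show crypto ipsec sa" (the remaining lifetime counters) at the time of the next expected burst; a peer with a single isolated burst is more likely a stray cleartext packet that simply matched the crypto ACL.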