Crypto 4 recvdpktmacerr

VPN blunders – %CRYPTO-four-RECVD_PKT_MAC_ERR: decrypt: mac confirm failed

Getting this mistake on the choices statistics middle 2581 (12.four(24)T) from a GRE/IPSEC tunnel, far flung branch is 2811 strolling 12.4(25d)

%CRYPTO-four-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection identification=

The tunnel has been up and operating okay for months, not anything has changed on the config and the secret’s correct. Traffic is following but far off users are complaining of overall performance troubles. A wireshark indicates checksum mistakes and masses of packet resends. Remote ISP has checked the circuit and says its smooth.

The records centre router has pretty some tunnels but simplest 1 causing this problem. From the head give up b x.x.x.x

   current_peer x.x.x.xport 500     PERMIT, flags=    #pkts encaps: 15129, #pkts encrypt: 15129, #pkts digest: 15129    #pkts decaps: 13346, #pkts decrypt: 13346, #pkts confirm: 13346    #pkts compressed: zero, #pkts decompressed: zero    #pkts not compressed: zero, #pkts compr. failed: 0    #pkts no longer decompressed: 0, #pkts decompress failed: zero    #ship errors 1, #recv mistakes 1992

Can a VPN module pass horrific like this? I’ve tried disabling the department onboard engine and the use of software program however it would not assist. Any ideas?

This is probable as a result of packet corruption inside the transit community, which isn’t all that unusual. To prove it, you could setup packet seize on the choices WAN facet in front of each tunnel end point. You may also try this with the EPC (embedded packet seize) characteristic that changed into introduced to IOS in 12.4(20)T and later. Make positive you growth the packet buffer so you can evaluate the choices entire packet. As soon as you see an MAC error logged on the router, stop the choices capture on both facets, and use the ip identification, esp seq numbers to identifiy the choices packet in question from both captures. You can then evaluate them through printing the choices the packets to a report and doing a diff on them. If the choices packets are indeed equal, then you may want to open a TAC case to look if there’s any acknowledged software/hardware problems which could cause this.