More detail in IPSEC debugging?

We have several IPSEC tunnels to all kinds of different routers. When I enable "debug crypto ipsec" I get occasional messages like this:

IPSEC(epa_des_crypt): decrypted packet failed SA identity check

I know what it means and how to solve it, but unfortunately there is no reference to what SA it is related to.

Is there really no way to get this information? Anything pointing to the source of the problem would be welcome... (remote IP address, SA number, etc.)

Rob

Try debug crypto isakmp

jwil

Sorry but isakmp is not related to these errors...

Rob

Is this a router or Firewall?

Debug crypto isakmp and ipsec are both good ways to f> jwil wrote:

jwil

not working or has errors. They just work for different phases of the tunnel. Maybe you should try to use a higher level of debug, i.e. debug crypto ipsec 100.

It is a router.

100 is not a valid option for debug crypto ipsec. That is exactly the kind of thing I am looking for: some option to have more debug output. But I cannot find it.

I have only this message: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

I know what it means but I want to know what is the packet that is not matching so that I can change the access list on the correct peer.

Rob
