PIX 501 IPSEC errors

- P
- Paddy
  
  Contact options for registered users
posted
17 years ago

Fri, Oct 13, 2006 6:11 PM

Get the following from "show crypto ipsec sa":

#pkts encaps: 1365731, #pkts encrypt: 1365731, #pkts digest 1365731 #pkts decaps: 1742544, #pkts decrypt: 1742544, #pkts verify 1742544 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 6, #recv errors 84028

Get the following from "debug crypto ipsec":

IPSEC(sw_esp_decap): authenticate failed IPSEC(cipher_ipsec_request): decap failed for xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy

Connection is up, but is slow.

Loading thread data ...

- D
- Darren Green
  
  Contact options for registered users
Vote on answer
posted
17 years ago

Sat, Oct 14, 2006 4:13 PM

Hi Paddy,

What is at the other end of this tunnel - router ??? / VPN Client.

Do you have an errors in your buffer /logs on either end of the tunnel - invalid SPI info perhaps making the VPN re-negotiate because a packet was received out of sync

Slow connections can sometimes suggest MTU issues. Do you find that smaller file sizes are OK but bigger transfers are problematic. Does the speed differ through the day ?

How does the link perform without encryption - is it possible to find out

General questions

Has anything changed recently, has anyone changed any of the phase 1/2 associations (unlikely I am sure) as you have indicated that it is working. Has the ISP done anything ? Do your crypto access-list and nonat access-lists tie up at either end.

If you can supply the above and maybe a little more detail, perhaps someone more knowledgeable will be able to assist.

Regards

Darren

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.