Velocity Reviews - Computer Hardware Reviews

more detail in IPSEC debugging?

 
 
Rob
Guest
Posts: n/a
 
      10-03-2012
We have several IPSEC tunnels to all kinds of different routers.
When I enable "debug crypto ipsec" I get occasional messages like this:

IPSEC(epa_des_crypt): decrypted packet failed SA identity check

I know what it means and how to solve it, but unfortunately there
is no reference to what SA it is related to.

Is there really no way to get this information?
Anything pointing to the source of the problem would be welcome...
(remote IP address, SA number, etc)
 
Rob
Guest
Posts: n/a
 
      10-07-2012
jwil <> wrote:
> Try debug crypto isakmp
>
>
> On 03 Oct 2012 07:41 AM, Rob <> wrote:
>> We have several IPSEC tunnels to all kinds of different routers.
>> When I enable "debug crypto ipsec" I get occasional messages like this:
>>
>> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
>>
>> I know what it means and how to solve it, but unfortunately there
>> is no reference to what SA it is related to.
>>
>> Is there really no way to get this information?
>> Anything pointing to the source of the problem would be welcome...
>> (remote IP address, SA number, etc)


Sorry but isakmp is not related to these errors...

 
Rob
Guest
Posts: n/a
 
      10-08-2012
jwil <> wrote:
> Is this a router or firewall?
>
> Debug crypto isakmp and ipsec are both good ways to find out why the tunnel is not working or has errors. They just work for different phases of the tunnel. Maybe you should try to use a higher level of debug, i.e. debug crypto ipsec 100.


It is a router.
100 is not a valid option for debug crypto ipsec.
That is exactly the kind of thing I am looking for: some option to
have more debug output. But I cannot find it.

I have only this message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check

I know what it means but I want to know what is the packet that is not
matching so that I can change the access list on the correct peer.
 