more detail in IPSEC debugging?

Discussion in 'Cisco' started by Rob, Oct 3, 2012.

  1. Rob

    Rob Guest

    We have several IPSEC tunnels to all kinds of different routers.
    When I enable "debug crypto ipsec" I get occasional messages like this:

    IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    I know what it means and how to solve it, but unfortunately there
    is no reference to what SA it is related to.

    Is there really no way to get this information?
    Anything pointing to the source of the problem would be welcome...
    (remote IP address, SA number, etc)
    Rob, Oct 3, 2012
    #1

  2. Rob

    Rob Guest

    jwil <> wrote:
    > Try debug crypto isakmp
    >
    >
    > On 03 Oct 2012 07:41 AM ,Rob <> wrote:
    >> We have several IPSEC tunnels to all kinds of different routers.
    >> When I enable "debug crypto ipsec" I get occasional messages like this:
    >>
    >> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    >>
    >> I know what it means and how to solve it, but unfortunately there
    >> is no reference to what SA it is related to.
    >>
    >> Is there really no way to get this information?
    >> Anything pointing to the source of the problem would be welcome...
    >> (remote IP address, SA number, etc)


    Sorry but isakmp is not related to these errors...
    Rob, Oct 7, 2012
    #2

  3. Rob

    Rob Guest

    jwil <> wrote:
    > Is this a router or Firewall?
    >
    > Debug crypto isakmp and ipsec are both good ways to find out why the tunnel is not working or has errors. They just work for different phases of the tunnel. Maybe you should try to use a higher level of debug, i.e. debug crypto ipsec 100.


    It is a router.
    100 is not a valid option for debug crypto ipsec.
    That is exactly the kind of thing I am looking for: some option to
    have more debug output. But I cannot find it.

    I have only this message:
    IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    I know what it means but I want to know what is the packet that is not
    matching so that I can change the access list on the correct peer.
    Rob, Oct 8, 2012
    #3
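The "decrypted packet failed SA identity check" message means the inner addresses of a decrypted packet did not match the proxy identities (crypto ACL) of the SA it arrived on, and the most common cause is crypto ACLs that are not mirror images on the two peers. As an added example that is not part of this thread, the script below parses the crypto ACLs of two peers (constructed sample lines, hypothetical addresses) and lists the entries the other side does not mirror, which is the check Rob would run once he knows which peer is involved.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample crypto ACLs for two hypothetical peers (not from the thread).
# Peer B's second line uses a host wildcard (0.0.0.0) where peer A expects a /24.
PEER_A_ACL = """
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
"""
PEER_B_ACL = """
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.3.3.0 0.0.0.0 10.1.1.0 0.0.0.255
"""

def _parse_spec(tokens, i):
    """Consume one address spec: 'host A', 'any', or 'A WILDCARD' (Cisco inverted mask)."""
    if tokens[i] == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    wildcard_bits = bin(int(IPv4Address(tokens[i + 1]))).count("1")
    prefix = 32 - wildcard_bits  # contiguous wildcard masks assumed
    return IPv4Network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_acl(text):
    """Return a set of (protocol, source_net, destination_net) for each permit ACE."""
    entries = set()
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue  # deny lines and comments do not define proxy identities
        proto = tokens[1]
        src, i = _parse_spec(tokens, 2)
        dst, _ = _parse_spec(tokens, i)
        entries.add((proto, src, dst))
    return entries

def unmirrored(local_acl, remote_acl):
    """Local proxy identities the remote peer does not mirror.

    A local 'src -> dst' entry must appear on the remote side as 'dst -> src';
    traffic selected by an unmirrored entry is decrypted under an SA whose
    identity it does not match, which is what the debug message reports.
    """
    remote_mirrored = {(p, d, s) for p, s, d in parse_acl(remote_acl)}
    return sorted((e for e in parse_acl(local_acl) if e not in remote_mirrored), key=str)

if __name__ == "__main__":
    for proto, src, dst in unmirrored(PEER_A_ACL, PEER_B_ACL):
        print(f"peer B does not mirror: permit {proto} {src} -> {dst}")
```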