PIX 501 IPSEC errors

Discussion in 'Cisco' started by Paddy, Oct 13, 2006.

  1. Paddy

    Paddy Guest

    Get the following from "show crypto ipsec sa":

    #pkts encaps: 1365731, #pkts encrypt: 1365731, #pkts digest 1365731
    #pkts decaps: 1742544, #pkts decrypt: 1742544, #pkts verify 1742544
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 84028

    Get the following from "debug crypto ipsec":

    IPSEC(sw_esp_decap): authenticate failed
    IPSEC(cipher_ipsec_request): decap failed for xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy

    Connection is up, but is slow.
     
    Paddy, Oct 13, 2006
    #1

  2. Paddy

    Darren Green Guest

    "Paddy" <> wrote in message
    news:...
    > Get the following from "show crypto ipsec sa":
    >
    > #pkts encaps: 1365731, #pkts encrypt: 1365731, #pkts digest 1365731
    > #pkts decaps: 1742544, #pkts decrypt: 1742544, #pkts verify 1742544
    > #pkts compressed: 0, #pkts decompressed: 0
    > #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    > #send errors 6, #recv errors 84028
    >
    > Get the following from "debug crypto ipsec":
    >
    > IPSEC(sw_esp_decap): authenticate failed
    > IPSEC(cipher_ipsec_request): decap failed for xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy
    >
    > Connection is up, but is slow.
    >

    Hi Paddy,

    What is at the other end of this tunnel - router / VPN client?

    Do you have any errors in your buffer/logs on either end of the tunnel -
    invalid SPI info perhaps, making the VPN re-negotiate because a packet was
    received out of sync?

    Slow connections can sometimes suggest MTU issues. Do you find that smaller
    file sizes are OK but bigger transfers are problematic? Does the speed
    differ through the day?

    How does the link perform without encryption - is it possible to find out?

    General questions

    Has anything changed recently? Has anyone changed any of the phase 1/2
    associations (unlikely I am sure), as you have indicated that it is working?
    Has the ISP done anything? Do your crypto access-list and nonat
    access-lists tie up at either end?

    If you can supply the above and maybe a little more detail, perhaps someone
    more knowledgeable will be able to assist.

    Regards


    Darren
     
    Darren Green, Oct 14, 2006
    #2
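
Added example, not part of either post: the counters and debug lines quoted in the first post, parsed in Python to show what share of inbound packets is failing and which debug reason accounts for it. It assumes `recv errors` is counted separately from `pkts decaps`; the function names and the 1% threshold are illustrative.

```python
import re
from collections import Counter

# Output quoted in the first post of this thread.
SHOW_SA = """\
#pkts encaps: 1365731, #pkts encrypt: 1365731, #pkts digest 1365731
#pkts decaps: 1742544, #pkts decrypt: 1742544, #pkts verify 1742544
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 84028
"""
DEBUG = """\
IPSEC(sw_esp_decap): authenticate failed
IPSEC(cipher_ipsec_request): decap failed for xxx.xxx.xxx.xxx -> yyy.yyy.yyy.yyy
"""

COUNTER = re.compile(r"#([a-z. ]+?):? (\d+)")
DEBUG_LINE = re.compile(r"IPSEC\((\w+)\): (.+?)(?: for (\S+) -> (\S+))?$")

def parse_counters(text):
    """Map counter name -> value, e.g. {'recv errors': 84028, ...}."""
    return {name.strip(): int(value) for name, value in COUNTER.findall(text)}

def recv_error_ratio(counters):
    """Share of inbound packets that failed. Assumption: 'recv errors' is
    counted separately from 'pkts decaps', so the total is their sum."""
    bad, good = counters["recv errors"], counters["pkts decaps"]
    return bad / (bad + good) if bad + good else 0.0

def summarize_debug(text):
    """Count debug messages by (function, reason)."""
    matches = (DEBUG_LINE.match(line.strip()) for line in text.splitlines())
    return Counter((m.group(1), m.group(2)) for m in matches if m)

def assess(show_sa, debug, threshold=0.01):
    """threshold is an arbitrary example value, not a Cisco recommendation."""
    counters = parse_counters(show_sa)
    ratio = recv_error_ratio(counters)
    reasons = summarize_debug(debug)
    return {
        "recv_error_ratio": round(ratio, 4),
        "send_errors": counters["send errors"],
        "auth_failures_seen": reasons[("sw_esp_decap", "authenticate failed")],
        "needs_attention": ratio > threshold,
    }

if __name__ == "__main__":
    print(assess(SHOW_SA, DEBUG))
```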