more detail in IPSEC debugging?

Discussion in 'Cisco' started by Rob, Oct 3, 2012.

  1. Rob

    Rob Guest

    We have several IPSEC tunnels to all kinds of different routers.
    When I enable "debug crypto ipsec" I get occasional messages like this:

    IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    I know what it means and how to solve it, but unfortunately there
    is no reference to what SA it is related to.

    Is there really no way to get this information?
    Anything pointing to the source of the problem would be welcome...
    (remote IP address, SA number, etc)
     
    Rob, Oct 3, 2012
    #1

  2. Rob

    Rob Guest

    Sorry but isakmp is not related to these errors...
     
    Rob, Oct 7, 2012
    #2

  3. Rob

    Rob Guest

    It is a router.
    100 is not a valid option for debug crypto ipsec.
    That is exactly the kind of thing I am looking for: some option to
    have more debug output. But I cannot find it.

    I have only this message:
    IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    I know what it means but I want to know what is the packet that is not
    matching so that I can change the access list on the correct peer.
     
    Rob, Oct 8, 2012
    #3
