hussainha

asked on

2811 Cisco Router error message

Hi,

I connected a Cisco 2811 router (IOS Version 12.4(23)) to a Cisco 3845 router with crypto and it's working fine, but I get this error message:
"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3007 local=172.22.26.2 remote=172.22.23.2 spi=EE87FE61 seqno=000001F5"
I tried everything to get rid of this message but no luck; any help please?
Current configuration : 6581 bytes
!
! Last configuration change at 08:17:21 UTC Sat Nov 1 2008 by hani
! NVRAM config last updated at 07:45:08 UTC Sat Nov 1 2008 by hani
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RASUKAHA_WSHOP0001
!
boot-start-marker
boot-end-marker
!
logging buffered 5000 debugging
enable secret 5 
!
no aaa new-model
!
!
ip cef
!         
!
ip domain name yourdomain.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 180 attempts 3 within 100
login delay 1
login quiet-mode access-class 199
login on-failure
login on-success
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!         
!
!
!
crypto pki trustpoint TP-self-signed-3200864679
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3200864679
 revocation-check none
 rsakeypair TP-self-signed-3200864679
!
!
crypto pki certificate chain TP-self-signed-3200864679
 certificate self-signed 01
  quit
username
username!
!
! 
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key VPN@petro address 172.22.20.2
crypto isakmp key VPN@petro address 172.22.23.2
!
!
crypto ipsec transform-set proposal3 esp-des esp-md5-hmac 
crypto ipsec transform-set proposal4 esp-des esp-md5-hmac 
!
crypto map s3second 3 ipsec-isakmp 
 set peer 172.22.20.2
 set transform-set proposal3 
 match address 123
!
crypto map s4second 4 ipsec-isakmp 
 set peer 172.22.23.2
 set transform-set proposal4 
 match address 124
!
!
!
!
interface Tunnel1
 ip address 172.3.3.6 255.255.255.252
 shutdown
 tunnel source 172.22.20.60
 tunnel destination 172.22.20.20
 crypto map s3second
!
interface Tunnel2
 ip address 172.3.3.10 255.255.255.252
 tunnel source 172.22.26.2
 tunnel destination 172.22.23.2
 crypto map s4second
!
interface Tunnel11
 ip address 192.168.100.2 255.255.255.252
 tunnel source 172.22.26.2
 tunnel destination 172.22.20.2
 crypto map s3second
!
interface FastEthernet0/0
 description LAN Gateway
 ip address 172.25.1.50 255.255.0.0
 no ip route-cache cef
 no ip route-cache
 duplex full
 speed 100
 no cdp enable
!
interface FastEthernet0/1
 description VSAT Connection
 ip address 172.22.26.2 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex full
 speed 100
 no cdp enable
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Tunnel2
ip route 172.17.0.0 255.255.0.0 192.168.100.1
ip route 172.20.0.0 255.255.0.0 Tunnel2
ip route 172.22.20.0 255.255.255.0 172.22.26.1
ip route 172.22.23.0 255.255.255.0 172.22.26.1
!
!
no ip http server
ip http authentication local
ip http secure-server
!         
!
logging trap notifications
logging 172.17.1.88
access-list 1 permit 212.100.196.128 0.0.0.31
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 99 permit 172.17.0.0 0.0.255.255
access-list 99 permit 212.100.196.128 0.0.0.31
access-list 99 deny   any log
access-list 123 remark Riy-Sokh
access-list 123 remark SDM_ACL Category=20
access-list 123 permit ip 172.25.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 123 permit ip host 172.22.26.2 host 172.22.20.2
access-list 123 permit ip host 192.168.100.2 host 192.168.100.1
access-list 124 permit ip 172.25.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 124 permit ip host 172.22.26.2 host 172.22.23.2
access-list 124 permit gre host 172.3.3.10 host 172.3.3.9
access-list 198 permit tcp 172.20.0.0 0.0.255.255 any eq telnet
access-list 199 permit tcp 172.17.0.0 0.0.255.255 any eq telnet log-input
access-list 199 permit tcp host 212.100.196.145 any eq telnet log-input
snmp-server community MaadeNST RO 1
snmp-server enable traps tty
no cdp run
!         
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^CCCCCCCCCC
                                                  ======================
                                                         WARNING                   
                                                  ======================
          
If you are an unauthorized user LOG OFF NOW, all unauthorized access will be prosecuted to the full extent of the law
          
This is a private Network Device. This resource including all related equipment, networks and network devices, are provided for authorized use. This systems are monitored for all lawful purposes, including ensuring authorized use

The monitoring on this system may include audits by authorized personnel to test or verify the validity, security and survivability of this system. During monitoring information may be examined, recorded, copied and used for authorized purposes. All Evidence of unauthorized use collected during monitoring will be used for criminal prosecution by Company IT staff, legal counsel and law enforcement agencies
.^C
!
line con 0
 password 7 
 login local
line aux 0
line vty 0 4
 access-class 198 in
 password 7 
 login local
 transport input telnet
line vty 5 15
 access-class 198 in
 password 7 
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end

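As an added example (not from the question, the accepted solution, or any Cisco tool), here is a small Python script that parses the %CRYPTO-4-RECVD_PKT_MAC_ERR message quoted above and aggregates failures per IPsec SA (local, remote, spi), so a defender can tell a sustained failure on one SA from sporadic corruption on the VSAT link. The sample log lines are constructed; only the first is the message from the question.

```python
import re
from collections import defaultdict

# Pattern for the IOS message quoted in the question: connection id, local,
# remote and spi identify the inbound IPsec SA; seqno is the ESP sequence number.
MAC_ERR_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection "
    r"id=(?P<conn>\d+) local=(?P<local>[\d.]+) remote=(?P<remote>[\d.]+) "
    r"spi=(?P<spi>[0-9A-Fa-f]+) seqno=(?P<seqno>[0-9A-Fa-f]+)"
)

def parse_mac_err(line):
    """Return the message fields as a dict, or None for any other syslog line."""
    m = MAC_ERR_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"])
    rec["spi"] = rec["spi"].upper()
    rec["seqno"] = int(rec["seqno"], 16)  # IOS prints spi and seqno in hex
    return rec

def summarize(lines, threshold=3):
    """Per-SA (local, remote, spi) counts; flag SAs at or above threshold.
    Consecutive seqnos on one SA mean every packet on it fails (check the SA
    on both peers); isolated seqnos on a lossy VSAT link look like corruption."""
    stats = defaultdict(lambda: {"count": 0, "seqnos": []})
    for line in lines:
        rec = parse_mac_err(line)
        if rec is None:
            continue
        sa = stats[(rec["local"], rec["remote"], rec["spi"])]
        sa["count"] += 1
        sa["seqnos"].append(rec["seqno"])
    for sa in stats.values():
        seq = sorted(sa["seqnos"])
        sa["seqnos"] = seq
        sa["flag"] = sa["count"] >= threshold
        sa["consecutive"] = len(seq) > 1 and all(b - a == 1 for a, b in zip(seq, seq[1:]))
    return dict(stats)

# Constructed sample: the line from the question plus invented neighbours.
SAMPLE_LOG = [
    "Nov  1 08:20:01.101: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3007 local=172.22.26.2 remote=172.22.23.2 spi=EE87FE61 seqno=000001F5",
    "Nov  1 08:20:01.205: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3007 local=172.22.26.2 remote=172.22.23.2 spi=EE87FE61 seqno=000001F6",
    "Nov  1 08:20:01.310: %SYS-5-CONFIG_I: Configured from console by hani",
    "Nov  1 08:20:01.412: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3007 local=172.22.26.2 remote=172.22.23.2 spi=EE87FE61 seqno=000001F7",
    "Nov  1 08:21:44.007: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=3001 local=172.22.26.2 remote=172.22.20.2 spi=0A1B2C3D seqno=00000010",
]
```

Run `summarize(SAMPLE_LOG)` on a buffered-log export (for example the output of `show logging`) to see which SA is failing and whether the failures are continuous.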

bkepford

Have you tried using "no ip route-cache" on the tunnel interfaces on both routers?
hussainha

ASKER

Yes, I tried, but still no luck; I tried it even on the physical interface but still nothing.
Once you disable fast switching (no ip route-cache) you may need to reload the routers.
 
ASKER CERTIFIED SOLUTION
hussainha
