Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
thread35-658905
- Thread starter vince62s
- Start date
- Thread starter
- #3
I replicated this
except that my PIX is 6.2
it works fine each time I clear crypto sa, but at expiration of ipsec lifetime, it renegociates, looks fine but then loses tunnel.
debuging on PIX gives nothing
debuging on router says:
%CRYPTO .. replay error.
then I removed the esp-md5-hmac in transfor set but new error at rekey:
%CRYPTO ...bad length.
then I tried to avoid IKE and have a manual IPSEC conf:
router gives an error:
%..manual stuffing...no valide engine ...id 0
any idea?
is 12.0(7)T buggy ?
except that my PIX is 6.2
it works fine each time I clear crypto sa, but at expiration of ipsec lifetime, it renegociates, looks fine but then loses tunnel.
debuging on PIX gives nothing
debuging on router says:
%CRYPTO .. replay error.
then I removed the esp-md5-hmac in transfor set but new error at rekey:
%CRYPTO ...bad length.
then I tried to avoid IKE and have a manual IPSEC conf:
router gives an error:
%..manual stuffing...no valide engine ...id 0
any idea?
is 12.0(7)T buggy ?
NetworkGhost
IS-IT--Management
Try taking repalcing this:
esp-md5-hmac
with:
esp-sha-hmac
Here is the Bug:
Release Notes
When you configure output interfaces with fast switching on a Cisco 1700
series router, IP Security (IPSec) traffic might report replay errors for
certain packets because IPSec decryption connection identifiers are not
saved correctly when the packets are coalesced from protocol control
information (PCI) memory to DRAM. The replay errors usualy appear in incoming
traffic. A Media Access Control (MAC) verify failure error might also appear.
There is no workaround.
You may want to do this during a change window because you will need to clear the isakmp and ipsec sa's.
esp-md5-hmac
with:
esp-sha-hmac
Here is the Bug:
Release Notes
When you configure output interfaces with fast switching on a Cisco 1700
series router, IP Security (IPSec) traffic might report replay errors for
certain packets because IPSec decryption connection identifiers are not
saved correctly when the packets are coalesced from protocol control
information (PCI) memory to DRAM. The replay errors usualy appear in incoming
traffic. A Media Access Control (MAC) verify failure error might also appear.
There is no workaround.
You may want to do this during a change window because you will need to clear the isakmp and ipsec sa's.
- Thread starter
- #5
Thanks, I will try. However my router is a 2621 router. does it make a difference?
Also I did not enable fastswitching, I think.
I will try, it does not hurt.
do I have to change also the hash method too ?
(line : isakmp policy 21 hash md5)
- Thread starter
- #7
NetworkGhost
IS-IT--Management
You are a few revs behind on both the Pix and the Router. Is there a reason? Try upgrading your Router if you can. I think the latest rev out is 12.4. Check out your hardware requirments. I would also upgrade the Pix if possible.
- Status