VPN Error Messages

Status
Not open for further replies.

Yehey

Technical User
Nov 23, 2007
Hi,

I've been receiving these error messages for quite some time now. Did some searching and found an article on the Cisco website. Don't know much about VPN, so I'm not sure if my configs are correct. Appreciate your help :)

Error Message:

Jun 27 13:35:16.459 EDT: %HIFN79XX-1-ERROR: chifn79xx_crypto_callback() toolkit return failure
Jun 27 13:35:16.459 EDT: %HIFN79XX-1-PKTENGRET_ERROR: Hifn79xx PktEng Return Value = 0x20000, Hifn79xx_PktEngReturn_MACMiscompare

Here is the article:

"Cross-Platform Release Notes for Cisco IOS Release 12.3 T, Part 5: Caveats" book.

CSCee12666

Symptoms: On a Cisco 83X router with crypto engine accelerator enabled, the router fails to authenticate packets when AH authentication is used without any ESP in transport mode. The following logs can be seen on the console for every packet that fails.

%HIFN79XX-1-ERROR: chifn79xx_crypto_callback() toolkit return failure
%HIFN79XX-1-PKTENGRET_ERROR: Hifn79xx PktEng Return Value = 0x10000, Hifn79xx_PktEngReturn_Overflow.


-Traceback= 80975F10 80984E60 809847B4 809820E8 80980C1C 80973C00 8017D968 801F4F1C 8017D8F0 801F4D7C 802E61D0 802E4D0C 802E50CC 802E5114 802F4360 802F6AF0

Conditions: This only happens when ah-sha-hmac or ah-md5-hmac is used alone without any encryption in the transform set. It also happens only in transport mode. IPSec in Tunnel mode works fine with this transform set.

Workarounds: The following are only needed if using transport mode:
1. Use any ESP transforms along with the AH authentication. (or)
2. Use any ESP transforms without the AH authentication.



And my router config:

crypto isakmp policy 4
 authentication pre-share
crypto isakmp key 0 cdnbw4ll-nyf1x address 0.0.0.0 0.0.0.0
crypto isakmp identity hostname
!
!
crypto ipsec transform-set nyfxvpn esp-3des esp-md5-hmac
 mode transport
!
crypto map vpn local-address Ethernet1
crypto map vpn 1 ipsec-isakmp
 set peer X.X.X.X
 set transform-set nyfxvpn
 match address cdvpn
crypto map vpn 2 ipsec-isakmp
 set peer X.X.X.X
 set transform-set nyfxvpn
 match address nbvpn



Thanks
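
Added example, not part of the original post and not Cisco code: a Python check of whether a transform set and a logged return name meet the CSCee12666 conditions quoted above (an AH transform alone, transport mode, Overflow return). The function names and the `ahonly` transform set are constructed for illustration.

```python
import re

# Conditions as quoted in the thread from CSCee12666: an AH transform used
# alone (no ESP transform) in transport mode, logged with the Overflow return.
AH_TRANSFORMS = {"ah-sha-hmac", "ah-md5-hmac"}
CAVEAT_RETURN = "Hifn79xx_PktEngReturn_Overflow"

def parse_transform_sets(config):
    """Map each transform-set name to its transforms and mode."""
    sets, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)", line)
        if m:
            current = m.group(1)
            # IOS transform sets default to tunnel mode when no mode is given.
            sets[current] = {"transforms": m.group(2).split(), "mode": "tunnel"}
        elif current and re.match(r"mode (tunnel|transport)\b", line):
            sets[current]["mode"] = line.split()[1]
        elif line:
            current = None  # any other command leaves the transform-set block
    return sets

def matches_caveat(ts):
    """True when the set is AH-only (no esp-* transform) and in transport mode."""
    transforms = set(ts["transforms"])
    has_esp = any(t.startswith("esp-") for t in transforms)
    return bool(transforms & AH_TRANSFORMS) and not has_esp and ts["mode"] == "transport"

def return_names(log_text):
    """Extract the PktEng return names from PKTENGRET_ERROR log lines."""
    return re.findall(r"PKTENGRET_ERROR: .*?(Hifn79xx_PktEngReturn_\w+)", log_text)

def triage(config, log_text):
    """Report which transform sets and whether any log line match the caveat."""
    sets = parse_transform_sets(config)
    return {"config_matches": sorted(n for n, ts in sets.items() if matches_caveat(ts)),
            "log_matches": CAVEAT_RETURN in return_names(log_text)}

# Transform set and log line copied from the post; the AH-only set is constructed.
POSTED_CONFIG = "crypto ipsec transform-set nyfxvpn esp-3des esp-md5-hmac\nmode transport\n"
CONSTRUCTED_CONFIG = "crypto ipsec transform-set ahonly ah-sha-hmac\n mode transport\n"
POSTED_LOG = ("%HIFN79XX-1-PKTENGRET_ERROR: Hifn79xx PktEng Return Value = "
              "0x20000, Hifn79xx_PktEngReturn_MACMiscompare")

if __name__ == "__main__":
    print(triage(POSTED_CONFIG, POSTED_LOG))
    print(triage(CONSTRUCTED_CONFIG, POSTED_LOG))
```

For the posted transform set and log line, neither check matches the quoted caveat conditions; the constructed AH-only set does.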
 
Try changing it to tunnel mode rather than transport mode.

Burt
 
Tried that already, Burt. Still got the same error messages. Dunno what seems to be the problem. :(
 
Yehey,

Burt said -"You may want to post in the vpn forum..." or you might try the Cisco routers forum here at Tek Tips!

E.A. Broda
CCNA, CCDA, CCAI, Network +
 
OK Burt and Ciscoguy33. Thanks.
 