VPN between Cisco 1841 and NGX 61
larkspur
Member Posts: 235
I have my IPsec VPN sites with split tunnel config on Cisco routers and terminate to CP NGX 61 boxes.
I monitor site availability via ICMP requests (What's Up Gold).
The issue:
Several times a day I get notifications that the private network is not responding. So when I check the logs I see:
Encryption Scheme: IKE
VPN Peer Gateway:
Subproduct: VPN
VPN Feature: IKE
Information: encryption failure: Unknown SPI: 0x1085dd79 for IPsec packet.
Action: Drop
Protocol: 50
Source:
Destination:
Information: encryption fail reason: Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found
Number: 659119
Date: 7Jun2007
Time: 13:34:53
Product: VPN-1 Power/UTM
Interface: eth1
Origin: fw
Type: Log
Action: Drop
Protocol: 50
Source: 1.1.1.1 - spoke site
Destination: 2.2.2.2 - hub site
Information: encryption fail reason: Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found
I have checked the Cisco side and see a similar error, but then the tunnel establishes and life goes on. The packets are encrypted/decrypted from both sides for 2 to 6 hours, then this happens again.
Any ideas?
Any insight is gratefully welcomed.
just trying to keep it all in perspective!
Comments
-
Ahriakin
Member Posts: 1,799
It sounds like it's just notifying you, redundantly, of the tunnel breakdown while the SAs are renegotiated. It should happen periodically based on your configured SA lifetime (which can usually be set in either bytes used or time); if you are seeing it happen after different amounts of time, then I'd say your SA is configured for bytes transferred.
We responded to the Year 2000 issue with "Y2K" solutions... isn't this the kind of thinking that got us into trouble in the first place?
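Ahriakin's distinction between a time-based and a byte-based SA lifetime can be checked from the gateway logs themselves: if the Unknown SPI drops for a given spoke recur at a steady period, the rekey is being driven by the clock; if the gaps wander, the lifetime is being consumed by traffic volume. The script below is an added example, not code from either poster, Check Point or Cisco. It parses records in the "Key: Value" layout of the excerpt above, keeps only Unknown-SPI drops, groups them by spoke/hub pair and classifies the spacing. The log records, timestamps and SPI values are constructed for the example; the addresses reuse the poster's 1.1.1.1 / 2.2.2.2 placeholders plus an invented second spoke 3.3.3.3.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed records in the "Key: Value" layout the Check Point excerpt in
# the thread uses. Times, SPIs and the 3.3.3.3 spoke are invented here.
RECORD_TEMPLATE = """\
Number: {number}
Date: 7Jun2007
Time: {time}
Product: VPN-1 Power/UTM
Interface: eth1
Action: Drop
Protocol: 50
Source: {src}
Destination: {dst}
Information: encryption failure: Unknown SPI: {spi} for IPsec packet.
Information: encryption fail reason: Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found
"""

_DROPS = [  # (time, spoke, hub, spi) -- constructed sample data
    ("09:34:53", "1.1.1.1", "2.2.2.2", "0x1085dd79"),
    ("13:34:53", "1.1.1.1", "2.2.2.2", "0x2a41c0e3"),
    ("17:34:53", "1.1.1.1", "2.2.2.2", "0x0f9b7712"),
    ("21:34:53", "1.1.1.1", "2.2.2.2", "0x5cd3a8b4"),
    ("08:00:00", "3.3.3.3", "2.2.2.2", "0x7e12f03a"),
    ("10:12:30", "3.3.3.3", "2.2.2.2", "0x1b8c44d9"),
    ("15:40:00", "3.3.3.3", "2.2.2.2", "0x63f0a1c7"),
]
SAMPLE_LOG = "\n".join(
    RECORD_TEMPLATE.format(number=1000 + i, time=t, src=s, dst=d, spi=p)
    for i, (t, s, d, p) in enumerate(_DROPS))

SPI_RE = re.compile(r"Unknown SPI: (0x[0-9a-fA-F]+)")


def parse_records(text):
    """Split blank-line separated 'Key: Value' blocks into dicts.

    A key that repeats inside one record (the thread shows two Information:
    lines per record) is kept as a list of values, in order.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = defaultdict(list)
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)   # only the first colon separates
            rec[key.strip()].append(value.strip())
        if rec:
            records.append(dict(rec))
    return records


def _address(field):
    # The poster annotated addresses as "1.1.1.1 - spoke site"; keep the IP only.
    return field.split(" - ", 1)[0].strip()


def unknown_spi_events(records):
    """Return sorted (timestamp, src, dst, spi) tuples for Unknown-SPI drops."""
    events = []
    for rec in records:
        if "Drop" not in rec.get("Action", []):
            continue
        spi = None
        for info in rec.get("Information", []):
            match = SPI_RE.search(info)
            if match:
                spi = match.group(1)
        if spi is None:
            continue                           # some other drop reason
        stamp = datetime.strptime(
            f"{rec['Date'][0]} {rec['Time'][0]}", "%d%b%Y %H:%M:%S")
        events.append((stamp, _address(rec["Source"][0]),
                       _address(rec["Destination"][0]), spi))
    return sorted(events)


def rekey_intervals(events):
    """Seconds between successive Unknown-SPI drops, per (src, dst) pair."""
    by_pair = defaultdict(list)
    for stamp, src, dst, _spi in events:
        by_pair[(src, dst)].append(stamp)
    return {pair: [int((b - a).total_seconds())
                   for a, b in zip(stamps, stamps[1:])]
            for pair, stamps in by_pair.items()}


def classify(intervals, tolerance=0.10):
    """'regular' when every gap lies within tolerance of the median gap.

    A steady period is what a time-based SA lifetime produces; scattered gaps
    match a lifetime measured in bytes, where rekey timing follows traffic.
    """
    if len(intervals) < 2:
        return "insufficient data"
    median = statistics.median(intervals)
    if median <= 0:
        return "insufficient data"
    worst = max(abs(gap - median) for gap in intervals) / median
    return "regular" if worst <= tolerance else "irregular"


if __name__ == "__main__":
    events = unknown_spi_events(parse_records(SAMPLE_LOG))
    for (src, dst), gaps in rekey_intervals(events).items():
        print(f"{src} -> {dst}: gaps {gaps} s -> {classify(gaps)}")
```

On the constructed data the 1.1.1.1 spoke rekeys every 14400 s and is reported as regular, while 3.3.3.3 shows gaps of 7950 s and 19650 s and is reported as irregular, which is the pattern Ahriakin associates with a byte-based lifetime. Run against a real SmartView Tracker export, a spoke whose drops coincide with each rekey and last only a few seconds is the benign case described in the thread; drops that persist for minutes, or that arrive with SPIs the peer never negotiated, would be worth investigating rather than ignoring.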
-
larkspur
Member Posts: 235
Ahriakin - Thank you for your response.
I will tweak the config. I would prefer the SA to be set by time.
just trying to keep it all in perspective!
-
JoeJensen
Member Posts: 1
I've noticed that I have similar entries in my Cisco 1841 router logs as well in the past, but everything seems to be working. I'll recommend Ahriakin's advice and ignore it unless somebody notices a problem, for anybody else who sees this.
Joe Jensen
webmaster
Read my Cisco 1841 router review