This page is dedicated to the VPN errors that may be seen on a Cisco router running IOS.

%CRYPTO-6-IKMP_SA_NOT_OFFERED: Remote peer %15i responded with attribute [chars] not offered or changed

- ISAKMP peers negotiate a policy by the initiating peer offering a list of possible protection suites; the responder must select one of them unchanged. Here the responder replied with an ISAKMP policy (or an attribute value) the initiator never offered. Contact the remote end administrator and request a policy check.

%CRYPTO-6-IKMP_SA_NOT_AUTH: Cannot accept Quick Mode exchange from %15i if SA is not authenticated

- The ISAKMP SA with the remote peer was not authenticated, yet the peer attempted to begin a Quick Mode (phase 2) exchange. Quick Mode can only run over an authenticated ISAKMP SA, so the phase 1 negotiation has not completed. Contact the remote peer administrator and ensure the phase 1 policies match.

%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=#.

- This error is the result of packet reordering in the transmission medium (especially where parallel paths exist), or of unequal processing paths inside Cisco IOS for large versus small packets under load, so that packets arrive outside the anti-replay window. The replay check is only performed when the transform set includes an authentication transform such as esp-md5-hmac or esp-sha-hmac, because anti-replay is part of the IPsec authentication service. Removing the HMAC transform and running encryption only does suppress the message, but it also removes integrity protection and leaves the tunnel open to undetected tampering and replay; the better fix is to keep the HMAC and either enlarge the anti-replay window or, as a last resort, disable the replay check. The counter "#pkts replay failed (rcv)" in show crypto ipsec sa confirms that the drops are replay related. If the connection ID is 2000 this can also be a known bug affecting some older IOS releases; without going into details, upgrade to release 12.0(6.5)T05 or above.
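As an added example (not configuration from the original post), the two ways of making this message go away side by side: the weak one that drops the HMAC, and the preferred one that keeps integrity protection and deals with the reordering instead. The transform-set and crypto-map names, the peer address and the ACL number are assumptions.

```cisco
! Added example, not from the original post. TS-WEAK, TS-GOOD, VPN-MAP,
! the peer address and ACL 101 are assumed names and values.

! Weak fix: silences %CRYPTO-4-PKT_REPLAY_ERR by dropping the HMAC transform.
! ESP without authentication gives confidentiality only; a packet can be
! modified or replayed without the receiver noticing.
crypto ipsec transform-set TS-WEAK esp-aes
 mode tunnel

! Preferred: keep the authentication transform.
crypto ipsec transform-set TS-GOOD esp-aes 256 esp-sha-hmac
 mode tunnel

! Option 1: widen the anti-replay window (default 64 packets) so moderate
! reordering stays inside it. Global command; it applies to SAs built
! after the change, so clear the SAs or wait for rekey.
crypto ipsec security-association replay window-size 1024

! Option 2: if QoS on the encrypting router reorders packets after they are
! encrypted, classify on the inner headers before encryption instead.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-GOOD
 match address 101
 qos pre-classify

! Last resort only, keeps the HMAC but turns the replay check off:
! crypto ipsec security-association replay disable
```

After the change, watch "show crypto ipsec sa | include replay" on the receiving side; the "#pkts replay failed (rcv)" counter should stop increasing while "#pkts verify failed" stays at zero.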

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at xx.xx.xx.xx

- A show crypto isakmp sa command shows the ISAKMP SA in MM_NO_STATE, which also means that Main Mode has failed. Verify that the phase 1 policies and all their attributes match on both peers.
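The three messages above (IKMP_SA_NOT_OFFERED, IKMP_SA_NOT_AUTH and IKMP_MODE_FAILURE) all come back to phase 1 policies that do not agree. As an added example that is not from the original post, here is a pair of peers whose policies cannot match and the corrected responder policy; the policy numbers, addresses and pre-shared key are assumptions.

```cisco
! Added example, not from the original post. Policy numbers, addresses and
! the key EXAMPLE-KEY are assumed values.

! Router A (initiator) offers this protection suite.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key EXAMPLE-KEY address 203.0.113.2

! Router B (responder), wrong: no policy matches the offer in all four
! negotiated attributes (encryption, hash, authentication, DH group);
! here only the group differs. Main Mode fails, show crypto isakmp sa
! shows MM_NO_STATE, and %CRYPTO-6-IKMP_MODE_FAILURE is logged.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400

! Router B, corrected: identical in the four negotiated attributes.
! The lifetime does not have to be identical; if the peer offers a shorter
! one, the shorter lifetime is used.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key EXAMPLE-KEY address 203.0.113.1

! Checks to run on each side before calling the remote administrator:
! show crypto isakmp policy
! show crypto isakmp sa
! debug crypto isakmp
```

Compare the output of show crypto isakmp policy on both routers attribute by attribute; a policy with a lower number is preferred, but any one policy that matches in all four attributes is enough for Main Mode to complete.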

%MOTCR-1-PKTENGRET_ERROR: MOTCR PktEng Return Value = 0x20000, PktEngReturn_MACMiscompare

- This is reported when verification of the HMAC on an IPsec packet fails. These errors are not uncommon and can be ignored if there are only a few; large numbers may indicate a problem with the crypto accelerator.

IPSEC(initialize_sas): Invalid proxy IDs 

- Indicates that the crypto access lists at the two ends are not mirror images of each other, most commonly when one side supernets and the other uses individual addresses or subnets.
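An added example of the supernet-versus-individual-subnet mismatch the entry above describes, with the corrected mirror-image access list; this is not configuration from the original post, and the addresses and ACL names are assumptions.

```cisco
! Added example, not from the original post. Addresses and ACL names are
! assumed values.

! Router A protects its whole 10.1.0.0/16 towards B's 10.2.0.0/16.
ip access-list extended VPN-A
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

! Router B, wrong: individual /24 subnets instead of the mirror image of
! VPN-A. A proposes proxy IDs 10.1.0.0/16 <-> 10.2.0.0/16; B has nothing
! that matches, so the phase 2 proposal is rejected and
! IPSEC(initialize_sas): Invalid proxy IDs is logged.
ip access-list extended VPN-B-WRONG
 permit ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.2.2.0 0.0.0.255 10.1.2.0 0.0.0.255

! Router B, corrected: the exact mirror image of VPN-A, source and
! destination swapped.
ip access-list extended VPN-B
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

! show crypto ipsec sa lists the local ident / remote ident (the proxy
! IDs) each side is using; compare them after a failure.
```

The crypto ACLs must mirror each other line for line, not just cover the same hosts in aggregate, because the proxy IDs carried in Quick Mode are taken directly from the matching ACL entry.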

%CRYPTO-4-RECVD_PKT_INV_IDENTITY

- This error is seen as part of a known bug where, in a multiple-peer environment, packets may be encrypted with the wrong SAs and delivered to the wrong peers. An IOS upgrade is recommended.

Whilst investigating the errors associated with VPN negotiation I came across the following book:

The Complete Cisco VPN Configuration Guide
By Richard Deal

It has a useful section on phase 1 and phase 2 negotiations along with sample errors and working configs. It also guides you step by step through configuring your VPN. Worth a read if you are new to this, and a good refresher course for those who are not.
