
VPN configuration issues

13 years 7 months ago #35451 by 1fox2go
Hello. I am working on setting up a VPN and I am getting this error message.

"Received encrypted packet with no matching SA, dropping"

I am fairly new to this so any help would be great. I can also do any show * commands if anyone needs to see anything.

Thanks
13 years 7 months ago #35466 by Chris
Replied by Chris on topic Re: VPN configuration issues
1fox2go,

Can you please post both router configurations so we can check it for you?

Thanks.

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
13 years 7 months ago #35467 by 1fox2go
I can post the config on my end. The remote site is using a Checkpoint ng R55 for their side.

I am also getting these errors when I view the log viewer in ASDM.

Received Oakley Main mode packet with invalid payloads
Warning: Had problems decrypting packet, probably due to mis-matched pre shared key, switching user to tunnel group. DefaultL2L Group
Error: Had problems decrypting packet, probably due to mismatched key, Aborting
Received encrypted packet with no matching SA, dropping

I know I have the correct pre-shared key on my side, and they confirm that it is correct on their end.
13 years 7 months ago #35471 by 1fox2go
Actually, now I believe the issue is 2 of the same VPNs trying to connect at one time. The remote site technician and I made the decision to remove the VPN and rebuild it. I discovered today that, after removing the tunnel-group, access-lists and crypto map associated with their IP, the tunnel is still up.

How can I remove the VPN completely and start over? Thanks
13 years 7 months ago #35476 by Losh
Replied by Losh on topic Re: VPN configuration issues
I was thinking about your slight problem, and what I was thinking is that there were multiple Security Associations (SAs) tied to the same traffic defined by the crypto map. That means that the router on the other end is also receiving the same message. If you're thinking of setting up new SAs, then copy and paste your config into a text editor, remove what you don't need, then copy and paste the new config to your router, save to memory and reload. It always works for me.

~ Networking :- Just when u think its starting to make sense......... ~
____________________________________________
CCNA, CCNP, CCNA Security, JNCIA, APDS, CISA
13 years 7 months ago #35492 by 1fox2go
Yeah, the problem is this is a production box and I can't reload it during the day. And the kicker is, I can't work with the guys on the VPN at night due to time zone differences.

Anywho, I put a TAC in with Cisco and got the issue resolved. Even he was unsure as to why the ASDM would not build the tunnel.

So instead of using the next crypto map number in series we jumped way ahead to 200 and it fixed the issue.