
Wednesday, December 9, 2009

The user receives the "%VPN_HW-1-PACKET_ERROR:slot: 0 errors" error message

Our users get this error message when a VPN service module is used on a Cisco router running IOS version 12.4.

Resolution

Verify the cause of the problem by disabling CEF switching with these commands:
(conf)# no ip cef
(conf-if)# no ip route-cache
(conf-if)# no ip mroute-cache

For a workaround, change these settings:
ip tcp adjust-mss on the interfaces
crypto ipsec df-bit

This is a notification message seen on the console of the decrypting peer that tells the user that IPSec packets have been received out of order.

These are the reasons for this message:
  1. Fragmentation. Fragmented crypto packets are process switched. This forces the fast-switched packets to be sent to the VPN card ahead of the process-switched packets. If enough fast-switched packets are processed ahead of the process-switched packets, the ESP or AH sequence number for the process-switched packet will get stale, and when the packet arrives at the VPN card, its sequence number is outside of the replay window. This causes either the AH or ESP sequence number errors, depending on which encapsulation you are using.
  2. Stale cache entries. This instance can also occur when a fast-switch cache entry gets stale, and the first packet with a cache miss gets process switched.
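
The sequence-number effect described in reason 1, as an added example (not from the original post or from Cisco): a Python model of a receive-side anti-replay window in the style of RFC 4303, showing when an overtaken packet falls outside the window. The 64-packet window size and the names ReplayWindow and deliver are assumptions made for illustration.

```python
class ReplayWindow:
    """Receive-side anti-replay window (illustrative model, not IOS code)."""

    def __init__(self, size=64):          # 64 is an assumed window size
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (top - i) was already seen

    def check(self, seq):
        """Classify one sequence number (ESP/AH numbering starts at 1)."""
        if seq > self.top:
            # Packet advances the window: slide the bitmap and mark it seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ok"
        offset = self.top - seq
        if offset >= self.size:
            return "stale"                # left of the window: dropped
        if self.bitmap & (1 << offset):
            return "replay"               # inside the window, seen before
        self.bitmap |= 1 << offset        # late but still inside the window
        return "ok"


def deliver(total, delayed_seq, overtaken_by, size=64):
    """Sender emits 1..total in order; packet `delayed_seq` takes the slow
    (process-switched) path and arrives only after `overtaken_by` later
    fast-switched packets. Returns the verdict for the delayed packet."""
    win = ReplayWindow(size)
    order = [s for s in range(1, total + 1) if s != delayed_seq]
    order.insert((delayed_seq - 1) + overtaken_by, delayed_seq)
    verdicts = {s: win.check(s) for s in order}
    return verdicts[delayed_seq]


if __name__ == "__main__":
    # Constructed scenario: packet 10 is a fragment that gets process switched.
    for n in (5, 63, 64, 100):
        print(f"overtaken by {n:3d} packets -> {deliver(200, 10, n)}")
```

A delayed packet is accepted as long as fewer packets than the window size overtake it; once the count reaches the window size it is dropped as stale, which is the condition the decrypting peer reports.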

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
