Cisco – VPN Issues From A 6509
I’m doing IPsec tunnels from a 6509 at a remote facility to an ASA. The tunnel would establish, traffic would be sent from the 6500 to the remote client, the remote client would answer, but it would never go back through the 6500… strange.
I noticed that the ASA said that the connection was using NAT traversal, which it shouldn’t… both of these devices were sitting on public address space. I also noticed the following message in my logs:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection
I tried many things, but the fix turned out to be disabling NAT-T on the 6500… apparently it is buggy. Issue the following command for happiness:
no crypto ipsec nat-transparency udp-encapsulation