parker
New Member
September 5, 2013
Question

esp_error in the 60C firewall

Hello. I am facing a problem with an IPsec VPN: there are a lot of error log entries about ESP errors. Does anyone have an idea how to fix the problem? Thank you.

    2 replies

    Rewanta_FTNT
    Staff
    September 5, 2013
    Hi, there are several situations where ESP errors come up: HMAC validation failing, IPsec SA not in sync, etc., or it could be an internal crypto hardware error. You should work with TAC on this. HTH
    emnoc
    New Member
    September 6, 2013
    Qs: What's the error specifically? Is it L2L-IPsec, L2TP-IPsec, or remote-access? All of the above will require a different analysis and view. FWIW, if you search here on packet analysis with tshark/wireshark and my screen name, a post came around with something similar but with openswan.

    What I would do:

    1: Match your proxy-id mask (quick mode selectors) between both devices.

    2: Reduce your proposals (if you want AES192 only, only install that proposal). It makes no sense in a L2L VPN to have numerous proposals IMHO. If it's remote-access dialup, you will most likely have multiple proposals, more so with L2TP-IPsec.

    3: Grab a packet capture of the phase 2 SA and match the out SPI to the other guy's in SPI and vice-versa (they should match). diag vpn tunnel commands are your friends :)

    4: SA timeout intervals don't have to match (each SA is uni-directional), but I would use a shorter SA interval so you can ensure the SAs are working right and re-negotiation happens after a timeout.

    5: I would also do the same on the phase 1 SA (IKE).
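To go with step 3 of the reply above (matching the outbound SPI on one side against the inbound SPI on the other), here is an added Python example that is not from the thread, from Fortinet, or from any of the posters: it parses raw IPv4/ESP packets as exported from a capture on the firewall's outside interface, groups SPIs by direction, and flags ESP sequence-number gaps per SPI. The addresses, SPIs and packets are constructed for the example, and the capture is assumed to have been exported as raw packet bytes.

```python
import struct

# Constructed sample addresses (assumptions, not values from the thread).
LOCAL = "203.0.113.1"    # this firewall's outside address
PEER = "198.51.100.2"    # the remote IPsec peer

def ipv4_esp_packet(src, dst, spi, seq, payload=b"\x00" * 16):
    """Build a minimal IPv4 header (protocol 50) followed by an ESP header
    (RFC 4303: 32-bit SPI, 32-bit sequence number). The IP checksum is left
    zero; the parser below never reads it."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    esp = struct.pack("!II", spi, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, 50, 0, s, d)
    return ip + esp

def parse_esp(pkt):
    """Return (src, dst, spi, seq) for an IPv4/ESP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 50 or len(pkt) < ihl + 8:      # not ESP, or truncated
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return src, dst, spi, seq

def summarize_sas(packets, local):
    """Group SPIs into outbound/inbound relative to `local`, keep the
    sequence numbers seen per SPI, and list any non-consecutive steps."""
    result = {"outbound": {}, "inbound": {}}
    for pkt in packets:
        parsed = parse_esp(pkt)
        if parsed is None:
            continue
        src, dst, spi, seq = parsed
        direction = "outbound" if src == local else "inbound"
        peer = dst if src == local else src
        entry = result[direction].setdefault(spi, {"peer": peer, "seqs": []})
        entry["seqs"].append(seq)
    for table in result.values():
        for entry in table.values():
            seqs = entry["seqs"]
            entry["gaps"] = [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]
    return result

# Constructed capture: two SPIs, one per direction, with one inbound gap.
SAMPLE = [
    ipv4_esp_packet(LOCAL, PEER, 0xC0FFEE01, 1),
    ipv4_esp_packet(PEER, LOCAL, 0xDEADBEEF, 1),
    ipv4_esp_packet(LOCAL, PEER, 0xC0FFEE01, 2),
    ipv4_esp_packet(PEER, LOCAL, 0xDEADBEEF, 2),
    ipv4_esp_packet(PEER, LOCAL, 0xDEADBEEF, 4),   # seq 3 missing
    b"\x45" + b"\x00" * 19,                         # non-ESP packet, skipped
]
```

The outbound SPI printed for this side should equal the inbound SPI the remote device reports (and vice-versa); a gap list that is not empty shows where packets went missing or arrived out of order for that SA.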