Site to Site VPN going down frequently with error "encryption failure: According to the policy the packet should not have been decrypted."

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk97612
Technical Level
Product	IPSec VPN
Version	All
OS	Gaia, SecurePlatform
Platform / Model	All
Date Created	19-Jan-2014
Last Modified	21-May-2019

Symptoms

Packet Drops in SmartView Tracker: "encryption failure: According to the policy the packet should not have been decrypted."
Third Party firewall (Dell Sonic) shows following error:
Received notify: ISAKMP_AUTH_FAILED
Received unencrypted packet in crypto active state

Cause

Site-to-Site VPN Troubleshooting on SonicWALL Security Appliances Tech Note (p.15) states:

Received notify: ISAKMP_AUTH_FAILED = Responder is reporting that preshared key is mismatched. Check settings on both peers.

There are other Check Point Firewall or Interoperable (Non-Check Point Firewall) objects with the same external IP address and encryption domain as the peer. Packets from the peer firewall are accepted, decrypted, and then dropped because the Check Point Firewall receiving the traffic cannot determine which firewall sent the packet.

Solution

Note: To view this solution you need to Sign In .