ESP packets dropped due to Decryption Failure

Description

VPN packets from overlapping networks may be dropped with the following log message:

DROPPED, Drop Code: 426(Decryption Failed MAC compare), Module Id: 20(ipSec)

Cause

The firewall may drop a packet received through the VPN tunnel from a remote site when its source IP address matches an ARP entry for a client on the firewall's own local network.

For example, if the following IPsec SA were established, packets from 192.168.11.100 could be dropped if the receiving firewall already holds an ARP entry for 192.168.11.100 in its ARP cache. The remote network 192.168.11.0/24 lies entirely inside the local range 192.168.3.0 - 192.168.254.255, so the same address is claimed by both sides of the tunnel.

IPsec SA:

Local Network: range 192.168.3.0 - 192.168.254.255

Remote Network: net 192.168.11.0 mask 255.255.255.0
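The following script is an added example, not part of the original article or of any SonicWall tool. It expands the local address range from the SA above into CIDR blocks, reports which of them overlap the remote network, and lists the entries of a constructed ARP-cache excerpt (a made-up "<ip> <mac> <interface>" format, not real SonicWall CLI output) whose addresses also fall inside the remote selector, i.e. the hosts whose tunnelled packets are at risk of the drop described above.

```python
import ipaddress

# Constructed ARP-cache excerpt for this example (hypothetical format:
# "<ip> <mac> <interface>" per line; not actual firewall CLI output).
SAMPLE_ARP_TABLE = """\
192.168.3.10    00:11:22:33:44:01  X0
192.168.11.100  00:11:22:33:44:02  X0
192.168.11.7    00:11:22:33:44:03  X0
10.10.10.5      00:11:22:33:44:04  X1
"""


def range_to_networks(first, last):
    """Expand a first-last address range into the CIDR blocks that cover it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def selector_overlaps(local_nets, remote_nets):
    """Return (local, remote) CIDR string pairs whose address space overlaps."""
    return [(str(l), str(r))
            for l in local_nets for r in remote_nets if l.overlaps(r)]


def parse_arp_table(text):
    """Parse '<ip> <mac> <interface>' lines into (ip, mac, iface) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((ipaddress.ip_address(parts[0]), parts[1], parts[2]))
    return entries


def arp_conflicts(arp_entries, remote_nets):
    """Local ARP entries whose IP also lies inside a remote VPN selector."""
    return [str(ip) for ip, _mac, _iface in arp_entries
            if any(ip in net for net in remote_nets)]


def check_sa(local_first, local_last, remote_net, arp_text):
    """Audit one SA: overlapping selector blocks plus colliding ARP entries.

    remote_net accepts CIDR or 'address/netmask' notation, e.g.
    '192.168.11.0/255.255.255.0'.
    """
    local = range_to_networks(local_first, local_last)
    remote = [ipaddress.ip_network(remote_net)]
    return {
        "local_blocks": [str(n) for n in local],
        "overlaps": selector_overlaps(local, remote),
        "arp_conflicts": arp_conflicts(parse_arp_table(arp_text), remote),
    }


if __name__ == "__main__":
    result = check_sa("192.168.3.0", "192.168.254.255",
                      "192.168.11.0/255.255.255.0", SAMPLE_ARP_TABLE)
    for pair in result["overlaps"]:
        print("overlap: local %s <-> remote %s" % pair)
    for ip in result["arp_conflicts"]:
        print("ARP entry also inside remote selector:", ip)
```

Any non-empty `overlaps` list means the SA's traffic selectors collide; the `arp_conflicts` list names the local hosts whose addresses would also be seen as remote sources, which is the situation the drop message above reflects.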


Resolution

For this reason, avoid overlapping local and remote networks when defining VPN traffic selectors as address ranges. KB 170817123531353 describes how to mitigate overlapping networks.

Related Articles

  • Web Proxy Forwarding is not Supported to a Server on the LAN
  • How to block ICMP (Ping) using Application Control
  • SonicWall GEN8 TZ and NSa Firewalls FAQ