Drop Code 338(Octeon Decryption Failed for inbound packet): Site to Site IPSec VPN

Description

Drop Code 338(Octeon Decryption Failed for inbound packet): Site to Site IPSec VPN no traffic between SNWL firewall and Mikrotik device.

 

Site to Site IPSec VPN was set up between SonicWall and Mikrotik. On SonicWall there are multiple VLANs created under X0 and X3 with different zones of trusted type:

172.16.15.0/255.255.255.0 VLAN 15 (VPNinternal) 
172.16.255.0/255.255.255.0 VLAN 20 (admin/mgmt) 
172.16.100.0/255.255.255.0 VLAN 100 (voice) 
172.16.8.0/255.255.255.0 VLAN 11 (pc/printer) 
172.16.0.0/255.255.255.0 VLAN 12 (servers) 

When set VPN Source as 172.16.0.0/16 (as LAN) and changed the zones to LAN, everything works fine. However, when created an address group for all 5 VLAN networks, then SonicWall dropped reply packet as Octeon Decryption failed. Checked the configuration on SonicWall and it looks correct.

Resolution

In this case the issue is due to the setting of the option Level under IP | IPsec | Policy in Mikrotik device. It should be unique rather than require which is by default. 
ImageThe Level options specified as below:

level (require | unique | use; Default:require)Specifies what to do if some of the SAs for this policy cannot be found:
  • use - skip this transform, do not drop packet and do not acquire SA from IKE daemon
  • require - drop packet and acquire SA
  • unique - drop packet and acquire a unique SA that is only used with this particular policy



So make sure you set level of the IPsec Policy to 'unique' for each subnet in Mikrotik device if you create an address group object on far end SonicWall. 

 

Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
SonicWall NSA Series
Firewalls
SonicWall SuperMassive 9000 Series
Firewalls
SonicWall SuperMassive E10000 Series
Firewalls
TZ Series
not finding your answers?
Ask the Community