Encryption Fails during System Check

I am doing an enterprise rollout of BitLocker and, out of the thousands that have been prompted and successfully encrypted, I have two that fail during the system check (Power Cable and CD/DVD). BitLocker thinks that there is a disc in the drive when there is nothing in the drive (no mounted ISO either). I have at least 1000 more that have yet to be encrypted, so it is likely that I will bump into this again. I can't find anything in the Service & App logs that explains what is happening.
Does anyone have a solution to this?

Hi Hoosierdaddy42,
In the article "BitLocker Drive Encryption in Windows 7: Frequently Asked Questions", under the heading 'What causes BitLocker to start into recovery mode when attempting to start the operating system drive?', one of the items listed is:
Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
There are other things on that list that may be related.
Hope this helps,
David

Similar Messages

  • MDT 2012 - Image failing during system restore - C:\LTIBootstrap still there. Autologin not happening.

    Hello,
    I'm hoping someone can assist. I have an image that was working, but the built-in admin account was disabled. I went into the image, enabled the account and set a password. I ran sysprep and capture. Now, when I try to deploy either image, it installs the OS, reboots and then sits at a login (does not go into the admin account to continue). I login and I notice that LTIBootstrap.vbs is sitting on the root of C: along with the Minint folder and other MDT folders. I have MDT on 2 servers and they both do the same thing. Unattend.xml in C:\minint has the correct local admin/password.
    Customsettings.ini:
    [Settings]
    Priority=Default
    Properties=MyCustomProperties
    [Default]
    DeployRoot=\\ourserver\D$\DeploymentShare$
    ComputerBackupLocation=Network
    Home_Page=http://home
    OSInstall=Y
    SkipAdminPassword=YES
    SkipApplications=YES
    SkipAppsOnUpgrade=YES
    SkipBDDWelcome=YES
    SkipBitLocker=YES
    SkipComputerName=YES
    OSDComputerName=HDQ-%SerialNumber%
    SkipComputerBackup=YES
    SkipDeploymentType=YES
    SkipDomainMembership=YES
    JoinDomain=OurDomain
    DomainAdmin=xxxx(Account with Join domain rights)
    DomainAdminDomain= Our Domain
    DomainAdminPassword=Password for account
    SkipAdminAccounts=YES
    SkipFinalSummary=NO
    FinishAction=Reboot
    SkipLocaleSelection=YES
    KeyboardLocale=en-US
    UserLocale=en-US
    UILanguage=en-US
    SkipPackageDisplay=YES
    SkipProductKey=YES
    SkipSummary=No
    SkipTaskSequence=NO
    SkipTimeZone=YES
    TimeZoneName=Eastern Standard Time
    SkipUserData=YES
    EventService=http://OurServer:9800
    [Settings]
    Priority=Default
    [Default]
    DeployRoot=\\OurServer\D$\DeploymentShare$
    UserID=account to join to domain                                                                                                                  
    USerDomain=Our Domain
    UserPassword=Account password to join domain
    Any help would be greatly appreciated.
    Thanks
    Rick
    BDD.LOG
    <![LOG[ZTINextPhase COMPLETED.  Return Value = 0]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="ZTINextPhase" context="" type="1" thread="" file="ZTINextPhase">
    <![LOG[ZTINextPhase processing completed successfully.]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="ZTINextPhase" context="" type="1" thread="" file="ZTINextPhase">
    <![LOG[Event 41001 sent: ZTINextPhase processing completed successfully.]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="ZTINextPhase" context="" type="1" thread="" file="ZTINextPhase">
    <![LOG[Command completed, return code = -2147021886]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
    <![LOG[Property LTIDirty is now = FALSE]LOG]!><time="14:10:58.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
    <![LOG[If there is a drive letter defined, make sure we clear it now so we can *force* recalcutation.]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
    <![LOG[Property OSDTargetDriveCache is now = DIRTY]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
    <![LOG[LTI initiating task sequence-requested reboot.]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">
    <![LOG[Event 41017 sent: LTI initiating task sequence-requested reboot.]LOG]!><time="14:10:59.000+000" date="01-13-2014" component="LiteTouch" context="" type="1" thread="" file="LiteTouch">

    Hi Rick,
    To my understanding, sysprep, and to be more specific the "generalize" step, will make sure all personalized information is removed before entering the capture mode.
    I'm aware additionally created accounts will be preserved, but I can't tell you about the built-in administrator account.
    The first thing that comes to mind is that your Build task sequence uses an Unattend.xml, just the same as your Deploy task sequence does.
    Assuming that you don't do anything you haven't mentioned with the account in the task sequence, like renaming the admin account or setting a different password during the task sequence, cross-checking both your Unattend.xml files would be a good place to start.
    Also, it is known that Windows allows the machine to be auto logged on a couple of times. So please check if this isn't also the case. See this link for more info: http://support.microsoft.com/kb/324737
    Lastly, if all else fails, you can set the account enabled, and a password, by command line, but this should only be done as a temporary workaround. See these links for more information: http://support.microsoft.com/kb/251394 and http://social.technet.microsoft.com/wiki/contents/articles/3040.enable-disable-the-local-hidden-built-in-administrator-account-in-windows-7.aspx
    Good luck!
    Kind regards

  • What happens when HTTPS communication fails during certificate check?

    Hello Experts,
    I have a scenario where a BAPI functionality (server proxy) is exposed as a web service.
    So the scenario will be SOAP -> XI -> Proxy (calls a BAPI).
    Here we are going to use HTTPS (SSL).
    I would like to know:
    What happens when a check for certificate validation fails in XI? It may be due to an invalid certificate, an expired certificate or a request from an unauthorised user.
    - Will it be raised as an exception, and do we need to do some configuration to report it back to the sender?
    - Will the message fail in Moni with a red flag?
    - Will alerts be created?
    Please share your experiences and expert suggestions.
    Thanks in advance!
    Regards,
    XI Queries.

    Hi Abhishek,
      Thanks for the reply. I will keep this in mind and design the scenario & error handling accordingly.
    Appropriate points awarded
    Kind regards,
    Xi Queries.

  • CS3 Setup System Check states that Safari is open when it is closed

    Running Setup under OSX, and during System Check, alert states that "Installation cannot continue until the following applications are closed: Safari".
    I have verified that Safari is closed, and no other users logged on, but cannot satisfy this prompt.

    Closing Programs Interfering with Installation
    PC - Task Manager: (CTRL-ALT-Delete) http://support.microsoft.com/kb/323527
    Mac - Activity Monitor: http://osxdaily.com/2010/08/15/mac-task-manager/
    Error "Installation cannot continue until... Adobe Bridge is closed" | Installation | CS5
    http://helpx.adobe.com/creative-suite/kb/error-installation-cannot-continue-bridge.html

  • SAP system checks

    During system checks, a Basis administrator will check buffer swaps under Export/Import, hit ratio, programs etc. What is the importance of checking these?

    Hi,
    Normally in SAP the buffers are used to store SAP objects/data from the DB. This is done for easy access to data when the users need it; it helps to increase the performance of the system by decreasing the I/O of the system. That is, when the user requests data, the work process first checks the buffers for the data requested by the user; if it finds it there, it returns the data to the user, thereby increasing the speed of access and in turn the performance. If the data is not found in the buffer, a physical access to the DB is made, thereby increasing the response time and lowering the performance. After the data is fetched and returned to the user, a copy of the data is put into the buffer; this helps to speed up access when some other user requests the same data, as said above.
    This mechanism works when you have an adequate buffer size. If your buffer size is very small, the data put into the buffer will be pushed out to accommodate the new data; the red colour indicates the number of objects swapped out of the buffer to accommodate new objects in the buffer.
    In your case the buffers need to be increased to accommodate more objects in them. Keep in mind that performance tuning needs more analysis and skill.
    Changing buffer parameters involves more calculations and might lead to poor performance if done wrongly, or prevent the system from starting, since you have to restart the system in order to make the profile parameters related to buffers active.
    Please check the below links
    http://help.sap.com/saphelp_nw04/helpdata/en/c4/3a6e98505211d189550000e829fbbd/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/EN/02/9625e3538111d1891b0000e8322f96/frameset.htm
    http://help.sap.com/saphelp_nw70/helpdata/EN/bc/4a813b680c250fe10000000a114084/content.htm
    Regards,
    Ravi

  • Always failed during operating system checking while installing NetWeaver.

    I have installed NetWeaver Composition Environment Sneak Preview - Java EE only, but it always fails during the operating system check. Does this version not support Windows XP Professional SP2? This is the most used Windows system.

    I checked the instructions and confirmed that it does support Windows XP Professional (SP2):
    System Requirements
    Windows XP Professional (Service Pack 2) or Windows 2003 Server (Service Pack 1)
    This version runs on Windows XP (SP2) with password accounts and Windows Server 2003 (32bit)
    NTFS file system
    Microsoft Internet Explorer 6.0 or higher, or Firefox 1.0 or higher
    Min. 1 GB, recommended 2 GB RAM
    7 GB free hard disc space
    Download file 1.8 GB
    1.5 GHz PC or higher
    Monitor 1024x768 pixels or more, 256 colors
    Internet access (for CE online documentation)
    If no DHCP server is available on your network (which dynamically determines the IP address) or your computer is not connected to any network, you need to install the virtual interface adapter MS Loopback Adapter.
    To use SAP Interactive Forms by Adobe, you must install the necessary credential file and activate it using a unique password. Download the latest credential and password from SDN

  • Recovery failed during homognuos System copy maxdb 7.7 red hat 5.4 ECC 6.0

    Hi all,
    Actually I have one Development Server with ECC 6.0 + MaxDB 7.7 database, OS Red Hat 5.4.
    Please help us with what username and password we can give. I am from an Oracle background, so I am a newbie in MaxDB.
    Source System
    ECC 6.0
    OS Red Hat 5.4
    SAPSID   WIA
    Target system
    ECC 6.0
    OS Red Hat 5.4
    SAPSID    WID
    Now I am going to create a Quality Server for my landscape using the homogeneous system copy option on the target machine, and I have taken a database backup (offline backup) as well.
    But during the system copy it is asking for database recovery. For recovery I am using the DATABASE MANAGER TOOL (DBMGUI 7.6 MaxDB), but it is asking for IP, DB name, username and password.
    I have given the IP and DB name but don't know the username and password for the target machine SAPSID,
    because at the time of the system copy it asked for database recovery before the phase that creates the database users.
    I checked with xuser list from the command line; it is showing no values.
    Tried with the username and password given at OS level and the password for the source system, but no luck.
    So what to do?
    Please help

    Hi,
    thanks for your reply.
    I am sahil garg, and amkum82 and I are both working on the same issue.
    We are both from an Oracle background, newbies in MaxDB.
    We are following note 129352 for the homogeneous system copy.
          2. Target system:
                b) Restore:
                Before the restore, you must initialize the target instance. This initialization formats the log area. Data volumes are only formatted if they are not configured as raw devices and are not available in the configured size.
                We don't know how to create the instance for the target system in MaxDB for a homogeneous system copy. Could you please help us out with what steps need to be executed for this?
    Thanks Regards,
    Sahil

  • The user name or password is incorrect in the CRM system checks during installation

    Hi everyone
    I'm installing CRM 2013 on 2 servers (server 2012) - CRM Full server + SQL Server 2012.
    I created 2 service accounts for this - CRMSVC + CRMSANDBOX (one for sandbox and another one for all the rest).
    I'm getting the following error in the system checks during setup:
    I've verified a billion times that the service accounts and passwords are valid. I even tried using different service accounts, same problem. For now I also added the service accounts to the local admins groups just to be sure that it's not some permissions issue (I also added them to the 'log on as a service' & performance logs groups).
    If I try to use NETWORK SERVICE instead of a service account, the installation goes through flawlessly, no issues at all.
    I'll also say that I tried another installation on a fresh server: SAME ISSUE.
    So for now my ideas are that either it's a GPO somehow blocking the service accounts, or some kind of other security issue.
    I also found out that the security event log shows these two errors when these show up in the system checks:
    Inside I found a 'NULL SID' entry (it does not recognize the service accounts) and 0xC0000064 in the Sub Status Codes.
    It's not a typo issue, so don't bother: if I write a wrong password on purpose, it actually says that the password I typed for domain\service account is incorrect; here it seems that the service account is not being recognized.
    Any ideas anyone?
    Thanks

    Not sure you understood my point.
    The installation process necessarily runs under the account of the installing user. The installation will query AD to identify information about the service accounts, and will add them to the relevant CRM AD groups. It is possible that the installing user
    account does not have sufficient privileges on the AD objects for the service accounts to be able to identify them, and to add them to groups. This scenario is consistent with the errors that you get, and also with being able to install CRM to run under NetworkServices
    (which doesn't have its own AD object)
    Microsoft CRM MVP - http://mscrmuk.blogspot.com/ http://www.excitation.co.uk
    Hi David
    I understand this, but as far as I know running it under NETWORK SERVICE will add the machine names to the OU security groups, hence the user installing still needs to have delegated permissions on that OU. Anyway, as mentioned above, ignoring the checks and running the installation solved this and also added the accounts to the security groups, so this whole mess looks like some bug to me. Not sure I will ever find out what it was :)
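    The 'NULL SID' entry and the 0xC0000064 Sub Status mentioned in this thread come from Windows Security event 4625 (an account failed to log on). Sub Status is the precise NTSTATUS reason, and the distinction it draws (account not resolvable versus wrong password) is exactly the one the poster observed. The Python below, an added example and not code from the thread or from Microsoft, decodes those codes from a 4625 message body; the event text is constructed for the example, and the CONTOSO domain, CRMSVC account and installer user are assumed names.

```python
"""Decode the Status / Sub Status NTSTATUS codes in Windows Security event 4625
(an account failed to log on), as seen when a setup wizard validates a service
account. Added example; the sample event below is constructed, not real telemetry."""
import re

# Well-known NTSTATUS values reported in 4625 events (from the Windows SDK ntstatus.h).
NTSTATUS_REASONS = {
    0xC000006D: "STATUS_LOGON_FAILURE (generic bad user name or password)",
    0xC0000064: "STATUS_NO_SUCH_USER (account name not found / not resolvable)",
    0xC000006A: "STATUS_WRONG_PASSWORD (account exists, password incorrect)",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED (e.g. missing 'Log on as a service' right)",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

def decode_ntstatus(code):
    """Map an NTSTATUS value (int or '0x...' string) to its symbolic reason."""
    if isinstance(code, str):
        code = int(code, 16)
    return NTSTATUS_REASONS.get(code, "unknown NTSTATUS 0x%08X" % code)

def parse_4625(message):
    """Pull the target account, logon type and status codes out of a 4625 message body.
    Only the 'Account For Which Logon Failed' section is read for account fields, so
    the Subject (the caller, e.g. the installing user) is not confused with the target."""
    _, _, target = message.partition("Account For Which Logon Failed:")

    def grab(pattern, text=target):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None

    return {
        "security_id": grab(r"Security ID:\s*(.+)"),
        "account_name": grab(r"Account Name:\s*(\S+)"),
        "account_domain": grab(r"Account Domain:\s*(\S+)"),
        "logon_type": grab(r"Logon Type:\s*(\d+)", message),
        # 'Sub Status:' also contains 'Status:', hence the negative lookbehind.
        "status": grab(r"(?<!Sub )Status:\s*(0x[0-9A-Fa-f]{8})", message),
        "sub_status": grab(r"Sub Status:\s*(0x[0-9A-Fa-f]{8})", message),
    }

def explain_4625(message):
    """Return (summary line, parsed fields); Sub Status, when present, is the precise reason."""
    f = parse_4625(message)
    reason = decode_ntstatus(f["sub_status"] or f["status"])
    null_sid = f["security_id"] == "NULL SID"
    summary = "%s\\%s: %s%s" % (
        f["account_domain"], f["account_name"], reason,
        " [NULL SID: the name was never resolved to a SID]" if null_sid else "")
    return summary, f

# Constructed sample (assumed names), modelled on the 4625 message layout.
SAMPLE_4625 = """An account failed to log on.
Subject:
\tSecurity ID:\t\tCONTOSO\\installer
\tAccount Name:\t\tinstaller
\tAccount Domain:\t\tCONTOSO
Logon Type:\t\t\t5
Account For Which Logon Failed:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\tCRMSVC
\tAccount Domain:\t\tCONTOSO
Failure Information:
\tFailure Reason:\t\tUnknown user name or bad password.
\tStatus:\t\t\t0xC000006D
\tSub Status:\t\t0xC0000064
"""

if __name__ == "__main__":
    print(explain_4625(SAMPLE_4625)[0])
```

    Run it against the real event text (the Message field of each 4625 in the Security log) rather than the rendered 'Failure Reason', which is the generic STATUS_LOGON_FAILURE wording for several different Sub Status values; a logon type 5 with Sub Status 0xC0000064 tells you the name lookup failed, not that the password was rejected.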

  • Serial Number validation during Delivery Creation itself(PGI-system checks)

    Process:
    Sales Order PR(Purchase Order) GR( New Serial Numbers are created automatically or manually keyed in)
    Once the Goods Receipt is received, we do the (SO) DELIVERY - SERIAL NUMBER ASSIGNMENT - Post Goods Issue
    Issue:
    Current Serial Number Profile Management does not do a valid serial number check during DELIVERY CREATION where we do a SERIAL NUMBER ASSIGNMENT.
    Only during POST GOODS ISSUE, the check happens for valid serial numbers; this is too late in the game for business as there is a time lag of 3 days from the DELIVERY CREATION and PGI.
    Reason being: we don't check the following "Existing Stock Check" (which does a serial number validation during delivery creation as well)
    SPRO>Plant Maintenance and Customer Service>Master Data in Plant Maintenance and Customer Service>Technical Objects>Serial Number Management>Define Serial Number Profiles
    If we check this option, the business requirement to do a valid serial number check does happen during delivery creation, however we cannot create new serial numbers during Purchase Order- GOODS RECEIPT.
    QUESTION:
    Can we have the system check the valid serial numbers from stock during delivery creation and serial number assignment.
    And Also create new serial numbers during Purchase Order- Goods Receipt.

    Hi
    1. In standard SAP it is not possible to check the serial number during delivery creation; through an enhancement it can be done.
    2. During GR for PO, serial numbers can be created.
    Rgds
    Ramesh

  • Check HDD Part Number in Solaris 10 during System Running

    Dear all,
    Please help me,
    I want to check the part number of the HDDs of a Sun Fire V890 Server while the system is running, by Solaris OS command. Can we check the part number of the HDD by Solaris OS command?
    Or are there other ways, apart from shutting down the system and unplugging the HDD from the server?
    Thanks you and Regards,
    Soret,

    The following command will list the vendor and product ID for each disk:
    iostat -E
    From [Sun Fire[tm] V890 Server, RoHS:YL - Full Components List|http://sunsolve.sun.com/handbook_private/validateUser.do?target=Systems/SunFireV890_R/components#Disks] you should be able to find the matching Manufacturing Part for a given vendor and product ID.

  • Portal Authorisation Error:"Failed to connect backend system.Check your syst

    Hi Experts,
    Please advise me on how to proceed....
    I created dashboard reports (5) based on 5 different reports in BI Queries using Visual Composer. I deployed them to the portal, and in the portal I assigned those iViews to a role and assigned that role to an end user.
    In BW the end user is authorized to execute those 5 queries, and in the portal the user is able to access those queries as well.
    But when he tried to execute the dashboard reports, it displays the error
    "Failed to connect backend system.Check your system definition and user priviliges"
    Then I modified his authorisations in BW and assigned the SAP_J2EE_ADMIN role in BW, and then in the portal he is able to execute the dashboard reports. By assigning the SAP_J2EE_ADMIN role he is able to execute dashboards in the portal, but he got more authorisation in the portal than he required, like 'Content Admin', 'User Admin' and 'System Admin'.
    I tried by using the SAP_J2EE_GUEST role, but he is getting the error
    "Failed to connect backend system.Check your system definition and user priviliges"
    Please advise on how to proceed
    Thanks

    Hi,
    Refer,
    Visual composer
    Failed to connect to backend system. Check your system definition and user
    Regards,
    P.Manivannan.

  • "Failed to connect backend system.Check your system definition and user pri

    Hi Experts,
    I am a BW Consultant working on Portal & Visual Composer (7.0).
    As a developer I got the SAP_ALL & SAP_J2EE_ADMIN roles in BW and the System Admin and VC roles in the Portal.
    In the Portal I created/published iViews for BW Queries (Transaction) and published them to a role (role1) in the portal.
    In Visual Composer I developed dashboard reports on BW Queries, made them public and deployed them to a portal role (role1) in the portal.
    I assigned the portal role to myself and tested the queries and dashboards in the portal; everything is working perfectly.
    In VC I can see 3 different systems defined in the Portal.
    I created a test user (with the profile of an end user) in BW. Testuser is authorised to view all the reports in BW and all data in all data targets, and in the portal testuser is assigned Role1 and the VC role.
    (Note: In BW Testuser didn't have the J2EE_ADMIN role).
    Portal:
    When I log in to the portal as testuser and try to execute the BW Queries (Transaction), it is working perfectly.
    When I tried to execute the dashboard reports developed in Visual Composer, it gives me an error
    "Failed to connect backend system.Check your system definition and user priviliges"
    In Visual Composer I logged in as testuser (as the test user has the VC role assigned); I can't see any list of available systems under "Find Data".
    When I modified the testuser profile in BW and updated it with SAP_J2EE_ADMIN, then I can execute the dashboard report, but at the same time testuser got more than what he should have, like user admin, system admin, etc.
    I searched SDN and found some similar threads, but nothing was useful.
    Please update me on what went wrong and how to fix this.
    Thanks in advance

    Hi,
    Refer,
    Visual composer
    Failed to connect to backend system. Check your system definition and user
    Regards,
    P.Manivannan.

  • An error message appeared during system recovery which said "failed to replace file"

    Failed to replace file C:\Program files (x86)\coupon companion\coupon companion.exe
    (0x80070002) error during system restore.

    Do you mean you actually ''want'' Coupon Companion? It's malware, or at best, adware.
    If you can't remove Coupon Companion from your computer, first try using Malwarebytes' Anti-Malware.
    * http://www.malwarebytes.org
    If it can't get rid of it, then post in the Malware Removal section of the following forum.
    * http://forums.malwarebytes.org
    Related:
    * [[Troubleshoot Firefox issues caused by malware]]

  • Site2Site Tunnel issue PSEC(epa_des_crypt): decrypted packet failed SA identity check

    Hi,
    I have a slight issue I'm having some problems resolving..
    The scenario is as follows;
    I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
    I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
    That also works fine and I have multiple SA's running on that site with no issues or problems.
    The external provider has a small network device deployed on the external site which monitor cooling values in one of our warehouses.
    The external site which is connected via IPsec has a Cisco 1921 and numerous Cisco 3550s deployed.
    The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
    The external provider's servers are located within 192.168.220.0/24 subnet.
    As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
    However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
    So basically it seems to be the last bit, when the traffic goes through the 1921 and to the switch, where it fails, and I can't for the life of me figure out why.
    Network diagram attached.. any ideas?
    This is the 1921 config:
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname bergen-vpn-gw
    boot-start-marker
    boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
    boot-end-marker
    logging buffered 50000
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    aaa session-id common
    clock timezone CET 1
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
    no ipv6 cef
    no ip source-route
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name xxxxx
    multilink bundle-name authenticated
    license udi pid CISCO1921/K9 sn FCZ1508C1P4
    license boot module c1900 technology-package securityk9
    license boot module c1900 technology-package datak9
    vtp mode client
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key harakiri address 1.2.3.4
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    crypto map VPN 10 ipsec-isakmp
    set peer 1.2.3.4
    set transform-set 3DES-SHA
    match address VPN
    interface GigabitEthernet0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    interface GigabitEthernet0/0.99
    description *** Test VLAN To be removed ***
    encapsulation dot1Q 99
    ip address 10.90.90.1 255.255.255.0
    no ip route-cache
    interface GigabitEthernet0/0.112
    encapsulation dot1Q 112
    ip address 192.168.112.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip route-cache
    interface GigabitEthernet0/0.150
    encapsulation dot1Q 150
    ip address 10.150.4.1 255.255.255.0
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.178
    encapsulation dot1Q 178
    ip address 192.168.178.1 255.255.255.0
    ip helper-address 172.30.1.223
    no ip redirects
    no ip proxy-arp
    no ip route-cache
    interface GigabitEthernet0/0.999
    encapsulation dot1Q 999
    no ip route-cache
    interface GigabitEthernet0/1
    ip address 1.2.3.4 255.255.255.252
    no ip redirects
    no ip proxy-arp
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    crypto map VPN
    interface FastEthernet0/0/0
    switchport access vlan 99
    interface FastEthernet0/0/1
    interface FastEthernet0/0/2
    interface FastEthernet0/0/3
    interface Vlan1
    no ip address
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 85.200.203.29
    ip access-list extended VPN
    permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
    permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
    permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
    permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
    permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
    ip sla 1
    icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 1 start-time now
    ip sla 2
    icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 2 start-time now
    ip sla 3
    icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 3 start-time now
    ip sla 4
    icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 4 start-time now
    ip sla 5
    icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 5 start-time now
    ip sla 6
    icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
    threshold 20
    frequency 120
    ip sla schedule 6 start-time now
    cdp source-interface GigabitEthernet0/0.112
    snmp-server community bamacomro RO
    snmp-server community bamacomrw RW
    control-plane
    banner motd ^CCC-----------------------------------------------------------------------------
    This system is solely for the use of authorised users for official purposes.
    You have no expectation of privacy in its use and to ensure that the system
    is functioning properly, individuals using this computer system are subject
    to having all their activities monitored and recorded by system personell.
    Use of this system evidence an express consent to such monitoring and
    agreement that if such monitoring reveals evidence of possible abuse or
    criminal activity, system personell may provide the result of such
    monitoring to appropiate officials.
    -----------------------------------------------------------------------------^C
    line con 0
    exec-timeout 5 0
    logging synchronous
    line aux 0
    line vty 0 4
    access-class telnet in
    exec-timeout 180 0
    logging synchronous
    transport input telnet ssh
    line vty 5 15
    access-class telnet in
    exec-timeout 180 0
    password 7 094F471A1A0A
    logging synchronous
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    I had that issue 1 year ago.
    "decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the proxy ID negotiated.
    Juniper is violating RFC 4301; there is nothing we can do against an RFC violation:
    As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
    the SPD (or associated caches) MUST be consulted during the
    processing of all traffic that crosses the IPsec protection boundary,
    including IPsec management traffic.  If no policy is found in the SPD
    that matches a packet (for either inbound or outbound traffic), the
    packet MUST be discarded.
    I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
    Cheers,
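    The check this reply quotes from RFC 4301 is mechanical: once an ESP packet is decrypted on a given SA, its addresses must lie inside the traffic selectors (Cisco's "proxy identities") that IKE negotiated for that SA, or the packet is discarded. The Python below is an added example, not code from this thread or from Cisco or Juniper, that implements that inbound check over selectors parsed from an IOS-style crypto ACL; it serves both this reply and the next thread, where the same message appears for one host of a pair. The ACL text, SPI values and the "wrong SA" packet are constructed for the example; the hypothetical names ChildSA, check_inbound and build_sas are mine.

```python
"""Inbound selector (proxy-ID) check for decrypted IPsec packets, after RFC 4301 section 5.2.
Added example with a constructed crypto ACL; class and function names are assumed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ChildSA:
    """One inbound IPsec SA with the traffic selectors agreed in IKE phase 2."""
    spi: int
    local_ts: ipaddress.IPv4Network    # protected network behind us
    remote_ts: ipaddress.IPv4Network   # protected network behind the peer

class SelectorMismatch(Exception):
    """Raised when a decrypted packet lies outside the SA's negotiated selectors."""

def parse_crypto_acl(acl_text):
    """Parse IOS 'permit ip <src> <wildcard> <dst> <wildcard>' lines into
    (local, remote) network pairs; the ACL's source side is our local side.
    ipaddress accepts the wildcard (hostmask) form directly."""
    pairs = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[:2] != ["permit", "ip"]:
            continue
        local = ipaddress.ip_network("%s/%s" % (parts[2], parts[3]), strict=False)
        remote = ipaddress.ip_network("%s/%s" % (parts[4], parts[5]), strict=False)
        pairs.append((local, remote))
    return pairs

def build_sas(acl_text, first_spi=0x1000):
    """One inbound SA per ACL entry, as a crypto-map peer would negotiate (SPIs constructed)."""
    return [ChildSA(first_spi + i, loc, rem)
            for i, (loc, rem) in enumerate(parse_crypto_acl(acl_text))]

def check_inbound(sa, src, dst):
    """Decide whether a packet just decrypted on `sa` may be forwarded.
    Inbound traffic runs peer -> us, so src must be in remote_ts and dst in local_ts;
    anything else is the 'decrypted packet failed SA identity check' case and is dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in sa.remote_ts and dst in sa.local_ts:
        return True
    raise SelectorMismatch("SPI 0x%08x: %s -> %s is outside %s <-> %s"
                           % (sa.spi, src, dst, sa.remote_ts, sa.local_ts))

# Constructed ACL, shaped like the cooling-VLAN entry of 'ip access-list extended VPN' above.
SAMPLE_ACL = """
ip access-list extended VPN
 permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
"""

def demo():
    """Return the verdict for a packet inside the selectors and one the peer sent on the wrong SA."""
    sa = build_sas(SAMPLE_ACL)[0]
    ok = check_inbound(sa, "192.168.220.182", "10.150.4.10")
    try:
        check_inbound(sa, "192.168.220.182", "192.168.112.1")  # not covered by this SA's selectors
        stray = "forwarded"
    except SelectorMismatch as e:
        stray = "dropped: %s" % e
    return ok, stray

if __name__ == "__main__":
    print(demo())
```

    Two practical consequences follow from the check. A route-based VTI tunnel negotiates any/any selectors, so every decrypted packet passes this test and the routing table decides what is forwarded, which is why the VTI workaround in this reply removes the error. And for the next thread, where 4.5.7.94 passes and 4.5.7.29 on the same /23 fails, the first thing to compare is the local/remote identities shown by `show crypto ipsec sa` for that SA against 4.5.7.29, rather than assuming the two hosts are covered by the same negotiated selector.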

  • Getting "IPSEC(epa_des_crypt): decrypted packet failed SA identity check" messages on packets from only one of two far-end sources sharing the same tunnel, the other source works fine. What exactly does this error mean?

    One computer at COMPANY-A is attempting to communicate with two
    computers located at COMPANY-B, via an IPsec tunnel between the
    two companies.
    All communications are via TCP protocol.
    All devices present public IP addresses to one another, although they
    may have RFC 1918 addresses on other interfaces, and NAT may be in use
    on the COMPANY-B side.  (NAT is not being used on the COMPANY-A side.)
    The players:(Note: first three octets have been changed for security reasons)
    COMPANY-A computer      1.2.3.161
    COMPANY-A router        1.2.3.8 (also IPsec peer)
    COMPANY-A has 1.2.3.0/24 with no subnetting.
    COMPANY-B router        4.5.6.228 (also IPsec peer)
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    COMPANY-B has 4.5.6.0/23 subnetted in various ways.
    COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
    What works:
    The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
    tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
    The "show crypto session detail" command shows Inbound/Outbound packets
    flowing in the dec'ed and enc'ed positions.
    What doesn't:
    When the COMPANY-A computer 1.2.3.161 attempts to communicate
    via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
    the COMPANY-A router eventually reports five of these messages:
    Oct  9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    Oct  9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    and the "show crypto session detail" shows inbound packets being dropped.
    The COMPANY-A computer that opens the TCP connection never gets past the
    SYN_SENT phase of the TCP connection when trying to communicate with the
    COMPANY-B computer #2, and the repeated error messages are the retries of
    the SYN packet.
    On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
    a 3725, and some 76xx routers were tried, all with similar behavior,
    with packets from one far-end computer passing fine, and packets from
    another far-end computer in the same netblock passing through the same
    IPsec tunnel failing with the "failed SA identity" error.
    The COMPANY-A computer directs all packets headed to COMPANY-B via the
    COMPANY-A router at 1.2.3.8 with this set of route settings:
    netstat -r -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    4.5.7.0         1.2.3.8         255.255.255.0   UG        0 0          0 eth3
    1.2.3.8.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
    10.1.0.0        0.0.0.0         255.255.240.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth3
    10.0.0.0        10.1.1.1        255.0.0.0       UG        0 0          0 eth0
    0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth3
    The first route line shown is selected for access to both COMPANY-B computers.
    The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
    configuration:
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
    crypto map COMPANY-BMAP1 10 ipsec-isakmp
    description COMPANY-B VPN
    set peer 4.5.6.228
    set transform-set COMPANY-B01
    set pfs group2
    match address 190
    interface FastEthernet0/0
    ip address 1.2.3.8 255.255.255.0
    no ip redirects
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map COMPANY-BMAP1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 1.2.3.1
    ip route 10.0.0.0 255.0.0.0 10.1.1.1
    ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
    access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
    access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
    bridge 1 protocol ieee
    One of the routers tried had this IOS/hardware configuration:
    Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
    RELEASE SOFTWARE (fc2)
    Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
    Processor board ID XXXXXXXXXXXXXXX
    R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
    2 FastEthernet interfaces
    4 ATM interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of NVRAM.
    31296K bytes of ATA System CompactFlash (Read/Write)
    250368K bytes of ATA Slot0 CompactFlash (Read/Write)
    Configuration register is 0x2102
    #show crypto sess
    Crypto session current status
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:06:26:27
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
            Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
      IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
    Version 6.1 (ScreenOS)
    We only have a limited view into the Juniper device configuration.
    What we were allowed to see was:
    COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
    set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
    set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx  proposal "pre-g2-3des-sha"
    set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
    set policy id 2539 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
    set policy id 2500 from "Trust" to "Untrust"  "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
    set policy id 2541 from "Trust" to "Untrust"  "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
    set policy id 2540 from "Untrust" to "Trust"  "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
    COMPANY-B-ROUTER(M)->
    I suspect that this curious issue is due to a configuration setting on the
    Juniper device, but neither party has seen this error before.  COMPANY-B
    operates thousands of IPsec VPNs and they report that this is a new error
    for them too.  The behavior that allows traffic from one IP address to
    work and traffic from another to end up getting this error is also unique.
    As only the Cisco side emits any error message at all, this is the only
    clue we have as to what is going on, even if this isn't actually an IOS
    problem.
    What we are looking for is a description of exactly what the Cisco
    IOS error message:
    IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    is complaining about, and if there are any known causes of the behavior
    described that occur when running IPsec between Cisco IOS and a Juniper
    SSG device.  Google reports many other incidents of the same error
    message (but not the "I like that IP address but hate this one" behavior),
    and not just with a Juniper device on the COMPANY-B end, but for those cases,
    not one was found where the solution was described.
    It is hoped that with a better explanation of the error message
    and any known issues with Juniper configuration settings causing
    this error, we can have COMPANY-B make adjustments to their device.
    Or, if there is a setting change needed on the COMPANY-A router,
    that can also be implemented.
    Thanks in advance for your time in reading this, and any ideas.
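    The question reads the six log lines as retransmissions of one SYN. The following added example (written for this page, not IOS or vendor code) does that reading mechanically: it parses the IOS timestamps, splits the messages into bursts, and checks whether the gaps double the way a TCP retransmission timer does. `SAMPLE_LOG` is the six lines quoted above; the burst-splitting heuristic and the function names (`parse_timestamps`, `split_attempts`, `looks_like_backoff`, `summarize`) are the example's own.

```python
"""Timing analysis of repeated IOS IPsec error lines.

Added example for this thread, not IOS or vendor code.  SAMPLE_LOG is the
six lines quoted in the question; the grouping heuristic and function names
are the example's own.
"""
import re
from datetime import datetime
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}):\s+(?P<msg>.+)$"
)

# The six lines quoted in the question (IOS syslog without a year field).
SAMPLE_LOG = """\
Oct  9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct  9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct  9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct  9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct  9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct  9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
"""


def parse_timestamps(text: str, year: int = 2000) -> List[datetime]:
    """Timestamps of every line carrying the SA identity message.

    IOS omits the year, so one is supplied (a leap year, so Feb 29 parses).
    """
    stamps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "failed SA identity check" not in m["msg"]:
            continue
        stamps.append(datetime.strptime(
            f"{year} {m['mon']} {int(m['day'])} {m['time']}",
            "%Y %b %d %H:%M:%S.%f"))
    return stamps


def gaps_seconds(stamps: List[datetime]) -> List[float]:
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def split_attempts(stamps: List[datetime]) -> List[List[datetime]]:
    """Split into bursts.  A gap that shrinks relative to the previous gap
    marks a new connection attempt (heuristic, generalising the thread)."""
    attempts = [[stamps[0]]] if stamps else []
    prev_gap = None
    for a, b in zip(stamps, stamps[1:]):
        gap = (b - a).total_seconds()
        if prev_gap is not None and gap < prev_gap:
            attempts.append([b])
            prev_gap = None
        else:
            attempts[-1].append(b)
            prev_gap = gap
    return attempts


def looks_like_backoff(gaps: List[float], tolerance: float = 0.15) -> bool:
    """True if each gap is roughly double the previous one, the classic
    exponential retransmission pattern (3, 6, 12, 24, 48 s here)."""
    if len(gaps) < 2:
        return False
    return all(abs(b / a - 2.0) <= tolerance
               for a, b in zip(gaps, gaps[1:]) if a > 0)


def summarize(text: str) -> List[Dict]:
    """One record per burst: start time, message count, gaps, verdict."""
    out = []
    for burst in split_attempts(parse_timestamps(text)):
        g = gaps_seconds(burst)
        out.append({
            "first": burst[0].strftime("%H:%M:%S.%f")[:-3],
            "messages": len(burst),
            "gaps": [round(x, 3) for x in g],
            "retransmission_like": looks_like_backoff(g),
        })
    return out


if __name__ == "__main__":
    for burst in summarize(SAMPLE_LOG):
        print(burst)
```

    A burst whose gaps double is one client retrying a single SYN, so the error count tells you how long the client waited, not how many flows are affected; several overlapping bursts with non-doubling gaps would point at more than one source or an unrelated stream.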

    Hello Harish,
    It is believed that:
    COMPANY-B computer #1   4.5.7.94 (this one has no issues)
    COMPANY-B computer #2   4.5.7.29 (this one fails)
    both have at least two network interfaces, one with a public IP address
    (which we are supposedly conversing with) and one with an RFC 1918 type
    address.   COMPANY-B is reluctant to disclose details of their network or
    servers setup, so this is not 100% certain.
    Because of that uncertainty, it occurred to me that perhaps COMPANY-B
    computer #2 might be incorrectly routing via the RFC 1918 interface.
    In theory, such packets should have been blocked by the access-list on both
    COMPANY-A router, and should not have even made it into the IPsec VPN
    if the Juniper access settings work as it appears they should.  So I turned up
    debugging on COMPANY-A router so that I could see the encrypted and
    decrypted packet hex dumps.
    I then hand-disassembled the decoded ACK packet IP header received just
    prior to the "decrypted packet failed SA check" error being emitted and
    found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
    in the unencapsulated packet.  I also found the expected port numbers of the TCP
    conversation that was trying to be established in the TCP header.  So, it
    looks like COMPANY-B computer #2 is emitting the packets out the right
    interface.
    The IP packet header of the encrypted packet showed the IP addresses of the
    two routers at each terminus of the IPsec VPN, but since I don't know what triggers
    the "SA check" error message or what it is complaining about, I don't know what
    other clues to look for in the packet dumps.
    As to your second question, "can you check whether both encapsulation and
    decapsulation happening in 'show crypto ipsec sa'",   the enc'ed/dec'ed
    counters were both going up by the correct quantities.  When communicating
    with the uncooperative COMPANY-B computer #2, you would also see the
    received Drop increment for each packet decrypted.  When communicating
    with the working COMPANY-B computer #1, the Drop counters would not
    increment, and the enc'ed/dec'ed would both increment.
    #show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:54
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
            Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
    Attempt a TCP communication to COMPANY-B computer #2...
    show crypto sess det
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
    Interface: FastEthernet0/0
    Session status: UP-ACTIVE
    Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 4.5.6.228
          Desc: (none)
      IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
              Capabilities:(none) connid:1 lifetime:07:59:23
      IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
            Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
    Note Inbound "drop" changed from 5 to 6.  (I didn't let it sit for all
    the retries.)
    #show crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
       current_peer 4.5.6.228 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
        #pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 3, #recv errors 6
         local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xDF2CC59C(3744253340)
      inbound esp sas:
          spi: 0xD9D2EBBB(3654478779)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xDF2CC59C(3744253340)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
            sa timing: remaining key lifetime (k/sec): (4458307/28600)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    The "send" errors appear to be related to the tunnel reverting to a
    DOWN state after periods of inactivity, and you appear to get one
    each time the tunnel has to be re-negotiated and returned to
    an ACTIVE state.  There is no relationship between Send errors
    incrementing and working/non-working TCP conversations to the
    two COMPANY-B servers.
    Thanks for pondering this very odd behavior.
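    The reply above compares two `show crypto session detail` snapshots by eye (inbound drop 5 to 6, enc'ed 401 to 402, dec'ed flat). The following added example (written for this page, not IOS code) automates that comparison: it parses the per-flow counters from each snapshot, computes the deltas, and labels the pattern. `BEFORE` and `AFTER` are excerpts of the two snapshots quoted in the reply; the parser, the verdict rules and the names `parse_session_detail`, `diff_counters`, `assess` and `triage` are the example's own.

```python
"""Delta triage of 'show crypto session detail' counters.

Added example for this thread, not IOS code.  BEFORE and AFTER are excerpts
of the two snapshots quoted in the reply; the parser, the verdict rules and
all names are the example's own.
"""
import re
from typing import Dict, Tuple

FLOW_RE = re.compile(r"IPSEC FLOW:\s+(?P<flow>.+?)\s*$")
IN_RE = re.compile(r"Inbound:\s+#pkts dec'ed (?P<dec>\d+) drop (?P<drop>\d+)")
OUT_RE = re.compile(r"Outbound:\s+#pkts enc'ed (?P<enc>\d+) drop (?P<drop>\d+)")

# Excerpts of the two snapshots quoted in the reply (before / after one
# TCP attempt to COMPANY-B computer #2).
BEFORE = """\
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
  IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
        Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
"""
AFTER = """\
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
  IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
        Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
"""

Counters = Dict[str, Dict[str, int]]


def parse_session_detail(text: str) -> Counters:
    """Map each IPSEC FLOW to its dec'ed / inbound drop / enc'ed / outbound drop."""
    flows: Counters = {}
    current = None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            current = m["flow"]
            flows[current] = {"dec": 0, "in_drop": 0, "enc": 0, "out_drop": 0}
            continue
        if current is None:
            continue
        m = IN_RE.search(line)
        if m:
            flows[current]["dec"] = int(m["dec"])
            flows[current]["in_drop"] = int(m["drop"])
            continue
        m = OUT_RE.search(line)
        if m:
            flows[current]["enc"] = int(m["enc"])
            flows[current]["out_drop"] = int(m["drop"])
    return flows


def diff_counters(before: Counters, after: Counters) -> Counters:
    """Per-flow counter deltas; a flow absent from BEFORE counts from zero."""
    deltas: Counters = {}
    for flow, now in after.items():
        then = before.get(flow, {})
        deltas[flow] = {k: now[k] - then.get(k, 0) for k in now}
    return deltas


def assess(d: Dict[str, int]) -> str:
    """Label the delta pattern (heuristic, based on the thread's observations)."""
    if d["enc"] > 0 and d["dec"] == 0 and d["in_drop"] > 0:
        return ("replies arrived but every inbound packet was dropped after "
                "decryption (SA identity mismatch pattern)")
    if d["enc"] > 0 and d["dec"] == 0:
        return "we sent, nothing came back on this SA (check far-end routing/policy)"
    if d["in_drop"] > 0:
        return "some inbound packets dropped alongside decrypted traffic"
    if d["dec"] > 0 or d["enc"] > 0:
        return "bidirectional traffic, no inbound drops"
    return "idle"


def triage(before_text: str, after_text: str) -> Dict[str, Tuple[Dict[str, int], str]]:
    deltas = diff_counters(parse_session_detail(before_text),
                           parse_session_detail(after_text))
    return {flow: (d, assess(d)) for flow, d in deltas.items()}


if __name__ == "__main__":
    for flow, (d, verdict) in triage(BEFORE, AFTER).items():
        print(f"{flow}\n  deltas={d}\n  {verdict}")
```

    Taking the snapshots immediately before and after a single connection attempt, as the reply does, is what makes the deltas readable: a +1 on enc'ed with a +1 on inbound drop and no change to dec'ed says the far end answered and the answer was discarded after decryption, which is the signature to hand to the peer's administrators together with the log line.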
