Symptom
UDP traffic is dropped, while TCP connections work fine.
The router logs the following message:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=XXXX spi=XXXXXXXX seqno=XXXXXXXX
In the output of "show crypto ipsec sa detail | include verify", the "#pkts verify" counter is increasing.
Conditions
"ip rtp header-compression iphc-format" and a crypto map are configured on the same interface.
Workaround
Remove "ip rtp header-compression iphc-format" from the interface.
Further Problem Description
If "ip rtp header-compression iphc-format" is configured, the ESP sequence number gets corrupted, which later causes the MAC calculation to fail. The packet is corrupted on the sending node, not on the node that generates the %CRYPTO-4-RECVD_PKT_MAC_ERR syslog message.
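
A check for the condition above, as an added example (not vendor code): it scans the text of a running-config for interfaces that carry both commands. Because the packet is corrupted on the sending node, the config to audit is that of the peer of the router logging the error. The function name and the sample config (interface names, map name, addresses) are constructed for illustration.

```python
import re

RTP_CMD = "ip rtp header-compression iphc-format"

# Constructed sample running-config; names and addresses are made up.
SAMPLE_CONFIG = """\
hostname peer-router
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip rtp header-compression iphc-format
 crypto map VPNMAP
!
interface Serial0/1
 ip rtp header-compression iphc-format
!
interface GigabitEthernet0/0
 no ip rtp header-compression iphc-format
 crypto map VPNMAP
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.2
"""

def affected_interfaces(config_text):
    """Return interfaces that have both the RTP header-compression
    command and a crypto map applied (the condition described above)."""
    hits, current, flags = [], None, set()

    def flush():
        # Record the interface block just finished if it had both commands.
        if current and {"rtp", "crypto"} <= flags:
            hits.append(current)

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):      # any top-level line closes the block
            flush()
            m = re.match(r"interface\s+(\S+)", line)
            current, flags = (m.group(1) if m else None), set()
        elif current and line.strip() == RTP_CMD:
            flags.add("rtp")
        elif current and re.match(r"crypto map \S+", line.strip()):
            flags.add("crypto")
    flush()                               # config may end inside a block
    return hits

if __name__ == "__main__":
    print(affected_interfaces(SAMPLE_CONFIG))
```
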