Unanswered Question
Mar 20th, 2007


We use two routers with a site-to-site VPN. One site has a static IP, the other site has a dynamic IP. Sometimes we get an error message on the router.

The error-message is:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xAA221071(2854359153), srcaddr=x.x.x.x.

At this time no traffic goes through the tunnel.

We use IOS 12.4.9 T1

Any idea for this problem?

puagarwa Tue, 03/20/2007 - 17:12

This message is due to the fact that one side is holding the IPSec SA and the other side does not have similar IPSec SAs, so definitely traffic will not pass.

You should make sure that the lifetimes for both phase 1 and phase 2 are exactly the same on both sides.

Also, the following command should be used; put it in global configuration mode on both routers:

crypto isakmp invalid-spi-recovery

MICHAEL RUCKER Tue, 03/20/2007 - 23:45

Thank you puagarwa for answering.

The lifetimes for both phases are the same, and I have already configured

crypto isakmp invalid-spi-recovery

Any other ideas?
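Added example, not part of the thread or any poster's code: a small parser for the `%CRYPTO-4-RECVD_PKT_INV_SPI` message quoted above that flags peers which keep sending on the same unknown SPI, the one-sided SA situation the first reply describes, as opposed to a single hit around a rekey. The ISO timestamp prefix, the five-minute window, the threshold of three and all sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message body as quoted in the thread; the leading ISO timestamp is an assumption.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[^,\s]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<hex>[0-9A-Fa-f]+)\((?P<dec>\d+)\), srcaddr=(?P<src>[^,\s]+?)\.?\s*$"
)

def parse_line(line):
    """Return the fields of one invalid-SPI message, or None if it is not one."""
    m = INV_SPI.search(line)
    if not m or int(m["hex"], 16) != int(m["dec"]):  # hex and decimal must agree
        return None
    return {"ts": datetime.fromisoformat(line.split()[0]),
            "src": m["src"], "dst": m["dst"], "spi": int(m["dec"])}

def stale_sa_peers(lines, window=timedelta(minutes=5), threshold=3):
    """Map (peer, SPI) -> total hits where `threshold` hits fall inside `window`."""
    seen = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        seen[(ev["src"], ev["spi"])].append(ev["ts"])
    flagged = {}
    for key, stamps in seen.items():
        stamps.sort()
        # Sliding window over the sorted timestamps of one (peer, SPI) pair.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[key] = len(stamps)
                break
    return flagged

# Constructed sample input (documentation addresses; the first SPI is the thread's).
_MSG = ("{ts} %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
        "for destaddr=192.0.2.1, prot=50, spi={spi}, srcaddr={src}.")
SAMPLE = [
    _MSG.format(ts="2007-03-20T10:00:01", spi="0xAA221071(2854359153)", src="198.51.100.7"),
    _MSG.format(ts="2007-03-20T10:00:31", spi="0xAA221071(2854359153)", src="198.51.100.7"),
    _MSG.format(ts="2007-03-20T10:01:02", spi="0xAA221071(2854359153)", src="198.51.100.7"),
    _MSG.format(ts="2007-03-20T10:20:00", spi="0x1B2C3D4E(455884110)", src="203.0.113.9"),
    "2007-03-20T10:21:00 %LINK-3-UPDOWN: Interface Tunnel0, changed state to down",
]

if __name__ == "__main__":
    for (peer, spi), hits in stale_sa_peers(SAMPLE).items():
        print(f"{peer}: {hits} packets on unknown SPI 0x{spi:08X}")
```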

