The router received a "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for" message.
I understand this message means that the router received an IPSec packet with an SPI that does not exist in the local SA database.
This router connects to the IPSec peer via a GRE tunnel, and when this message was displayed on the router, the router's tunnel interface went down and then up, but the physical interface (the tunnel source interface) remained up and did not go down.
My question is:
Is the SPI/IPSec SA removed from the local SA database when the related tunnel interface goes down?
I understand that the IPSec SA lifetime is not "zero cleared" by sending a packet matched against the crypto map, the way a dialer idle time is; this means the IPSec SA lifetime only decrements from the configured timer (default 3600 seconds) even if a matched packet is sent to the peer.
Is my understanding true?
Your information would be appreciated.