Is an IPsec SA removed when the related tunnel I/F goes down?

Sep 4th, 2007

Hi everyone,

Router received "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for" message.

I understand this message means that the router received an IPsec packet with an SPI that does not exist in the local SA database.

This router connects to the IPsec peer via a GRE tunnel, and when this message was displayed on the router, the router's tunnel interface went down and then came back up, but the physical interface (the tunnel source interface) remained up and did not go down.

My question is:

Is the SPI/IPsec SA removed from the local SA database when the related tunnel interface goes down?


I understand that the IPsec SA lifetime is not "zero-cleared" (reset) by sending a packet that matches the crypto map, unlike a dialer idle timer; this means the IPsec SA lifetime only decrements from the configured timer (default 3600 seconds) even if matched packets are sent to the peer.

Is my understanding true?

Your information would be appreciated.
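A defender-side triage script for the message quoted in the question, added here as an example and not part of the original thread: it parses constructed IOS syslog lines, counts invalid-SPI packets per source peer, and records how many invalid-SPI events preceded each tunnel line-protocol "down" event, so the flap described above can be lined up against the SADB misses. Assumptions: the `destaddr=/prot=/spi=/srcaddr=` tail of the message and the `%LINEPROTO-5-UPDOWN` line follow the usual IOS formats; all sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample IOS syslog lines (not from the original thread).
# The "destaddr=/prot=/spi=/srcaddr=" tail is an assumed continuation of the
# "%CRYPTO-4-RECVD_PKT_INV_SPI ... invalid spi for" prefix quoted on the page.
SAMPLE_LOG = """\
Sep  4 10:01:02.111: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7
Sep  4 10:01:02.500: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7
Sep  4 10:01:03.020: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Sep  4 10:01:09.300: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Sep  4 10:03:15.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x00000001(1), srcaddr=203.0.113.9
"""

INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?spi=(0x[0-9A-Fa-f]+)\(\d+\),\s*srcaddr=(\S+)")
TUN_DOWN = re.compile(
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to down")


def analyze(log: str) -> dict:
    """Summarise invalid-SPI events per peer and relate them to tunnel flaps.

    Returns per-peer counts, the set of unknown SPIs each peer used, and a list
    of (interface, invalid_spi_events_since_previous_down) for every tunnel
    'down' transition, which is the correlation the question describes.
    """
    per_peer = Counter()
    spis = defaultdict(set)
    tunnels_down = []
    since_last_down = 0
    for line in log.splitlines():
        m = INV_SPI.search(line)
        if m:
            spi, peer = m.group(1).lower(), m.group(2)
            per_peer[peer] += 1
            spis[peer].add(spi)
            since_last_down += 1
            continue
        m = TUN_DOWN.search(line)
        if m:
            tunnels_down.append((m.group(1), since_last_down))
            since_last_down = 0
    return {"per_peer": dict(per_peer),
            "spis": {p: sorted(s) for p, s in spis.items()},
            "tunnels_down": tunnels_down}


def peers_to_check(result: dict, threshold: int = 2) -> list:
    """Peers whose packets missed the local SADB at least `threshold` times;
    candidates for the 'SA cleared locally, peer still sending' case."""
    return sorted(p for p, n in result["per_peer"].items() if n >= threshold)
```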


ivillegas Mon, 09/10/2007 - 14:04

If the local SAs have been cleared, the peer may not know. In this case, if a new connection is established from the local router, the two peers may reestablish connection successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

nefkensp Fri, 09/14/2007 - 08:14

If you enable the ISAKMP keepalive option, then both peers will recognize that the interface on either side went down for a brief moment of time (if a keepalive timeout occurs). If that happens, the tunnel will be brought down on both sides and will be reestablished again if interesting traffic passes by.

Hope this helps.

