VPN question for Cisco 2811

Unanswered Question

Hi,

Sometimes,Our vpn tunnel is offten disconnected. so at that time, i captured logs as followings.

Please let me know what this means

My E-mail : [email protected]

Thanks.

*Jul 16 10:11:50 GMT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

destaddr=10.185.32.222, prot=50, spi=0xEFA48265(4020535909), srcaddr=192.168.34.1

*Jul 16 10:11:50 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.168.34.1 has no SA and is not an initialization offer

*Jul 16 10:11:56 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

Jul 18 07:23:27 GMT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=2

Jul 19 00:48:37 GMT: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed

connection id=1

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jsivulka Thu, 11/01/2007 - 07:59

It is great idea to capture the logs. The meanings of the error are following:

1. %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([dec])

A received IPSec packet specifies an SPI that does not exist in SADB. This may be a temporary condition because of slight differences in the aging of SAs between the IPSec peers or because the local SAs have been cleared. It may also be caused by invalid packets sent by the IPSec peer. This activity could be considered a hostile event.

Recommended Action: If the local SAs have been cleared, the peer may not know. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

2. %CRYPTO-4-IKMP_NO_SA: IKE message from [IP_address] has no SA and is not an initialization offer

IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

Recommended Action: Contact the remote peer and the administrator of the remote peer.

3. %CRYPTO-4-PKT_REPLAY_ERR: [chars] connection id=[dec]

The replay processing has failed. The failed replay processing may be a temporary condition caused by the wait for new SAs to be established. In the inbound case, this error might also be caused by an actual replay attack. This activity can be considered a hostile event.

Recommended Action: If the problem appears to be more than a transient one, contact the peer administrator.

4. %LINEPROTO-5-UPDOWN: Line protocol on Interface [chars], changed state to [chars]

The data link level line protocol has changed state.

Recommended Action: No action is required

Actions

This Discussion