
Problem with VPN behind the NAT

p.bryliov
Level 1

I have this scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml

But I have a problem: the VPN does not come up from the router which is behind the NAT, but it does come up from the other site. Can anybody help me resolve this problem?


a.alekseev
Level 7

Do you have any vpn on the PIX also?

Yes, I have active VPN tunnels on my PIX. How can it influence my scheme?

What PIX version do you have?

PIX 515E

Cisco PIX Security Appliance Software Version 7.0(1)

a.alekseev
Level 7

debug crypto ipsec

debug crypto isakmp

no access-list 120

access-list 120 permit ip host 192.168.34.1 host 192.168.11.7

no ip access-list extended VPN

ip access-list extended VPN

permit ip host 192.168.11.7 host 192.168.34.1

I have attached the debug output taken without deleting the access-list. After deleting the access-list on the c2811, the VPN tunnel came up. But after I reloaded the c871, the VPN again does not come up from the c2811.

so... Was it working?

try to add on both sides

crypto isakmp keepalive 10

crypto isakmp invalid-spi-recovery

after that do

clear crypto sa

clear crypto isa sa

Yes, I added crypto isakmp invalid-spi-recovery previously and the VPN tunnel worked, but in the scheme http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008045a2d2.shtml there is no crypto isakmp invalid-spi-recovery. What does this line do? How safe and stable is this config?

Yes, I have read this guide and this confuses me

If an IKE SA is being initiated to notify an IPSec peer of an "Invalid SPI" error, there is the risk that a denial-of-service (DoS) attack can occur. The feature has a built-in mechanism to minimize such a risk, but because there is a risk, the feature is not enabled by default. You must enable the command using command-line interface (CLI).

Can the VPN work without crypto isakmp invalid-spi-recovery? I think the c871 doesn't detect NAT.

Did you save the config?
