Invalid Security Parameter Index

Unanswered Question
Sep 25th, 2008
User Badges:


We have implemented DMVPN on all our local office using static routes as the rule on which interesting traffic to use the tunnel.

On the HUB router, we have local office connecting to our DMVPN. Our international office is connected via normal GRE Tunnel for the mean time.

This solution has been running since December 2007 and recently we have been getting a lot of error logs on the HUB

003169: Sep 26 2008 14:04:34.570 EST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=DMVPN HUB, prot=50, spi=0xF02E779F(4029577119), srcaddr=DMVPN SPOKE

I have program "crypto isakmp invalid-spi-recovery" on the global command and we are still getting the error after clear the IKE and IPSec SAs

Help please...



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
smahbub Wed, 10/01/2008 - 09:12
User Badges:
  • Silver, 250 points or more

Error Message - %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[int], prot=[dec], spi=0x[hex]([dec]), (ONEMIN)

Explanation - A received IPSEC packet specifies an SPI that does not exist in the security association database (SADB). This may be a temporary condition resulting from slight differences in the aging of SAs between the IPSEC peers, or because the local SAs have been cleared. It may also be caused by bogus packets being sent by the IPSEC peer. Some might consider this a hostile event.

Recommended Action - If the local SAs have been cleared, the peer may not know this. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.


This Discussion