VPN error invalid spi urgent help

Unanswered Question
Dec 29th, 2008

we are running MPLS VPN using Tunnel0 interface , we go the frequent below error message in router conole , it seems clinet end router holding old SA, it is not refereshed. pl advise, urgent

INCDR#

*Dec 29 09:19:11.134: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x2968B91(43420561), srcaddr=10.51.105.1

*Dec 29 09:20:55.197: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x27BD4575(666715509), srcaddr=10.51.105.1

*Dec 29 09:22:50.185: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0xB243ED01(2990796033), srcaddr=10.51.105.1

INCHENNAIDR#

INCHENNAIDR#ping 10.51.105.1

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Brent Rockburn Mon, 12/29/2008 - 12:15

You can try "crypto isakmp invalid-spi-recovery"

Also if you're problem is the client holding old sa's I suggest you put in "crypto isakmp keepalive 10 periodic"

deccankarthik Mon, 12/29/2008 - 23:37

i have already configured "crypto isakmp invalid-spi-recovery "

now i have added "crypto isakmp keepalive 10 periodic "

i will update the result soon , other wise the client has to clear the SA in their router.Is it correct ?

Brent Rockburn Mon, 12/29/2008 - 23:59

What is the problem you're having exactly. The invalid SPI maybe not be the issue rather the symptom of a bigger configuration problem. Can you post your confi, or maybe describe the network a little more?

Thanks,

Actions

This Discussion