VPN error invalid spi urgent help

Unanswered Question
Dec 29th, 2008
User Badges:

we are running MPLS VPN using Tunnel0 interface , we go the frequent below error message in router conole , it seems clinet end router holding old SA, it is not refereshed. pl advise, urgent



INCDR#

*Dec 29 09:19:11.134: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x2968B91(43420561), srcaddr=10.51.105.1

*Dec 29 09:20:55.197: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x27BD4575(666715509), srcaddr=10.51.105.1

*Dec 29 09:22:50.185: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0xB243ED01(2990796033), srcaddr=10.51.105.1

INCHENNAIDR#

INCHENNAIDR#ping 10.51.105.1


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Brent Rockburn Mon, 12/29/2008 - 12:15
User Badges:

You can try "crypto isakmp invalid-spi-recovery"


Also if you're problem is the client holding old sa's I suggest you put in "crypto isakmp keepalive 10 periodic"

deccankarthik Mon, 12/29/2008 - 23:37
User Badges:

i have already configured "crypto isakmp invalid-spi-recovery "


now i have added "crypto isakmp keepalive 10 periodic "


i will update the result soon , other wise the client has to clear the SA in their router.Is it correct ?

Brent Rockburn Mon, 12/29/2008 - 23:59
User Badges:

What is the problem you're having exactly. The invalid SPI maybe not be the issue rather the symptom of a bigger configuration problem. Can you post your confi, or maybe describe the network a little more?


Thanks,

Actions

This Discussion