cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
881
Views
0
Helpful
4
Replies

VPN error invalid spi urgent help

deccankarthik
Level 1
Level 1

we are running MPLS VPN using Tunnel0 interface , we go the frequent below error message in router conole , it seems clinet end router holding old SA, it is not refereshed. pl advise, urgent

INCDR#

*Dec 29 09:19:11.134: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x2968B91(43420561), srcaddr=10.51.105.1

*Dec 29 09:20:55.197: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x27BD4575(666715509), srcaddr=10.51.105.1

*Dec 29 09:22:50.185: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0xB243ED01(2990796033), srcaddr=10.51.105.1

INCHENNAIDR#

INCHENNAIDR#ping 10.51.105.1

4 Replies 4

andrew.prince
Level 10
Level 10

You need to check the source of the VPN tunnel, the attached logs indicate that the device has received packets for a destination of 192.168.118.62 - is this the tunnel IP address of the MPLS connection? And an originating IP of 10.5.105.1 is this the remote end?

Brent Rockburn
Level 2
Level 2

You can try "crypto isakmp invalid-spi-recovery"

Also if you're problem is the client holding old sa's I suggest you put in "crypto isakmp keepalive 10 periodic"

i have already configured "crypto isakmp invalid-spi-recovery "

now i have added "crypto isakmp keepalive 10 periodic "

i will update the result soon , other wise the client has to clear the SA in their router.Is it correct ?

What is the problem you're having exactly. The invalid SPI maybe not be the issue rather the symptom of a bigger configuration problem. Can you post your confi, or maybe describe the network a little more?

Thanks,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: