12-29-2008 01:30 AM
We are running MPLS VPN using the Tunnel0 interface. We got the error message below frequently on the router console. It seems the client-end router is holding an old SA; it is not refreshed. Please advise, urgent.
INCDR#
*Dec 29 09:19:11.134: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x2968B91(43420561), srcaddr=10.51.105.1
*Dec 29 09:20:55.197: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x27BD4575(666715509), srcaddr=10.51.105.1
*Dec 29 09:22:50.185: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0xB243ED01(2990796033), srcaddr=10.51.105.1
INCHENNAIDR#
INCHENNAIDR#ping 10.51.105.1
12-29-2008 08:33 AM
You need to check the source of the VPN tunnel. The attached logs indicate that the device has received packets for a destination of 192.168.118.62. Is this the tunnel IP address of the MPLS connection? And an originating IP of 10.5.105.1, is this the remote end?
12-29-2008 12:15 PM
You can try "crypto isakmp invalid-spi-recovery"
Also, if your problem is the client holding old SAs, I suggest you put in "crypto isakmp keepalive 10 periodic"
12-29-2008 11:37 PM
I have already configured "crypto isakmp invalid-spi-recovery".
Now I have added "crypto isakmp keepalive 10 periodic".
I will update the result soon; otherwise the client has to clear the SA in their router. Is it correct?
12-29-2008 11:59 PM
What is the problem you're having exactly? The invalid SPI may not be the issue but rather the symptom of a bigger configuration problem. Can you post your config, or maybe describe the network a little more?
Thanks,
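One way to triage the messages from the first post, as an added example that is not part of the original thread: it parses %CRYPTO-4-RECVD_PKT_INV_SPI lines and reports, per source/destination pair, how many arrived, how many distinct SPIs they carried, and the seconds between them. The function names and the `year` argument are assumptions; the sample input is the three lines from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three console messages from the first post, copied as posted.
SAMPLE = """\
*Dec 29 09:19:11.134: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x2968B91(43420561), srcaddr=10.51.105.1
*Dec 29 09:20:55.197: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x27BD4575(666715509), srcaddr=10.51.105.1
*Dec 29 09:22:50.185: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0xB243ED01(2990796033), srcaddr=10.51.105.1
"""

INV_SPI = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): %CRYPTO-4-RECVD_PKT_INV_SPI: .*?"
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<hex>[0-9A-Fa-f]+)\((?P<dec>\d+)\), srcaddr=(?P<src>[\d.]+)"
)

def parse(text, year=2008):
    """Return one dict per well-formed invalid-SPI message in text.

    year is an assumption: these timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in text.splitlines():
        m = INV_SPI.search(line)
        if not m or int(m["hex"], 16) != int(m["dec"]):
            continue  # not this message, or hex and decimal SPI disagree
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"],
                       "prot": int(m["prot"]), "spi": int(m["dec"])})
    return events

def summarize(events):
    """Group by (srcaddr, destaddr): count, distinct SPIs, seconds between messages."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[(e["src"], e["dst"])].append(e)
    report = {}
    for peer, evs in by_peer.items():
        evs.sort(key=lambda e: e["ts"])
        report[peer] = {
            "count": len(evs),
            "distinct_spis": len({e["spi"] for e in evs}),
            "gaps_s": [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])],
        }
    return report

if __name__ == "__main__":
    for (src, dst), r in summarize(parse(SAMPLE)).items():
        print(f"{src} -> {dst}: {r}")
```

On the posted lines, all three messages come from srcaddr 10.51.105.1 with prot=50 (ESP), and each carries a different SPI.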