SPI mismatch

Unanswered Question
Jan 9th, 2009

I have an ASA in our central office and an ASA in our branch office. We run an ipsec site to site VPN, that works fine. Yesterday it just stopped (in the branch office), investigations suggested that the tunnel was up but no packets were being encrypted or decrypted (sho crypto ipsec sa). i then did a debug crypto ipsec 2 and got the following message:

IPSEC WARNING: inbound SA deletion retry, SPI: 0xA2280726, user:, peer:

IPSEC WARNING: outbound SA deletion retry, SPI: 0xD2820A4C, user:, peer:

(not our real ip's)

It was here that we noticed that the SPI's in the sho crypto ipsec sa didn't match the SPI's coming from the central office. I tried clearing the crypto ipsec sa, but that didn't work so i rebooted the FW. When it came back up it started working again, and the SPI's matched.

The problem is it happened again 15 hours later.

Can anyone tell me what thr SPI is and why it might not match with the central office?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Fri, 01/09/2009 - 16:31

SPI's are security numbers negotiated during tunnel establishment, they help to identify the traffic coming thru this tunnel.

Whey they did not match can depend on various reasons, the main one is when the tunnel on one end drops down and tries to regenerate the tunnel to the other end, when this happens they security numbers are regenerated and they do not match, this condition is present when no keepalives or Dead Peer Detection is enabled on the vpn endpoints and the behavior occurs cause none of the vpn endpoint is aware that the tunnel or peer is down and "believes" that there is no need to renegotiate the tunnel.

When you cleared this IPSEC SA did you do it on the Central or the Branch? usually you would need to clear it on both to make this tunnel to be rebuilt.

What code of ASA do you have on both endpoints?

andrewjballard Sat, 01/10/2009 - 01:50

Thanks, i will have a look to see if there are any keepalives running.

I only cleared the IPSEC SA at the branch, and the ASA 7.2

Thanks again.


This Discussion