Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6967
Views
0
Helpful
3
Replies

SPI mismatch

andrewjballard
Level 1
Level 1

‎01-09-2009 04:52 AM

I have an ASA in our central office and an ASA in our branch office. We run an ipsec site to site VPN, that works fine. Yesterday it just stopped (in the branch office), investigations suggested that the tunnel was up but no packets were being encrypted or decrypted (sho crypto ipsec sa). i then did a debug crypto ipsec 2 and got the following message:

IPSEC WARNING: inbound SA deletion retry, SPI: 0xA2280726, user: 1.1.2.17, peer: 1.1.2.17

IPSEC WARNING: outbound SA deletion retry, SPI: 0xD2820A4C, user: 1.1.2.17, peer: 1.1.2.17

(not our real ip's)

It was here that we noticed that the SPI's in the sho crypto ipsec sa didn't match the SPI's coming from the central office. I tried clearing the crypto ipsec sa, but that didn't work so i rebooted the FW. When it came back up it started working again, and the SPI's matched.

The problem is it happened again 15 hours later.

Can anyone tell me what thr SPI is and why it might not match with the central office?

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Ivan Martinon
Level 7
Level 7

‎01-09-2009 04:31 PM

SPI's are security numbers negotiated during tunnel establishment, they help to identify the traffic coming thru this tunnel.

Whey they did not match can depend on various reasons, the main one is when the tunnel on one end drops down and tries to regenerate the tunnel to the other end, when this happens they security numbers are regenerated and they do not match, this condition is present when no keepalives or Dead Peer Detection is enabled on the vpn endpoints and the behavior occurs cause none of the vpn endpoint is aware that the tunnel or peer is down and "believes" that there is no need to renegotiate the tunnel.

When you cleared this IPSEC SA did you do it on the Central or the Branch? usually you would need to clear it on both to make this tunnel to be rebuilt.

What code of ASA do you have on both endpoints?

0 Helpful

andrewjballard
Level 1
Level 1
In response to Ivan Martinon

‎01-10-2009 01:50 AM

Thanks, i will have a look to see if there are any keepalives running.

I only cleared the IPSEC SA at the branch, and the ASA 7.2

Thanks again.

0 Helpful

Pravin Phadte
Level 5
Level 5
In response to andrewjballard

‎01-12-2009 06:47 AM

provideing your configs for vpn from both sites would be much helpful .

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents