Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
819
Views
0
Helpful
1
Replies

GRE Tunnel Error "crypto-4-recvd_pkt_inv_spi"

jbenoit1010
Level 1
Level 1

‎01-12-2009 03:15 PM

I have a hub-spoke topology with GRE tunnels using OSPF. There are two tunnels each associated to their own physical interface on each router. All the connectivty is fine. However, this design is a redundant design so I am testing the failure of the links (physical interfaces as well as the tunnels). When I "shutdown" the Tunnel0 or Tunnel1 interface the traffic is reestablished over the other physical/logical route and pings continue. When I "no shutdown" the interface everything returns back to normal. So far so good....now when I physically remove the cable from the hub router interface FA0/0 or FA0/1 the tunnel will NOT failover to the active interface..AND when I reconnect the cable the tunnel cannot re-establish. I get the "crypto-4-recvd_pkt_inv_spi" error. When I issue the "clear crytpo session" on the hub or spoke the tunnel comes back up. I have tried the "crytpo isakmp invalid-spi-recovery" command but it does not change the results.

I am running version 12.4(13r)T on all routers.

Any ideas on what I can try to make this work if I physically lose a port or connection?

Thanks,

Justin

Labels:
0 Helpful
1 Reply 1

Ivan Martinon
Level 7
Level 7

‎01-12-2009 03:19 PM

Do you have isakmp keepalives enabled on both peers, seems they are not detecting that the endpoints are not reachable any longer.

0 Helpful
Customers Also Viewed These Support Documents