Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1565
Views
0
Helpful
2
Replies

CRYPTO-4-RECVD_PKT_INV_SPI error - conflict ESP/AH protocol on UMA phone?

julianunderwood
Level 1
Level 1

‎03-28-2009 04:15 PM

Hi,

I have an annoying problem. I have a Cisco 871W router with a VPN tunnel to another location that works fine. If the tunnel is up, UMA enabled phones won't work on the connection and the router will log this error:

*Mar 29 01:44:37.791: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has in

valid spi for destaddr=xx.xx.x.xx, prot=50, spi=0x8884FEDE(2290417374), srcaddr=20

8.54.87.1

If I remove the crypto map off the external interface (FastEthernet 4) the UMA enabled phones work fine, but no VPN tunnel (obviously)! I even tried changing the VPN protocol from ESP to AH.

Does anyone know how I can have the tunnel up and also have the UMA phones work too?

Attached is the config... Does anyone have any suggestions on how I can fix this or how I should modify my config?

Thanks,

Julian

Labels:
Preview file
4 KB
0 Helpful
2 Replies 2

owillins
Level 6
Level 6

‎04-02-2009 02:29 PM

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has in valid spi for destaddr=xx.xx.x.xx, prot=50, spi=0x8884FEDE(2290417374), srcaddr=208.54.87.1

The above error states an IPSec packet was received that specified an SPI that does not exist in the SADB. This may be a temporary condition because of slight differences in aging of SAs between the IPSec peers, or this condition might be caused by local SAs that have been cleared. This condition may also be caused by bogus packets that were sent by the IPSec peer. Under some circumstances this would be considered a hostile event.

To resolve this issue: If the local SAs have been cleared, the peer may not be aware of this condition. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

0 Helpful

julianunderwood
Level 1
Level 1
In response to owillins

‎04-02-2009 04:07 PM

Well, I know that my phone is attempting to establish some sort of tunnel to support UMA.

I also know that if I shut down the tunnel to another site (something completely separate) that the phone is able to establish it's tunnel and works great.

I DON'T know how to have my tunnel up AND have the phone establish IT'S tunnel.

I think the phone gets confused with the existing tunnel and as a result can't establish the connection that it needs. If I had multiple IP addresses I'd establish the tunnel on a separate address and have the phone go out on a different IP but I am not in that situation.

Any other thoughts or concrete ways I could circumvent this "conflict"/behavior?

Thanks!

Julian

0 Helpful
Customers Also Viewed These Support Documents