%CRYPTO-4-RECVD_PKT_INV_SPI:

Unanswered Question
Apr 28th, 2009

Everyday I have a lot of this messages:

9317: Apr 28 03:00:16.709: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=89.175.xx.xx, prot=50, spi=0x6D715B56(1836145494), srcaddr=77.236.xx.xx

Then Virtual Tunnel Interfaces begin to bounce UP-DOWN.

Sometimes they "hang".

1. What causes them?

2. How can I avoid them?

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vmoopeung Tue, 05/05/2009 - 08:39

A router that is running Cisco IOS Release 12.4(22)T and that is configured for L2L tunnels may intercept pass-thru UDP 4500 packets that are destined to internal client.

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xDD8DEB2(232316594), srcaddr=y.y.y.y.

Is logged on the at-fault router.

Conditions: The router that is running Cisco IOS Release 12.4(22)T is configured for IPsec. Internal IPsec client being NATed on router using nat-t.

Workaround: There is no workaround.

SludnevTN_2 Mon, 05/25/2009 - 08:53

Thank you for your reply.

Does this means that some one inside LAN is trying to "vpn" somewhere?

Actions

This Discussion