Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13340
Views
0
Helpful
2
Replies

%CRYPTO-4-RECVD_PKT_INV_SPI:

SludnevTN_2
Level 1
Level 1

‎04-28-2009 12:18 AM

Everyday I have a lot of this messages:

9317: Apr 28 03:00:16.709: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=89.175.xx.xx, prot=50, spi=0x6D715B56(1836145494), srcaddr=77.236.xx.xx

Then Virtual Tunnel Interfaces begin to bounce UP-DOWN.

Sometimes they "hang".

1. What causes them?

2. How can I avoid them?

1 person had this problem
Labels:
0 Helpful
2 Replies 2

vmoopeung
Level 5
Level 5

‎05-05-2009 08:39 AM

A router that is running Cisco IOS Release 12.4(22)T and that is configured for L2L tunnels may intercept pass-thru UDP 4500 packets that are destined to internal client.

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xDD8DEB2(232316594), srcaddr=y.y.y.y.

Is logged on the at-fault router.

Conditions: The router that is running Cisco IOS Release 12.4(22)T is configured for IPsec. Internal IPsec client being NATed on router using nat-t.

Workaround: There is no workaround.

0 Helpful

SludnevTN_2
Level 1
Level 1
In response to vmoopeung

‎05-25-2009 08:53 AM

Thank you for your reply.

Does this means that some one inside LAN is trying to "vpn" somewhere?

0 Helpful
Customers Also Viewed These Support Documents