site-to-vpn goes down

Unanswered Question
Jul 20th, 2009

Hi, I have a Cisco 2811 connected by VPN to a Sonic firewall. On several occasions the connection is down. In the log of the Cisco 2811 I get the following error:

%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from was not encrypted and it should've been.

*Jul 19 17:38:26.293: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for, prot=50, spi=0x1C4F247F(474948735),

I've looked at the configurations of both the Cisco and the Sonic and they look fine.

Hope someone can help me with this; our client is quite desperate.

FredDenHeijer Thu, 07/23/2009 - 23:32

This article is about two Cisco routers; my situation is with one Cisco and a Sonic firewall. I'm not sure how to set this on the Sonic. Or can I implement this on the Cisco router only?

loizosko Thu, 08/13/2009 - 19:16

We had this issue today as well. We have 2 routers connected via a DS3 running IPsec encryption between them for compliance reasons, since the telco links are not considered trusted. At some point we could not pass traffic across; the links were up and we were receiving the %CRYPTO-4-RECVD_PKT_INV_SPI: error.

We removed the crypto and re-applied it to the interface and it got established. We did put in the crypto isakmp invalid-spi-recovery command afterwards and hopefully the issue does not appear again. We had this issue in the past as well, when we upgraded the IOS and rebooted the router. A second reboot that time fixed it.

I just hope this command will prevent the issue from happening again.

FredDenHeijer Tue, 09/29/2009 - 22:56

Our problem was that we had multiple connections configured as one, but only one line was configured with the VPN. The other side, on its behalf, communicated on only one of the connections.

cempuerto Tue, 09/29/2009 - 23:23

I'm trying to set up a VPN connection using an 1841 router and a TZ-190 SonicWall firewall.

The VPN is not working and I'm getting

"%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from [IP_address] was not encrypted and it should've been"

I have found this article

SonicWall was set to aggressive mode, so I'm planning to follow the steps in the article, making Phase 2 dynamic. Has anyone tried this?


