Unanswered Question
Jan 4th, 2010

Hi all,

I'm trying a GETVPN/DMVPN setup with two KeyServers and two DMVPN Hubs (and a few spokes for testing).

Having the setup all up and running, it works fine. The two GET-Keyservers are configured as per the Cisco guide, and they are set up with a primary KS and a coop secondary.

The problem is that when I power off Keyserver 1 (primary) to test a power outage, Keyserver 2 takes on the role as the new key-server, but new spokes that are booted up seem to be getting wrong IPSEC IDs.

I get this error on all routers that start participating as GMs:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<ip of spoke>, prot=50, spi=0x889642C4(2291548868), srcaddr=<IP of hub>

So it looks like the SPI is different for routers that have been members of Keyserver1 and for routers that are members of Keyserver2.

I have checked the two Keyserver routers when they are both up and alive, and all seems to be ok.

Software is 12.4(11)T

Any ideas?


kelvindam Tue, 01/05/2010 - 10:03

Problem solved.

I upgraded my routers to 12.4(24)T2 and that solved the issue by making all SPIs identical.
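
Added example, not part of the thread or of any Cisco tooling: a small Python parser for the `%CRYPTO-4-RECVD_PKT_INV_SPI` message quoted above. It groups rejected SPIs by sending peer and lists which receivers dropped them, which shows whether the drops cluster on GMs that registered after a key-server failover. The sample log lines, timestamps and addresses are constructed.

```python
import re
from collections import defaultdict

# Matches the fields of the syslog message quoted in the thread.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[^,\s]+),\s*"
    r"prot=(?P<prot>\d+),\s*spi=0x(?P<hex>[0-9A-Fa-f]+)\((?P<dec>\d+)\),\s*"
    r"srcaddr=(?P<src>[^,\s]+)"
)

def parse_inv_spi(line):
    """Return the event as a dict, or None if the line is not a valid match."""
    m = INV_SPI.search(line)
    if not m:
        return None
    spi = int(m["hex"], 16)
    # IOS prints the SPI in hex and decimal; a mismatch means a garbled line.
    if spi != int(m["dec"]):
        return None
    return {"src": m["src"], "dst": m["dst"], "prot": int(m["prot"]), "spi": spi}

def summarize(lines):
    """Map sender -> {rejected SPI -> sorted receivers that dropped it}."""
    by_src = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ev = parse_inv_spi(line)
        if ev:
            by_src[ev["src"]][ev["spi"]].add(ev["dst"])
    return {s: {spi: sorted(d) for spi, d in spis.items()}
            for s, spis in by_src.items()}

# Constructed sample input (documentation addresses; SPI value from the post).
SAMPLE = [
    "Jan  4 10:01:02: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=192.0.2.11, prot=50, "
    "spi=0x889642C4(2291548868), srcaddr=198.51.100.1",
    "Jan  4 10:01:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=192.0.2.12, prot=50, "
    "spi=0x889642C4(2291548868), srcaddr=198.51.100.1",
    # Garbled line: decimal does not match hex, so it is skipped.
    "Jan  4 10:01:06: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=192.0.2.13, prot=50, "
    "spi=0x889642C4(1), srcaddr=198.51.100.1",
    "Jan  4 10:01:07: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up",
]

if __name__ == "__main__":
    for src, spis in summarize(SAMPLE).items():
        for spi, receivers in spis.items():
            print(f"{src} spi=0x{spi:08X} rejected by {', '.join(receivers)}")
```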


