Invalid Security Parameter Index Recovery

Unanswered Question
Feb 21st, 2010

Hi all,

I have checked the following error in Output Interpreter, and it says that there might be a slight difference in the aging of SAs. To resolve this, what I have found is Invalid Security Parameter Index Recovery, in which we will execute "crypto isakmp invalid-spi-recovery". Please suggest any other solution for this.

Jan 25 09:33:46.865: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=10.190.103.142, prot=50, spi=0xCF5C7F48(-816021688), srcaddr=10.191.8.69

Apart from this, we are getting the following messages on the DMVPN spoke.

(ip) vrf/dest_addr= /10.190.103.142, src_addr= 10.191.8.69, prot= 47
Jan 25 09:00:15.488: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.190.103.142, src_addr= 10.191.8.69, prot= 47
Jan 25 09:01:55.785: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.190.103.142, src_addr= 10.191.8.69, prot= 47
Jan 25 09:03:37.446: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

Jan 25 09:33:38.137: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.190.103.142, src_addr= 10.191.8.69, prot= 47
Jan 25 09:33:46.865: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=10.190.103.142, prot=50, spi=0xCF5C7F48(-816021688), srcaddr=10.191.8.69

I have verified that other DMVPN spokes aren't getting any of these messages; as far as the Hub configuration is concerned, it's fine. These messages are not causing IPsec to go down, but after around 10 days the IPsec tunnel goes down, which causes downtime, and after clearing the IPsec SA everything goes fine, but the cause of these messages is still unknown.

Would an image upgrade solve the issue? We are running ipservicesk9_wan-mz.122-18.SXF9.bin

I have checked the following recommendations from Cisco as well, but found no policy-related mismatch.

%CRYPTO-4-RECVD_PKT_NOT_IPSEC (x1): Rec'd packet not an IPSEC packet.(ip)
dest_addr= [IP_address], src_addr= [IP_address], prot= [dec]

Explanation: A packet was received that matched the encryption (crypto) map ACL,
but is not IPSec-encapsulated. The IPSec peer is sending unencapsulated packets.
This condition may simply be caused by a policy setup error on the peer, or it
might be considered a hostile event.

Recommended Action: Contact the peer's administrator to compare policy settings.


--------------------------------------------------------------------------------


%CRYPTO-4-RECVD_PKT_NOT_IPSEC (x0): Rec'd packet not an IPSEC packet.  (ip) vrf/dest_addr=
[chars]/[IP_address], src_addr= [IP_address], prot= [dec]

Explanation: The received packet matched the encryption (crypto) map ACL, but
the packet is not IPSec-encapsulated. The IPSec peer is sending unencapsulated
packets. There may simply be a policy setup error on the peer. This activity could
be considered a hostile event.


Recommended Action: Contact the peer administrator to compare policy settings
of the IPSec peer.

Regards,

Akhtar
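
Added example, not part of the original post: a small parser for the two %CRYPTO-4 messages quoted above. It re-joins each wrapped detail line to its header and counts, per source/destination pair, the unencapsulated packets by IP protocol and the rejected SPI values. The function names and the sample layout are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: message texts quoted in the post, header line then its detail line.
SAMPLE = """\
Jan 25 09:00:15.488: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.190.103.142, src_addr= 10.191.8.69, prot= 47
Jan 25 09:01:55.785: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.190.103.142, src_addr= 10.191.8.69, prot= 47
Jan 25 09:33:46.865: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
destaddr=10.190.103.142, prot=50, spi=0xCF5C7F48(-816021688), srcaddr=10.191.8.69
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
HEADER = re.compile(r"^(\w{3}\s+\d+ [\d:.]+): %CRYPTO-4-RECVD_PKT_(NOT_IPSEC|INV_SPI):")
FIELDS = {  # both spellings occur: dest_addr/destaddr, src_addr/srcaddr
    "dst": re.compile(r"dest_?addr=\s*(?:\S*/)?" + IP),   # optional "vrf/" prefix
    "src": re.compile(r"src_?addr=\s*" + IP),
    "prot": re.compile(r"prot=\s*(\d+)"),
    "spi": re.compile(r"spi=0x([0-9A-Fa-f]+)"),
}

def parse(text):
    """Re-join wrapped lines, then return one dict per recognised message."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append(line)
        elif records and line.strip():   # detail line; orphans before any header are dropped
            records[-1] += " " + line.strip()
    events = []
    for rec in records:
        ts, kind = HEADER.match(rec).groups()
        f = {k: (m.group(1) if (m := rx.search(rec)) else None) for k, rx in FIELDS.items()}
        if f["src"] and f["dst"] and f["prot"]:   # skip headers whose detail line is missing
            f.update(time=ts, kind=kind, prot=int(f["prot"]), spi=f["spi"] and int(f["spi"], 16))
            events.append(f)
    return events

def summarize(events):
    """Per (src, dst): cleartext packets by IP protocol, rejected SPIs with hit counts."""
    out = defaultdict(lambda: {"NOT_IPSEC": Counter(), "INV_SPI": Counter()})
    for e in events:
        key = e["prot"] if e["kind"] == "NOT_IPSEC" else e["spi"]
        out[(e["src"], e["dst"])][e["kind"]][key] += 1
    return out

if __name__ == "__main__":
    print({pair: {k: dict(c) for k, c in s.items()} for pair, s in summarize(parse(SAMPLE)).items()})
```

Run over a longer capture, the per-pair output shows whether the invalid-SPI messages repeat one SPI value or many, and which IP protocol numbers are arriving unencapsulated.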
