Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1090
Views
0
Helpful
2
Replies

Large FTP transfers fail - IPSec invalid SPI's

droeun141
Level 1
Level 1

‎04-23-2010 12:09 PM - edited ‎02-21-2020 04:36 PM

We're having a problem with large FTP transfers (400+mb) failing via site-to-site VPN, we get about half way through & the connection fails followed by a new phase 1 exchange.  This is only affecting 1 of 7 tunnels.  Last week we enabled invalid SPI recovery & isakmp keepalives, and it seems the next day is when we started having issues - fix one thing, break another!  We only had one of these errors last week, but since the commands were introduced the next day there are literally tons.  It kind of seems like it's doing the complete opposite of what it was intended.  Thoughts?

Commands:

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10

Errors:

Apr 23 12:26:22 10.254.254.1 2528495: Apr 23 12:27:04.796 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.255.254.1, prot=50, spi=0x5D6B57DC(1567315932), srcaddr=192.168.1.1
Apr 23 12:28:43 10.254.254.1 2528879: Apr 23 12:29:25.533 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.255.254.1, prot=50, spi=0x9D3555FA(2637518330), srcaddr=192.168.1.1
Apr 23 12:45:21 10.254.254.1 2529923: Apr 23 12:46:04.090 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.255.254.1, prot=50, spi=0xA3BBF6AD(2747004589), srcaddr=192.168.1.1
Apr 23 13:11:16 10.254.254.1 2531695: Apr 23 13:11:58.555 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.255.254.1, prot=50, spi=0x3D0C507C(1024217212), srcaddr=192.168.1.1
Apr 23 13:11:32 10.254.254.1 2531753: Apr 23 13:12:13.280 EDT: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.168.1.1 has no SA and is not an initialization offer

Labels:
0 Helpful
2 Replies 2

Dirk Feldhaus
Level 1
Level 1

‎05-07-2010 11:42 AM

Hello,

starting with the easiest parameters: Have you checked the sa lifetimes on both devices. Maybe the sa lifetime or volume threshold is reached during the ftp transfer and one of the endpoints tries to create new keys.

0 Helpful

droeun141
Level 1
Level 1
In response to Dirk Feldhaus

‎05-10-2010 03:54 AM

Thanks for the reply.  I was actually thinking the same thing but found out the devices will create new sessions before exceeding volume limit.  As it turns out, we had keepalives enabled and UDP/500 was only permitted in one direction.  We fixed the issue by disabling keepalives.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents