IPSec tunnel No IKE

Answered Question
Oct 27th, 2011

Hi

I have the following IPSec tunnel fluctuating between the status of UP-Active and UP-NO-IKE, and the VPN drops.

In the logs I see the following:

RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2xx.xx.x.x, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=1x.x.x.x

%CRYPTO-4-IKMP_NO_SA: IKE message from 1xx.xx.xx.xx  has no SA and is not an initialization offer

Below is the output of sh crypto isakmp sa:

dst             src             state          conn-id slot status
1.x.x.x     2.x.x.x   QM_IDLE             19    0 ACTIVE

The status above changes as below after a few moments.

UAT-PEER#sh crypto isakmp sa
dst             src             state          conn-id slot status
1.x.x.x     2.x.x.x   MM_NO_STATE         19    0 ACTIVE (deleted)

I could ping the peer outside VPN fine.

Can anyone please help me to understand what could be causing the above?

regards,

Sandip

sandipbarot.aus Sun, 10/30/2011 - 16:05

Hi Hristea,

Thanks, it was indeed a strange connectivity issue.

Though I could do a traceroute and ping from the firewall without any drops, it showed drops when I pinged from the VPN.

Pinging each IP in the route individually gave the IP which was causing the issue, and rerouting through the ISP path resolved the issue.

Thanks

Sandip

Correct Answer
Ionut.Hristea Fri, 10/28/2011 - 02:02

When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one.

One possible way to resolve this issue is to apply isakmp keepalive.

fb_webuser Fri, 10/28/2011 - 10:32

Hi,

What are the 2 devices that connect? I had an issue between a Cisco and a Checkpoint... some IOS bug. Also, are your packets traversing a NAT? Turn on IPsec debugging. The issue may be related to connectivity between the two sites. According to the log, the device was not able to identify the SPI (which is a unique identifier of an IPsec SA). When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one. Thus, when the device received the packet, the SPI didn't match.

One possible way to resolve this issue is to apply isakmp keepalive. With this command enabled, the device will keep polling the VPN peer at the time interval you configured with the command "isakmp keepalive".

Hope this helps.

---

Posted by WebUser Ionut Hristea
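One way to spot the stale-SA condition described above in syslog, as an added example that is not from this thread or from Cisco: it parses the two message types quoted in the question, groups them by remote peer, and flags peers that keep sending ESP with an SPI this side does not know while their IKE messages find no matching ISAKMP SA here. The sample lines are constructed with documentation addresses, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation addresses), in the
# format of the two messages quoted in the question.
SAMPLE_LOG = """\
Oct 27 10:41:03: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=198.51.100.7
Oct 27 10:41:05: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.7  has no SA and is not an initialization offer
Oct 27 10:41:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=198.51.100.7
Oct 27 10:41:12: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x1234ABCD(305441741), srcaddr=192.0.2.55
"""

# "spi=" only occurs once in the message, after "invalid spi for destaddr=..."
INV_SPI_RE = re.compile(
    r"RECVD_PKT_INV_SPI:.*?spi=(?P<spi>0x[0-9A-Fa-f]+).*?srcaddr=(?P<peer>\S+)")
NO_SA_RE = re.compile(r"IKMP_NO_SA: IKE message from (?P<peer>\S+)\s+has no SA")


def summarise_peers(log_text):
    """Group both message types by remote peer address.

    Returns {peer: {"invalid_spi": count, "spis": set of SPIs, "no_sa": count}}.
    """
    peers = defaultdict(lambda: {"invalid_spi": 0, "spis": set(), "no_sa": 0})
    for line in log_text.splitlines():
        m = INV_SPI_RE.search(line)
        if m:
            entry = peers[m.group("peer")]
            entry["invalid_spi"] += 1
            entry["spis"].add(m.group("spi").lower())
            continue
        m = NO_SA_RE.search(line)
        if m:
            peers[m.group("peer")]["no_sa"] += 1
    return dict(peers)


def stale_sa_peers(log_text, min_invalid_spi=2):
    """Peers that look like they kept an IPsec SA this side no longer has:
    an unknown SPI arrives repeatedly AND their IKE traffic has no ISAKMP SA
    here. These are the tunnels where DPD/keepalive or invalid-spi-recovery
    would let the two sides resynchronise. min_invalid_spi is an assumed
    threshold to ignore a single stray packet."""
    hits = [peer for peer, e in summarise_peers(log_text).items()
            if e["invalid_spi"] >= min_invalid_spi and e["no_sa"] > 0]
    return sorted(hits)


if __name__ == "__main__":
    for peer, entry in summarise_peers(SAMPLE_LOG).items():
        print(peer, entry)
    print("stale-SA suspects:", stale_sa_peers(SAMPLE_LOG))
```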


ranjit123 Mon, 10/31/2011 - 00:18

Dear Sandip,

You can also use the "crypto isakmp invalid-spi-recovery" command.

Regards,

Ranjit

This Discussion

Posted October 27, 2011 at 10:53 PM