IPSec tunnel No IKE

Answered Question
Oct 27th, 2011

Hi


I have the following: the IPSec tunnel is fluctuating between the statuses UP-Active and UP-NO-IKE, and the VPN drops.


In the logs I see following :


RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2xx.xx.x.x, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=1x.x.x.x

%CRYPTO-4-IKMP_NO_SA: IKE message from 1xx.xx.xx.xx  has no SA and is not an initialization offer


Below is the output of sh crypto isakmp sa

dst             src             state          conn-id slot status

1.x.x.x     2.x.x.x   QM_IDLE             19    0 ACTIVE


The status above changes as below after a few moments.

UAT-PEER#sh crypto isakmp sa

dst             src             state          conn-id slot status

1.x.x.x     2.x.x.x   MM_NO_STATE         19    0 ACTIVE (deleted)


I could ping the peer outside VPN fine.


Can anyone please help me to understand what could be causing the above?



regards,

Sandip


Eugene Khabarov Fri, 10/28/2011 - 00:36

Can you please paste your configuration from both sides.

sandipbarot.aus Sun, 10/30/2011 - 16:05

Hi Hristea,


Thanks, it was indeed a strange connectivity issue.


Though I could do traceroute and ping from firewall without any drop, it was showing drop when I did ping from VPN.


Pinging each IP individually along the route gave the IP which was causing the issue, and rerouting to the path through the ISP resolved the issue.


Thanks

Sandip

Correct Answer
Ionut.Hristea Fri, 10/28/2011 - 02:02

when the two devices completed establishing a lan-lan vpn, and the spi is 100. due to an unknown reason (such as connectivity), one of the devices decided to drop the vpn, and started to create a new one (a new ipsec sa means a new spi); whereas the other one wasn't aware of the issue and kept the old one

one possible way to resolve this issue is to apply isakmp keepalive.

fb_webuser Fri, 10/28/2011 - 10:32

Hi,

What are the 2 devices that connect? I had an issue between a Cisco and a Checkpoint...some IOS bug. Also, are your packets traversing a NAT? Turn on ipsec debugging. The issue may be related to connectivity between the two sites. According to the log, the device was not able to identify the SPI (which is a unique identifier of an IPsec SA). When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one. Thus, when the device received the packet, the SPI didn't match.

One possible way to resolve this issue is to apply isakmp keepalive. With this command enabled, the device will keep polling the VPN peer at the time interval you configured with the command "isakmp keepalive".

Hope this helps



---

Posted by WebUser Ionut Hristea
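To make the failure mode described in this answer (and in the accepted answer above) concrete, here is a small Python model of two IPsec peers. It is an added illustration written for this page, not code from the thread or from Cisco; the peer behaviour, SPI values and the way keepalives and invalid-SPI recovery are modelled are simplified assumptions. Peer A loses its SAs (reload, clear crypto, a connectivity blip), peer B keeps sending ESP with the old SPI, and A logs RECVD_PKT_INV_SPI for every packet. With a keepalive (DPD) configured on B, B notices that A no longer answers under the old ISAKMP SA, tears down its stale SAs after a retry threshold and renegotiates; with invalid-SPI recovery on A, A reacts to the very first bad packet by bringing up IKE and telling B to delete the stale SA.

```python
"""Toy model of an IPsec SA desynchronisation (constructed example, not real IOS code)."""
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional, Set, Tuple


@dataclass
class Peer:
    name: str
    isakmp_peer: Optional[str] = None            # peer we hold a live ISAKMP (IKE) SA with
    inbound_spis: Set[int] = field(default_factory=set)   # SPIs accepted on decapsulation
    outbound_spi: Optional[int] = None           # SPI stamped on ESP packets we send
    log: List[str] = field(default_factory=list)  # syslog-style messages this peer emits


def establish(a: Peer, b: Peer, spi_a_in: int, spi_b_in: int) -> None:
    """Negotiate an ISAKMP SA plus one IPsec SA per direction; each direction has its own SPI."""
    a.isakmp_peer, b.isakmp_peer = b.name, a.name
    a.inbound_spis.add(spi_a_in)
    b.outbound_spi = spi_a_in
    b.inbound_spis.add(spi_b_in)
    a.outbound_spi = spi_b_in


def lose_state(p: Peer) -> None:
    """One side drops all SAs (reload / clear crypto); the other side is NOT informed."""
    p.isakmp_peer = None
    p.inbound_spis.clear()
    p.outbound_spi = None


def send_esp(src: Peer, dst: Peer) -> str:
    """Decapsulation at dst: the SPI in the ESP header must match an inbound SA it holds."""
    spi = src.outbound_spi
    if spi is not None and spi in dst.inbound_spis:
        return "ok"
    dst.log.append(f"RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
                   f"spi=0x{spi:08X}({spi}), srcaddr={src.name}")
    return "invalid-spi"


def dpd_probe(src: Peer, dst: Peer) -> bool:
    """R-U-THERE sent under the ISAKMP SA; dst can only answer if it still holds that SA."""
    return dst.isakmp_peer == src.name


def run(mode: str, packets: int = 6, dpd_retries: int = 3) -> Tuple[List[str], int]:
    """Replay the scenario. mode is 'none', 'keepalive' (DPD on B) or 'invalid-spi-recovery' (on A).

    Returns the per-packet decapsulation result at A and how many invalid-SPI messages A logged.
    Simplification: a DPD probe is sent after every data packet instead of on a timer.
    """
    spis = count(0x80AA1F1E)          # constructed: starts at the SPI value seen in the thread's log
    a, b = Peer("A"), Peer("B")
    establish(a, b, next(spis), next(spis))
    lose_state(a)                     # A drops the VPN; B still holds the old SAs and old SPI
    results: List[str] = []
    missed = 0
    for _ in range(packets):
        result = send_esp(b, a)
        results.append(result)
        if mode == "invalid-spi-recovery" and result == "invalid-spi":
            # A brings up IKE with B and sends a DELETE for the stale SA; B renegotiates at once.
            lose_state(b)
            establish(a, b, next(spis), next(spis))
        elif mode == "keepalive":
            missed = 0 if dpd_probe(b, a) else missed + 1
            if missed >= dpd_retries:
                # DPD declares A dead: B tears down its stale SAs and renegotiates.
                lose_state(b)
                establish(a, b, next(spis), next(spis))
                missed = 0
    return results, len(a.log)


if __name__ == "__main__":
    for mode in ("none", "keepalive", "invalid-spi-recovery"):
        outcome, bad = run(mode)
        print(f"{mode:>22}: {outcome}  invalid-SPI messages at A: {bad}")
```

Without any liveness mechanism B never learns that A restarted, so every packet it sends is dropped at A with an invalid-SPI message, which is exactly the log line in the question. A keepalive bounds the outage to the retry window; invalid-SPI recovery lets the receiving side repair it from the first bad packet. Both are modelled here as simple state changes; on a real router the actual timers and retry counts come from the isakmp keepalive configuration.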


ranjit123 Mon, 10/31/2011 - 00:18

Dear Sandip,


You can also use the "crypto isakmp invalid-spi-recovery" command.


Regards,

Ranjit
