IPSec tunnel No IKE

Sandip Barot
Level 1

Hi

I have the following issue: the IPsec tunnel fluctuates between UP-ACTIVE and UP-NO-IKE status, and the VPN drops.

In the logs I see the following:

RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2xx.xx.x.x, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=1x.x.x.x

%CRYPTO-4-IKMP_NO_SA: IKE message from 1xx.xx.xx.xx  has no SA and is not an initialization offer

Below is the output of sh crypto isakmp sa:

dst             src             state          conn-id slot status

1.x.x.x     2.x.x.x   QM_IDLE             19    0 ACTIVE     

The status above changes as below after a few moments.

UAT-PEER#sh crypto isakmp sa

dst             src             state          conn-id slot status

1.x.x.x     2.x.x.x   MM_NO_STATE         19    0 ACTIVE (deleted)

I can ping the peer outside the VPN fine.

Can anyone please help me understand what could be causing the above?

Regards,

Sandip

Accepted Solution

Ionut.Hristea
Level 1

When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. For an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one.

One possible way to resolve this issue is to apply ISAKMP keepalive.


6 Replies

Eugene Khabarov
Level 7

Can you please paste your configuration from both sides?

Hi Hristea,

Thanks. It was indeed a strange connectivity issue.

Though I could do a traceroute and ping from the firewall without any drops, it showed drops when I pinged from the VPN.

Pinging each IP in the route individually gave the IP which was causing the issue, and rerouting to the path through the ISP resolved it.

Thanks

Sandip


fb_webuser
Level 6

Hi,

What are the two devices that connect? I had an issue between a Cisco and a Check Point... some IOS bug. Also, are your packets traversing a NAT? Turn on IPsec debugging.

The issue may be related to connectivity between the two sites. According to the log, the device was not able to identify the SPI (which is the unique identifier of an IPsec SA). When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. For an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one. Thus, when the device received the packet, the SPI didn't match.

One possible way to resolve this issue is to apply ISAKMP keepalive. With this command enabled, the device will keep polling the VPN peer at the time interval you configured with the command "isakmp keepalive".

Hope this helps

---

Posted by WebUser Ionut Hristea


Dear Sandip,

You can also use the "crypto isakmp invalid-spi-recovery" command.

Regards,

Ranjit
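Putting the thread together: the accepted answer explains the symptom (one side rebuilt its SAs and now uses a new SPI, the other side kept the old one, so the old side logs RECVD_PKT_INV_SPI for the peer's ESP and IKMP_NO_SA for its IKE messages), and the replies suggest "crypto isakmp keepalive" (DPD) and "crypto isakmp invalid-spi-recovery" as mitigations. The Python below is an added example written for this page, not code from any poster and not a Cisco tool. It parses the two syslog messages quoted in the question, flags a peer that shows both symptoms, and checks an IOS running-config for the two commands. All addresses, timestamps and the configuration fragment are constructed sample data (RFC 5737 ranges); the "min_inv_spi" noise threshold is my own choice, not an IOS setting.

```python
"""Correlate the IOS syslog messages quoted in the question and audit an IOS
crypto config for the two mitigations suggested in the replies.

Added example for this thread, not code from any poster or from Cisco.  All
addresses, timestamps and the sample config are constructed (RFC 5737 ranges).
"""
import re
from collections import defaultdict

# Message bodies as IOS prints them.  The "%CRYPTO-4-" prefix is not required
# because the question quotes the RECVD_PKT_INV_SPI line without it.
INV_SPI_RE = re.compile(
    r"RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[\w.:]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\w.:]+)"
)
NO_SA_RE = re.compile(
    r"IKMP_NO_SA: IKE message from (?P<src>[\w.:]+)\s+has no SA "
    r"and is not an initialization offer"
)

# Constructed sample log: peer 198.51.100.2 keeps sending ESP with SPIs this
# side no longer has and also sends IKE for which no ISAKMP SA exists;
# 203.0.113.7 sends one stray packet; the last line is unrelated noise.
SAMPLE_LOG = [
    "Mar  1 10:00:01.123: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x80AA1F1E(2158632734), "
    "srcaddr=198.51.100.2",
    "Mar  1 10:00:02.456: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.2  "
    "has no SA and is not an initialization offer",
    "Mar  1 10:00:03.789: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x80AA1F1E(2158632734), "
    "srcaddr=198.51.100.2",
    "Mar  1 10:00:04.001: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x3C2A9B10(1009425168), "
    "srcaddr=198.51.100.2",
    "Mar  1 10:00:05.222: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet "
    "has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x11112222(286335522), "
    "srcaddr=203.0.113.7",
    "Mar  1 10:00:06.000: %SYS-5-CONFIG_I: Configured from console by admin",
]


def parse_syslog(lines):
    """Return (kind, peer, spi) tuples; spi is None for IKMP_NO_SA events."""
    events = []
    for line in lines:
        m = INV_SPI_RE.search(line)
        if m:
            events.append(("INV_SPI", m["src"], int(m["spi"], 16)))
            continue
        m = NO_SA_RE.search(line)
        if m:
            events.append(("NO_SA", m["src"], None))
    return events


def find_spi_desync(events, min_inv_spi=2):
    """Per peer: how many ESP packets arrived with an unknown SPI, which SPIs,
    whether IKE messages with no matching ISAKMP SA were also seen, and a
    'desync' verdict.  The verdict models the accepted answer: one side has
    rebuilt its SAs (new SPI) while the other still uses the old ones, so the
    stale side sees both symptoms from the same peer.  min_inv_spi is a noise
    filter chosen for this example, not an IOS value."""
    inv = defaultdict(list)
    no_sa = set()
    for kind, peer, spi in events:
        if kind == "INV_SPI":
            inv[peer].append(spi)
        else:
            no_sa.add(peer)
    findings = {}
    for peer in set(inv) | no_sa:
        spis = inv.get(peer, [])
        findings[peer] = {
            "inv_spi_count": len(spis),
            "invalid_spis": sorted(set(spis)),
            "ike_no_sa": peer in no_sa,
            "desync": len(spis) >= min_inv_spi and peer in no_sa,
        }
    return findings


# Constructed IOS config fragment: DPD is on, invalid-SPI recovery is missing.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REDACTED address 198.51.100.2
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address 101
"""

MITIGATIONS = {
    "crypto isakmp keepalive":
        "DPD: detect a dead peer and tear down its SAs so a fresh IKE/IPsec "
        "negotiation replaces them instead of one side keeping stale SAs",
    "crypto isakmp invalid-spi-recovery":
        "on an invalid-SPI packet, notify the peer over IKE so the two SA "
        "databases resynchronise instead of silently dropping traffic",
}


def audit_isakmp_config(config_text):
    """Return {command: reason} for the mitigations absent from a config."""
    present = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        for cmd in MITIGATIONS:
            if line.startswith(cmd):
                present.add(cmd)
    return {cmd: why for cmd, why in MITIGATIONS.items() if cmd not in present}


if __name__ == "__main__":
    for peer, f in sorted(find_spi_desync(parse_syslog(SAMPLE_LOG)).items()):
        print(peer, "DESYNC" if f["desync"] else "ok", f)
    for cmd, why in audit_isakmp_config(SAMPLE_CONFIG).items():
        print("missing:", cmd, "-", why)
```

Feed it the output of "show logging" and "show running-config" from the side that logs the invalid SPIs. Two caveats a practitioner will want: DPD only protects the side it is configured on, so configure the keepalive on both peers, and an invalid-SPI burst from an address that is not one of your configured peers is not a desync but unsolicited (possibly replayed or spoofed) ESP, which is why the findings are keyed by source address rather than summed across the box.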
