The user receives an Invalid SPI size error message on the VPN Client

Document

Posted June 22, 2009 at 4:04 PM. Updated July 22, 2009 at 7:29 PM.

Core issue

The Cisco VPN Client logs an Invalid SPI size error message in its log file while it initiates an IPSec tunnel with the VPN Server.

The VPN Client receives this message only in these situations:

  • The remote VPN Server becomes inoperative.
  • One of the VPN devices is completely reset and loses its Internet Key Exchange (IKE) Security Association (SA) with the other peer.
  • The VPN Server is misconfigured (for example, in the NAT configuration, the IP address pool, or the VPN group name).

In general, when an IPSec peer receives a packet for which it cannot find a Security Association, it tries to send an IKE INVALID-SPI notification back to the peer that sent the packet (here, the VPN Client that initiated the tunnel). This notification is sent inside the IKE SA with that peer, so it can only be sent while an IKE SA exists. If there is no IKE SA, the VPN Server simply drops the packet and the VPN Client gets no indication of why its traffic is not answered.
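As an added illustration of the mechanism just described (example code written for this page, not code from the Cisco VPN Client, the VPN Server, or any Cisco product), the following Python script models the receiving side of an IPSec tunnel. It reads the SPI from a constructed ESP packet, looks it up in an inbound SA table, and, when the SPI is unknown, either sends an IKEv1 INVALID-SPI Notification payload (RFC 2408 Notification payload, Notify Message Type 11, IPSec DOI 1, Protocol-ID 3 for ESP, 4-byte SPI) if an IKE SA with the sender exists, or drops the packet if it does not. The peer address, SPI value and packet bytes are constructed for the example; the SPI Size check in parse_notify is this example's own application of the RFC field rules and is not a reproduction of the VPN Client's real validation, which the page does not show.

```python
import struct
from dataclasses import dataclass, field

# ISAKMP / IPSec DOI constants (RFC 2407, RFC 2408)
IPSEC_DOI = 1
PROTO_ISAKMP, PROTO_AH, PROTO_ESP = 1, 2, 3
NOTIFY_INVALID_SPI = 11
# SPI length the IPSec DOI expects for each protocol ID: 4 bytes for AH and ESP.
EXPECTED_SPI_SIZE = {PROTO_AH: 4, PROTO_ESP: 4}
# Notification payload header: next payload, reserved, length, DOI, protocol ID, SPI size, notify type
NOTIFY_HDR = "!BBHIBBH"


def parse_esp_header(packet: bytes):
    """Return (SPI, sequence number) from the 8-byte ESP header (RFC 2406)."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])


def build_invalid_spi_notify(spi: int, protocol_id: int = PROTO_ESP) -> bytes:
    """Encode an ISAKMP Notification payload carrying INVALID-SPI for the given SPI."""
    spi_bytes = struct.pack("!I", spi)
    length = struct.calcsize(NOTIFY_HDR) + len(spi_bytes)
    return struct.pack(NOTIFY_HDR, 0, 0, length, IPSEC_DOI, protocol_id,
                       len(spi_bytes), NOTIFY_INVALID_SPI) + spi_bytes


def parse_notify(payload: bytes) -> dict:
    """Decode a Notification payload on the receiving (client) side.

    The SPI Size check is this example's own reading of the RFC field rules,
    not the Cisco VPN Client's real validation, which the page does not show.
    """
    hdr_len = struct.calcsize(NOTIFY_HDR)
    if len(payload) < hdr_len:
        raise ValueError("truncated notification payload")
    _np, _rsv, length, doi, proto, spi_size, ntype = struct.unpack(NOTIFY_HDR, payload[:hdr_len])
    if length != len(payload):
        raise ValueError(f"payload length {length} does not match {len(payload)} bytes received")
    if doi != IPSEC_DOI:
        raise ValueError(f"unexpected DOI {doi}")
    if spi_size != EXPECTED_SPI_SIZE.get(proto):
        raise ValueError(f"Invalid SPI size {spi_size} for protocol {proto}")
    spi = int.from_bytes(payload[hdr_len:hdr_len + spi_size], "big")
    return {"protocol_id": proto, "notify_type": ntype, "spi": spi}


@dataclass
class IpsecPeer:
    """Minimal model of one IPSec endpoint: an inbound SA table and a set of IKE peers."""
    name: str
    inbound_sad: dict = field(default_factory=dict)   # SPI -> description of the IPSec SA
    ike_peers: set = field(default_factory=set)       # addresses with a live IKE SA
    sent_notifies: list = field(default_factory=list)

    def receive_esp(self, src: str, packet: bytes) -> str:
        spi, _seq = parse_esp_header(packet)
        if spi in self.inbound_sad:
            return "delivered"
        # Unknown SPI: notify the sender only if an IKE SA exists to carry the notification.
        if src in self.ike_peers:
            self.sent_notifies.append((src, build_invalid_spi_notify(spi)))
            return "notify-sent"
        return "dropped"   # no IKE SA, so the packet is silently discarded


def demo() -> dict:
    """Constructed scenarios (not captured traffic) covering the outcomes from the text."""
    client, spi = "10.0.0.2", 0xC0FFEE01                  # constructed client address and SPI
    esp = struct.pack("!II", spi, 1) + b"\x00" * 8        # constructed ESP packet: header plus dummy body
    results = {}
    # 1. Healthy tunnel: the server has the IPSec SA for this SPI.
    server = IpsecPeer("server", inbound_sad={spi: "client tunnel"}, ike_peers={client})
    results["known_spi"] = server.receive_esp(client, esp)
    # 2. The IPSec SA is gone but the IKE SA survives: the server sends INVALID-SPI.
    server.inbound_sad.clear()
    results["unknown_spi_with_ike"] = server.receive_esp(client, esp)
    results["client_decoded_spi"] = parse_notify(server.sent_notifies[-1][1])["spi"]
    # 3. The server was fully reset (no IPSec SA, no IKE SA): the packet is dropped silently.
    server = IpsecPeer("server")
    results["unknown_spi_no_ike"] = server.receive_esp(client, esp)
    # 4. A notification whose SPI Size field (byte offset 9) claims 16 bytes for an ESP SPI is rejected.
    bad = build_invalid_spi_notify(spi)
    bad = bad[:9] + bytes([16]) + bad[10:]
    try:
        parse_notify(bad)
        results["bad_spi_size"] = "accepted"
    except ValueError as err:
        results["bad_spi_size"] = str(err)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Running the script prints the four scenario outcomes. The third one, a server with neither an IPSec SA nor an IKE SA after a full reset, is the silent-drop case from the list above: the client keeps sending ESP traffic that is never answered, which is why a reset on either side is listed as a trigger for this error.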

Resolution

Check the configuration parameters on the VPN Server: the IPSec configuration (crypto maps and transform set), the IP address pool, and the NAT configuration.

If you use RSA certificates instead of preshared keys, set the ISAKMP identity to hostname instead of address (on Cisco IOS, crypto isakmp identity hostname).

If the VPN Server is a PIX Firewall, make sure that you have issued the sysopt connection permit-ipsec command on the PIX (sysopt connection permit-vpn on PIX/ASA 7.x and later) so that IPSec traffic is not blocked by the interface access lists. Ensure that NAT Traversal (NAT-T) is enabled if there is any NAT/PAT device between the VPN Client and the VPN Server.

If the problem persists, create a new VPN group with the same attributes on the VPN Server and try to connect again with the VPN Client.
