The user receives an Invalid SPI size error message on the VPN Client

Document

Jun 22, 2009 4:04 PM
Jun 22nd, 2009

Core issue

The Cisco VPN Client receives the Invalid SPI size error message in its log file while  initiating an IPSec tunnel with the VPN Server.

The message is sent to the VPN Client only in these instances:

  • The remote VPN Server becomes inoperative.
  • One of the VPN devices is completely reset, and it loses its Internet Key Exchange (IKE) Security Association (SA) with the other peer.
  • Misconfiguration in the VPN Server (misconfiguration in defining the NAT, IP address pool and the VPN group name).

Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an  IKE INVALID SPI NOTIFY message to the VPN device which initiated the VPN. This notification is sent  using the IKE SA. If there is no IKE SA available, the VPN Server drops the packet.

Resolution

Check VPN Client configuration parameters, such as IPSec configuration (crypto maps and transform set),  IP address pool configuration and the NAT configuration on the VPN Server.

If you use RSA certificates instead of preshared keys, select ISAKMP Identity Hostname instead  of ISAKMP Identity address.

If the VPN Server is a PIX Firewall, make sure that you have issued the sysopt connection command on the PIX. Ensure that you have enabled NAT-T if there is any NAT/PAT device in between the VPN Client and VPN Server.

If the problem persists, create a new VPN group with the same attributes in the VPN Server, and try  to connect using the VPN Client.

Average Rating: 0 (0 ratings)

Actions

Login or Register to take actions

This Document

Posted June 22, 2009 at 4:04 PM
Stats:
Comments:0 Avg. Rating:0
Views:11618 Contributors:0
Shares:0

Related Content

Documents Leaderboard

Rank Username Points
1 65
2 56
3 55
4 30
5 24
Rank Username Points
5