Cisco Support Community
Invalid Error Message

What is the impact of negating the below? We still want to set up SSH. Will this be affected if we negate the command below? Thanks.

"crypto isakmp invalid-spi-recovery "

We keep receiving

Oct 26 10:47:25.912: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=a.a.a.a, prot=50, spi=0x25DE553A(635327802), srcaddr=b.b.b.b


Re: Invalid Error Message

Adetutu

Your message talks about SSH but the error message is about IPSec (protocol 50 is ESP which is part of IPSec). So I am not sure that I really understand your question.

IPSec is one thing and SSH is another thing. I do not see a way in which an error in IPSec would impact doing SSH. If this is not an adequate answer then perhaps you can clarify the question.

HTH

Rick


Re: Invalid Error Message

Thanks Rick

Thanks for clearing that up.

So why would we be getting these messages on our C6509? It comes up every day.


Re: Invalid Error Message

Adetutu

The error message indicates that your 6509 received an IPSec message:

Oct 26 10:47:25.912: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=a.a.a.a, prot=50, spi=0x25DE553A(635327802), srcaddr=b.b.b.b

What to do depends a little on knowing some additional things about your environment. Is your 6509 configured for IPSec (does it have crypto maps, etc)? Is b.b.b.b configured as a peer?

The message would seem to indicate that b.b.b.b is an IPSec peer of your 6509 and that it had negotiated a Security Association with the 6509, and that b.b.b.b believes that the Security Association is still valid (and is using it) but the 6509 believes that that particular Security Association is no longer valid. You could investigate this by doing show crypto ipsec sa and look for negotiated SAs with b.b.b.b and check the index value.

HTH

Rick


Re: Invalid Error Message

Thank you so much, Rick. Now I am beginning to understand. No, we have not set up an IPSEC peer with any device.

But as we are running Cisco IOS 12.2(18)SXF4, will this be a problem?

Is it on by default?

Do I need to negate it to stop these error messages?

Is negating it the right thing to do, such as

'no crypto isakmp invalid-spi-recovery'?

What is the effect of negating it?

Thanks for your help.

Re: Invalid Error Message

Below is the explanation for the message you are getting.

CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([dec])

An IPSec packet was received that specified an SPI that does not exist in the SADB. This may be a temporary condition because of slight differences in aging of SAs between the IPSec peers, or this condition might be caused by local SAs that have been cleared. This condition may also be caused by bogus packets that were sent by the IPSec peer. Some might consider this a hostile event.

Let's take an example to illustrate this point.

Assume that routerA has built up a tunnel with routerB. Now, if routerB momentarily detects that it is unable to reach routerA, it will delete the IPSEC SA, but routerA may still be holding the old SA. As routerA still has the SA, it will try to send the traffic to routerB assuming that routerB still has the SA. When routerB receives these packets from routerA, it will not be able to find the corresponding SA (no SPI). So, it will throw this message.

Usually the router takes care of the problem on its own. But sometimes it gets stuck, and to unstick the SA you just need to clear the SA for phase I and II with the following commands:

! Find out the isakmp sa connection ID with the following command
show crypto isakmp sa | include peer_ip

! Clear the specific SA with the following command
router#clear crypto isakmp ?
  <0 - 32766>  connection id of SA
router#

Then clear the SA for IPSEC with the SPI number that you see in the log with the following command:

router#clear crypto sa ?
  counters  Reset the SA counters
  map       Clear all SAs for a given crypto map
  peer      Clear all SAs for a given crypto peer
  spi       Clear SA by SPI

Hope this helps you.

Thanks,

satish
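The triage that both replies above describe (match the srcaddr and SPI from the log against the router's SA table, then either clear the stale SA or treat the packet as unsolicited) can be scripted over the syslog feed. The following is an added example, not code from the original thread or from Cisco. The log lines and the "show crypto isakmp sa" output it parses are constructed samples with documentation addresses, the helper names are ours, and the clear-command strings it emits follow the "clear crypto isakmp <conn-id>" and "clear crypto sa spi <dst> <esp|ah> <spi>" forms shown in the reply, which you should confirm with "?" on your own IOS release before running. For the original poster's situation, where no IPsec peer is configured at all, every event lands in the "unknown" bucket, which is the case the Cisco explanation calls possibly hostile.

```python
"""Triage %CRYPTO-4-RECVD_PKT_INV_SPI messages against the ISAKMP SA table.

Added example, not part of the original thread. Sample log lines and
"show crypto isakmp sa" output are constructed; the clear-command syntax
is an assumption to be verified with "?" on the router.
"""
import re
from collections import OrderedDict

PROTO_NAMES = {50: "esp", 51: "ah"}  # IP protocol numbers carried in prot=

# Constructed syslog lines: one configured peer (198.51.100.7) with a stale SA,
# and one source (203.0.113.9) that has no SA with this router at all.
SAMPLE_LOG = """\
Oct 26 10:47:25.912: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x25DE553A(635327802), srcaddr=198.51.100.7
Oct 26 10:47:26.102: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x25DE553A(635327802), srcaddr=198.51.100.7
Oct 26 10:49:01.500: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x0000ABCD(43981), srcaddr=203.0.113.9
"""

# Constructed "show crypto isakmp sa" output: dst is the local address, src the peer.
SAMPLE_ISAKMP_SA = """\
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.7    QM_IDLE           1001    0 ACTIVE
"""

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi_hex>0x[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+)"
)

# One data row of "show crypto isakmp sa": dst src state conn-id ...
ISAKMP_ROW_RE = re.compile(
    r"^(?P<dst>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<state>\S+)\s+(?P<conn_id>\d+)\b", re.M
)


def parse_inv_spi_events(log_text):
    """Return one dict per RECVD_PKT_INV_SPI line; hex and decimal SPI must agree."""
    events = []
    for m in INV_SPI_RE.finditer(log_text):
        spi_hex, spi_dec = m.group("spi_hex"), int(m.group("spi_dec"))
        if int(spi_hex, 16) != spi_dec:
            raise ValueError("SPI hex/decimal mismatch in log line: %s" % m.group(0))
        events.append({
            "src": m.group("src"),
            "dst": m.group("dst"),
            "prot": int(m.group("prot")),
            "spi_hex": spi_hex,
        })
    return events


def parse_isakmp_peers(show_output):
    """Map peer address -> ISAKMP connection id from 'show crypto isakmp sa' output."""
    return {m.group("src"): int(m.group("conn_id"))
            for m in ISAKMP_ROW_RE.finditer(show_output)}


def triage(events, peers):
    """Group events by (src, dst, prot, spi) and split configured peers from unknown sources."""
    groups = OrderedDict()
    for e in events:
        key = (e["src"], e["dst"], e["prot"], e["spi_hex"])
        groups[key] = groups.get(key, 0) + 1
    report = {"known": [], "unknown": []}
    for (src, dst, prot, spi_hex), count in groups.items():
        entry = {"src": src, "dst": dst, "prot": prot, "spi_hex": spi_hex, "count": count}
        if src in peers:
            # Stale SA with a real peer: the phase I / phase II clear from the reply.
            conn_id = peers[src]
            proto = PROTO_NAMES.get(prot, str(prot))
            entry["conn_id"] = conn_id
            # Assumed IOS syntax; verify with "clear crypto sa spi ?" before running.
            entry["clear_commands"] = [
                "clear crypto isakmp %d" % conn_id,
                "clear crypto sa spi %s %s %s" % (dst, proto, spi_hex),
            ]
            report["known"].append(entry)
        else:
            # No ISAKMP SA with this source: unsolicited ESP, nothing to clear.
            entry["note"] = "no ISAKMP SA with this source; unsolicited ESP, treat as suspicious"
            report["unknown"].append(entry)
    return report


if __name__ == "__main__":
    rep = triage(parse_inv_spi_events(SAMPLE_LOG), parse_isakmp_peers(SAMPLE_ISAKMP_SA))
    for k in rep["known"]:
        print("stale SA with peer %s (x%d): %s" % (k["src"], k["count"], "; ".join(k["clear_commands"])))
    for u in rep["unknown"]:
        print("unknown source %s -> %s spi=%s (x%d): %s"
              % (u["src"], u["dst"], u["spi_hex"], u["count"], u["note"]))
```

Feed it the real syslog stream and the real "show crypto isakmp sa" output instead of the constructed samples; the hex/decimal consistency check catches a truncated or mangled log line before you act on its SPI, and sources that show up only in the "unknown" bucket every day, with no SA on the box, are the ones worth taking to the firewall team rather than clearing anything.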
