Cisco Support Community
New Member

Cisco 2621 to VPN Concentrator : Error messages

Hello,

Currently we have a LAN-to-LAN VPN connection between Cisco 2621s at remote sites and a 3030 concentrator at a central location. Recently, I have been noticing the following errors on one of the remote routers:

CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed, connection id=7742

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer

I continue to see the errors regardless of using pre-shared keys or certificates for authentication but the router performance seems normal and has not yet been affected.

Thanks for the help.

2 REPLIES
New Member

Re: Cisco 2621 to VPN Concentrator : Error messages

From the error message, it looks like the isakmp keepalive between the VPN 3000 and the 2621 is not good.

One side has cleared the isakmp SA, but the other end still uses the old SA; this is the reason for "invalid spi".

What is the IOS version you are running on that 2621 router?

In 12.1.5T8 and above or 12.2.6c and above code, it should normally be fine.

Or please put in the following command to turn on the isakmp keepalive manually.

"crypto isakmp keepalive 10 5" on the 2621

On the VPN 3000, isakmp keepalive is on automatically; no need to configure it.

Best Regards,
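
Added example, not part of the thread: a small Python triage script that counts the `%CRYPTO` messages quoted in the question and flags peers that repeatedly send on an SPI the router no longer holds, the condition the reply above attributes to one side having cleared its SA. The sample log lines are constructed, and the field layout after `destaddr` and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the messages quoted in the thread.
# Addresses are documentation ranges; the fields after "destaddr" are an assumption.
SAMPLE_LOG = """\
Mar  1 10:00:01: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed, connection id=7742
Mar  1 10:00:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D, srcaddr=198.51.100.7
Mar  1 10:00:06: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D, srcaddr=198.51.100.7
Mar  1 10:00:07: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 198.51.100.7
Mar  1 10:00:09: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

MNEMONIC = re.compile(r"%CRYPTO-(\d)-([A-Z_]+):\s*(.*)")
FIELD = re.compile(r"(srcaddr|spi|connection id)=([^\s,]+)")

def parse_line(line):
    """Return (mnemonic, fields) for a %CRYPTO message, or None for anything else."""
    m = MNEMONIC.search(line)
    if not m:
        return None
    return m.group(2), dict(FIELD.findall(m.group(3)))

def triage(log_text, inv_spi_threshold=2):
    """Count crypto events and flag peers that keep sending on an unknown SPI."""
    counts, stale = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        mnemonic, fields = parsed
        counts[mnemonic] += 1
        if mnemonic == "RECVD_PKT_INV_SPI":
            stale[(fields.get("srcaddr", "?"), fields.get("spi", "?"))] += 1
    # Repeated hits on one (peer, SPI) pair fit the reply's diagnosis: the peer
    # still uses an SA that this router has already cleared.
    suspects = sorted(k for k, n in stale.items() if n >= inv_spi_threshold)
    return {"counts": dict(counts), "stale_sa_suspects": suspects}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["counts"])
    for peer, spi in report["stale_sa_suspects"]:
        print(f"peer {peer} keeps using SPI {spi}: check 'crypto isakmp keepalive' on both ends")
```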

New Member

Re: Cisco 2621 to VPN Concentrator : Error messages

Currently, the IOS version is 12.2(1)a. Has any bug been found in regard to this, or would you recommend an upgrade to 12.2(6) or above?

Thanks.
