Re: %CRYPTO-4-RECVD_PKT_INV_SPI:

MICHAEL RUCKER · ‎03-20-2007

Hello,

we use two Routers with Site-To-Site VPN.One site with static ip the other site with dynamic ip.Sometimes we get an error-message on the router.

The error-message is:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xAA221071(2854359153), srcaddr=x.x.x.x.

At this time no traffic goes through the tunnel.

We use IOS 12.4.9 T1

Any idea for this problem.

puagarwa · ‎03-20-2007

this message is due to the fact that one side is holding the IPSec SA and the other side does not have similar IPSec SA's, so definitely traffic will not pass.

You should make sure that the lifetimes for both phase 1 and phase 2 are exactly the same on both the sides.

Also the following command should us, put it in global configuration mode on both the routers:

crypto isakmp invalid-spi-recovery

MICHAEL RUCKER · ‎03-20-2007

Thank you puagarwa for answering.

The lifetimes for both phase are the same,and I have already configured

crypto isakmp invalid-spi-recovery

any other ideas ?

So_cedsif · ‎05-03-2018

hi

i'm having the same problem in a router 1941.

I have put the 2 commands bellow but still , the tunnel is established but no traffic is passing from one router to another.

Note that the same configurations works in a router 4431 but not in 1941.

1941 IOS Version

C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)

commands added:

crypto isakmp invalid-spi-recovery
crypto ipsec security-association lifetime seconsd 3600

error:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xD4E5DE4B(3571834443), srcaddr=x.x.x.x., input interface=GigabitEthernet0/0

does anyone knows how to resolve this issue ?

regards,

Mauro