03-20-2007 04:45 PM - edited 03-09-2019 05:38 PM
Hello,
We use two routers with Site-to-Site VPN. One site has a static IP, the other site has a dynamic IP. Sometimes we get an error message on the router.
The error message is:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xAA221071(2854359153), srcaddr=x.x.x.x.
At this time no traffic goes through the tunnel.
We use IOS 12.4.9 T1.
Any idea for this problem?
03-20-2007 05:12 PM
This message is due to the fact that one side is holding the IPSec SA and the other side does not have similar IPSec SAs, so traffic will definitely not pass.
You should make sure that the lifetimes for both phase 1 and phase 2 are exactly the same on both sides.
Also, the following command should be used; put it in global configuration mode on both routers:
crypto isakmp invalid-spi-recovery
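The SA mismatch described in the reply above can be confirmed from syslog. This is an added example, not code from any poster or from Cisco: it parses the `%CRYPTO-4-RECVD_PKT_INV_SPI` format quoted in this thread and reports peers that keep sending ESP on an SPI the local router no longer holds. The addresses, the local SPI set and the `threshold` parameter are constructed assumptions.

```python
import re
from collections import Counter

# Message format as quoted in this thread; "input interface=" is optional
# because only the second log excerpt carries it.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>\d+(?:\.\d+){3}), "
    r"prot=(?P<prot>\d+), spi=0x(?P<hex>[0-9A-Fa-f]+)\((?P<dec>\d+)\), "
    r"srcaddr=(?P<src>\d+(?:\.\d+){3})"
)

def parse_invalid_spi(line):
    """Return the fields of one invalid-SPI message, or None if not a match."""
    m = INV_SPI.search(line)
    if not m:
        return None
    spi = int(m["hex"], 16)
    if spi != int(m["dec"]):  # hex and decimal must agree, else the line is damaged
        return None
    return {"src": m["src"], "dst": m["dst"], "prot": int(m["prot"]), "spi": spi}

def stale_sa_peers(lines, local_inbound_spis, threshold=3):
    """Count ESP (prot 50) packets per (peer, SPI) whose SPI has no local inbound SA."""
    hits = Counter()
    for line in lines:
        ev = parse_invalid_spi(line)
        if ev and ev["prot"] == 50 and ev["spi"] not in local_inbound_spis:
            hits[(ev["src"], f"0x{ev['spi']:08X}")] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample: documentation addresses, SPI values taken from the thread.
MSG = ("%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
       "for destaddr=192.0.2.1, prot=50, ")
SAMPLE = [
    MSG + "spi=0xAA221071(2854359153), srcaddr=198.51.100.7.",
    MSG + "spi=0xAA221071(2854359153), srcaddr=198.51.100.7.",
    MSG + "spi=0xAA221071(2854359153), srcaddr=198.51.100.7.",
    MSG + "spi=0xD4E5DE4B(3571834443), srcaddr=203.0.113.9., input interface=GigabitEthernet0/0",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up",
]
LOCAL_INBOUND_SPIS = {0x1B2C3D4E}  # constructed; the inbound SPIs this router holds

if __name__ == "__main__":
    for (peer, spi), n in stale_sa_peers(SAMPLE, LOCAL_INBOUND_SPIS).items():
        print(f"{peer} sent {n} packets on unknown SPI {spi}: SAs out of sync")
```

A peer that stays above the threshold after a rekey interval is still encrypting to an SA this router has dropped, which matches the symptom of an established tunnel that passes no traffic.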
03-20-2007 11:45 PM
Thank you puagarwa for answering.
The lifetimes for both phases are the same, and I have already configured
crypto isakmp invalid-spi-recovery
Any other ideas?
05-03-2018 07:57 AM - edited 05-03-2018 08:13 AM
Hi,
I'm having the same problem on a 1941 router.
I have added the 2 commands below, but still, the tunnel is established but no traffic is passing from one router to another.
Note that the same configuration works on a 4431 router but not on the 1941.
1941 IOS Version
C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M6, RELEASE SOFTWARE (fc2)
commands added:
crypto isakmp invalid-spi-recovery
crypto ipsec security-association lifetime seconds 3600
error:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xD4E5DE4B(3571834443), srcaddr=x.x.x.x., input interface=GigabitEthernet0/0
Does anyone know how to resolve this issue?
Regards,
Mauro