
New Member

Invalid SPI error.

Hi,

I am getting the invalid SPI error.

I have enabled the command "crypto isakmp invalid-spi-recovery", but after that it is still giving the invalid SPI error.

Why is it so? Why is the command invalid-spi-recovery not recovering from the error?

002636: Oct 10 11:30:10.183 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=A.B.C.D, prot=50, spi=0xD6B88819(3602417689), srcaddr=W.X.Y.Z

After manually clearing the crypto session and crypto SA, the VPN is UP-ACTIVE and data traffic is OK between the VPN peers' LAN segments.

My IOS version is 12.4(5) ADVSEC-K9.
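Added example (not from the post or from Cisco): a small parser for the %CRYPTO-4-RECVD_PKT_INV_SPI message quoted above that groups events by (srcaddr, destaddr, spi) and flags a peer whose packets keep arriving on an SPI the router no longer knows, i.e. the stale-SA condition that the manual clear of the crypto SA fixed. The log lines are constructed, the addresses are the placeholders from the post, and the year used for timestamp parsing is assumed because IOS syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the message quoted in the post
# (placeholder addresses; SPIs are made up; one extra unrelated peer).
SAMPLE_LOG = """\
002636: Oct 10 11:30:10.183 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=A.B.C.D, prot=50, spi=0xD6B88819(3602417689), srcaddr=W.X.Y.Z
002637: Oct 10 11:30:40.201 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=A.B.C.D, prot=50, spi=0xD6B88819(3602417689), srcaddr=W.X.Y.Z
002638: Oct 10 11:31:10.455 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=A.B.C.D, prot=50, spi=0xD6B88819(3602417689), srcaddr=W.X.Y.Z
002639: Oct 10 11:31:12.001 : %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=A.B.C.D, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=E.F.G.H
"""

LINE_RE = re.compile(
    r"(?P<month>[A-Za-z]{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)(?:\.\d+)? : "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>\S+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>\S+)"
)

ASSUMED_YEAR = 2000  # IOS timestamps carry no year; any non-leap-sensitive value works here


def parse_invalid_spi(line):
    """Return the fields of one invalid-SPI message, or None if the line is something else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['month']} {int(m['day']):02d} {m['time']} {ASSUMED_YEAR}",
                           "%b %d %H:%M:%S %Y")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "prot": int(m["prot"]), "spi": int(m["spi"], 16)}


def stale_sa_candidates(log_text, min_hits=3, window_s=120):
    """Map (src, dst, spi) -> event count for tuples seen min_hits times within window_s seconds.

    A single invalid-SPI hit is normal right after a peer re-keys; the same
    unknown SPI repeating from one peer means that peer still believes in a
    tunnel this router has dropped, which is the case the post describes.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_invalid_spi(line)
        if ev:
            events[(ev["src"], ev["dst"], ev["spi"])].append(ev["ts"])
    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[key] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for (src, dst, spi), n in stale_sa_candidates(SAMPLE_LOG).items():
        print(f"peer {src} -> {dst}: {n} packets on unknown SPI {spi:#010x}; check SA lifetimes / clear crypto sa")
```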

7 REPLIES
New Member

Re: Invalid SPI error.

Have you enabled SPI recovery on both sides?

New Member

Re: Invalid SPI error.

No, the other end VPN device is not a Cisco device.

Does SPI recovery work only with Cisco VPN devices, or will it work with third-party VPN devices?

New Member

Re: Invalid SPI error.

Is the bug CSCsc44660 the same problem for me too?

New Member

Re: Invalid SPI error.

I don't think so.

If R1 lost the VPN connectivity, sometimes the other end will not realize that the tunnel was down. Then R1 will try to bring up the tunnel with a different SPI (that's normal), but R2 already has a tunnel with the old SPI for that peer and flags the log message that you have.

You may not be able to activate that kind of function on your non-Cisco device. But I don't know if there's another way to solve that on the Cisco device.

New Member

Re: Invalid SPI error.

The problem I am facing is at the Cisco ISR device. The other end VPN device (non-Cisco) tries to start the VPN sessions, but the Cisco VPN's old tunnel is there and it will not re-establish the connections.

The problem continues for so many hours and I have to manually re-establish the connection.

As per the Cisco document, the keepalive packets are sent every 10 seconds (30 sec for me) by default. Once three packets are missed, an IPSec termination point concludes that it has lost connectivity with its peer.

http://www.cisco.com/en/US/products/hw/routers/ps341/products_configuration_guide_chapter09186a0080518a6b.html#wp1035954

I have the below setup too:

crypto isakmp keepalive 30 periodic

crypto ipsec security-association lifetime seconds 86400

Why is this not happening?

New Member

Re: Invalid SPI error.

The IPSec SA (phase 2) has a 3600 second lifetime by default I think, and the ISAKMP (phase 1) has 86400. But some non-Cisco devices don't permit modifying these settings, so try to bring the Cisco phase 1 and 2 lifetimes to their default values, or modify the non-Cisco's lifetimes to those that your Cisco has.

New Member

Re: Invalid SPI error.

My end Cisco lifetime is the same as the other end non-Cisco's lifetime.
