I get these 402101 errors every few days. The duration of the messages getting logged is about 10 minutes. When this occurs, one of my remote sites that is connected to this firewall via the VPN (Another PIX) "loses" connectivity to this site where the errors are logged.
Is there any more information I can "glean" from these errors? Any ideas why this error occurs?
%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=dest_address, prot=protocol, spi=number
Received IPSec packet specifies a Security Parameters Index (SPI) that does not exist in SADB. This may be a temporary condition due to slight differences in aging of SAs between the IPSec peers, or it may be because the local SAs have been cleared. It may also be because of incorrect packets sent by the IPSec peer. This may also be an attack.
The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully.
Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new
This syslog message indicates that 1) your tunnel is probably not working (as I am sure you saw), and 2) that the SPI values (the unique IDs that IPSec tunnels use to identify themselves) have become mismatched. SPI values change each time a tunnel re-keys, which is a configurable interval. You are probably going to need to take a look at debugs on both devices before and when the issue is occurring to figure anything out. Basically, the syslog entry gives you an idea that something is wrong but doesn't indicate what the issue may be. Hope this helps some.
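The reply above points out that the syslog entry only tells you something is wrong, not what. One thing that can be squeezed out of the log itself is the shape of the event: how long each run of 402101 messages lasts per peer, and whether the rejected SPI stays the same for the whole run (the peer is still sending on an SA this side no longer has, the "local SAs have been cleared" case in the message description) or keeps changing (closer to the "incorrect packets" case). The script below is an added example written for this thread, not a Cisco tool and not code posted by anyone in the discussion. It assumes standard syslog timestamps without a year in front of the message text, and the log lines it parses are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread): a syslog host prefix followed by
# the %PIX-4-402101 text in the format quoted in the discussion.
SAMPLE_LOG = """\
Mar 03 02:10:05 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=ESP, spi=0x2A7F11C3
Mar 03 02:10:06 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=ESP, spi=0x2A7F11C3
Mar 03 02:13:40 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=ESP, spi=0x2A7F11C3
Mar 03 02:19:02 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=ESP, spi=0x2A7F11C3
Mar 03 09:45:12 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=ESP, spi=0x5D00E4B1
Mar 03 14:00:00 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.7, prot=ESP, spi=0x00000001
"""

# Timestamp, then any hostname, then the message fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ %PIX-4-402101: "
    r".*destaddr=(?P<dest>[^,]+), prot=(?P<prot>\w+), spi=(?P<spi>0x[0-9A-Fa-f]+|\d+)"
)


def parse_events(text):
    """Return one dict per 402101 line; lines for other messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so strptime defaults to 1900; that is
        # fine for durations as long as a run does not cross a year boundary.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "dest": m["dest"], "prot": m["prot"], "spi": m["spi"].lower()})
    return events


def find_bursts(events, gap=timedelta(minutes=10)):
    """Group events per destaddr into runs; a silence longer than `gap` ends a run."""
    by_dest = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_dest.setdefault(ev["dest"], []).append(ev)
    bursts = []
    for dest, evs in by_dest.items():
        cur = None
        for ev in evs:
            if cur is None or ev["ts"] - cur["end"] > gap:
                cur = {"dest": dest, "start": ev["ts"], "end": ev["ts"], "count": 0, "spis": set()}
                bursts.append(cur)
            cur["end"] = ev["ts"]
            cur["count"] += 1
            cur["spis"].add(ev["spi"])
    for b in bursts:
        b["duration_s"] = int((b["end"] - b["start"]).total_seconds())
    bursts.sort(key=lambda b: b["start"])
    return bursts


def classify(burst, persistent=timedelta(minutes=5)):
    """Map a run onto the causes listed in the 402101 message description.

    'persistent': one SPI rejected for at least `persistent` minutes, i.e. the peer
                  keeps using an SA that this side does not have (SAs cleared / rekey
                  mismatch); worth comparing rekey timers and SA lifetimes on both ends.
    'multi-spi':  several different unknown SPIs in one run; look harder at what the
                  peer is actually sending.
    'transient':  a short blip, consistent with slight SA aging differences.
    """
    if len(burst["spis"]) > 1:
        return "multi-spi"
    if burst["end"] - burst["start"] >= persistent:
        return "persistent"
    return "transient"


def report(text):
    """Summarise every run as (destaddr, start, duration in seconds, count, class)."""
    return [
        (b["dest"], b["start"].strftime("%b %d %H:%M:%S"), b["duration_s"], b["count"], classify(b))
        for b in find_bursts(parse_events(text))
    ]


if __name__ == "__main__":
    for dest, start, dur, n, kind in report(SAMPLE_LOG):
        print(f"{dest:15} from {start}  {dur:5d}s  {n:3d} msgs  {kind}")
```

Run it against the firewall's syslog export (for example `report(open("pix.log").read())`) and the "persistent" runs are the ones to line up against the rekey interval and SA lifetime configured on each PIX; if a run starts at a multiple of one side's lifetime, the two peers are not aging their SAs the same way.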
Well it is strange. These vpn tunnels have been working fine for a good while now.
It only happens about 1 time a week, and the duration of the outage is only for about 5 or 10 minutes. During that time period, I see the 402101 errors.
The site that loses connectivity is in Japan. The other site is a datacenter in the US. I am thinking that the problem is related to the fact that the sites are so geographically disparate and that the SADBs get out of sync. I am just trying to figure out if I can adjust anything to help this.