Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX-4-402101 Troubleshooting

I get these 402101 errors every few days. The duration of the messages getting logged is about 10 minutes. When this occurs, one of my remote sites that is connected to this firewall via the VPN (Another PIX) "loses" connectivity to this site where the errors are logged.

Is there any more information I can "glean" from these errors? Any ideas why this error occurs?

Thanks!

4 REPLIES

Re: PIX-4-402101 Troubleshooting

If found this in the online documentation:

Error Message

-------------

%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=dest_address, prot=protocol, spi=number

Explanation

-----------

Received IPSec packet specifies a Security Parameters Index (SPI) that does not exist in SADB. This may be a temporary condition due to slight differences in aging of SAs between the IPSec peers, or it may be because the local SAs have been cleared. It may also be because of incorrect packets sent by the IPSec peer. This may also be an attack.

Recommended Action

------------------

The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully.

Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new

connection or contact the peer's administrator.

Regards,

Tom

New Member

Re: PIX-4-402101 Troubleshooting

Thanks, but I did already see this on CCO. What I was looking for was a "real life" user experience related answer.

I do understand the "logic" behind the errors, but not sure what might cause a VPN that has been working fine for over 3 years to start having this problem.

Let me know if you have any other thoughts.

Thanks,

Chris

Re: PIX-4-402101 Troubleshooting

Chris,

This syslog message indicates that 1) your tunnel is probably not working (as I am sure you saw), and 2) that the SPI values (the unique ID's that IPSec tunnels use to identify themselves) have become mis-matched. SPI values change each time a tunnel re-keys which is a configurable interval. You are probably going to need to take a look at debugs on both devices before and when the issue is occuring to figure anything out. Basically, the syslog entry gives you an idea that something is wrong but doesn't indicate what the issue may be. Hope this helps some.

Scott

New Member

Re: PIX-4-402101 Troubleshooting

Well it is strange. These vpn tunnels have been working fine for a good while now.

It only happens about 1 time a week, and the duration of the outage is only for about 5 or 10 minutes. During that time period, I see the 402101 errors.

The site that loses connectivity is in Japan. The other site is a datacenter in the US. I am thinking that the problem is related to the fact that the sites are so geographically disparate and that the SADB's get out of sync. I am just trying to figure out if I can adjust anything to help this.

It has been 5 days since it has occured last.

-Chris

103
Views
0
Helpful
4
Replies
CreatePlease to create content