PIX-4-402101 Troubleshooting

ccaron
Level 1

I get these 402101 errors every few days. The duration of the messages getting logged is about 10 minutes. When this occurs, one of my remote sites that is connected to this firewall via the VPN (Another PIX) "loses" connectivity to this site where the errors are logged.

Is there any more information I can "glean" from these errors? Any ideas why this error occurs?

Thanks!

4 Replies

tvanginneken
Level 4

I found this in the online documentation:

Error Message

-------------

%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=dest_address, prot=protocol, spi=number

Explanation

-----------

Received IPSec packet specifies a Security Parameters Index (SPI) that does not exist in SADB. This may be a temporary condition due to slight differences in aging of SAs between the IPSec peers, or it may be because the local SAs have been cleared. It may also be because of incorrect packets sent by the IPSec peer. This may also be an attack.

Recommended Action

------------------

The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers may then reestablish successfully.

Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.

Regards,

Tom
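The documentation excerpt above gives the exact field layout of the 402101 message, and the original question is really about how long these bursts last and whether the SPI in them changes. The following script is an added example (not code from the thread or from Cisco): it parses `%PIX-4-402101` lines out of a syslog file, groups them per IPSec peer (`destaddr`), and splits each peer's messages into bursts separated by a quiet gap, reporting the duration and the distinct SPIs seen in each burst. The syslog prefix (`Mon DD HH:MM:SS hostname ...`), the `year` argument (PIX syslog carries none), the 5-minute burst gap, and every log line in `SAMPLE_LOG` are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message body exactly as documented for %PIX-4-402101. The SPI may be printed
# in hex or decimal, so both forms are accepted.
MSG_RE = re.compile(
    r"%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<destaddr>[\d.]+), prot=(?P<prot>\w+), spi=(?P<spi>0x[0-9A-Fa-f]+|\d+)"
)
# Assumed syslog prefix "Mon DD HH:MM:SS hostname <message>"; adjust if your
# collector writes a different timestamp or includes the year.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample log (not taken from the thread): a ~10 minute burst for one
# peer in which the SPI changes part-way, a single message for the same peer a
# week later, one message for a second peer, and an unrelated line to be ignored.
SAMPLE_LOG = """\
Mar  3 02:10:05 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.10, prot=ESP, spi=0x1A2B3C4D
Mar  3 02:12:00 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.7, prot=ESP, spi=0x0000ABCD
Mar  3 02:13:40 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.10, prot=ESP, spi=0x1A2B3C4D
Mar  3 02:14:01 pix-dc %PIX-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443
Mar  3 02:16:02 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.10, prot=ESP, spi=0x1A2B3C4D
Mar  3 02:19:30 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.10, prot=ESP, spi=0x5E6F7081
Mar 10 01:05:11 pix-dc %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.10, prot=ESP, spi=0x5E6F7081
"""


def parse_line(line, year=2024):
    """Return a dict for a 402101 line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = MSG_RE.search(m.group("msg"))
    if not body:
        return None
    # Syslog lines carry no year, so the caller supplies the one the log was taken in.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "destaddr": body.group("destaddr"),
        "prot": body.group("prot"),
        "spi": body.group("spi").lower(),
    }


def summarize(peer, evs):
    """Collapse one burst of events (already time-ordered) into a summary record."""
    return {
        "destaddr": peer,
        "start": evs[0]["ts"],
        "end": evs[-1]["ts"],
        "duration_s": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
        "count": len(evs),
        "spis": sorted({e["spi"] for e in evs}),
    }


def find_bursts(events, gap=timedelta(minutes=5)):
    """Group events per peer and split each peer's timeline into bursts wherever
    two consecutive messages are more than `gap` apart."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["destaddr"]].append(e)
    bursts = []
    for peer, evs in by_peer.items():
        evs.sort(key=lambda e: e["ts"])
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[-1]["ts"] > gap:
                bursts.append(summarize(peer, current))
                current = [e]
            else:
                current.append(e)
        bursts.append(summarize(peer, current))
    return bursts


def analyze(lines, year=2024):
    """Parse raw syslog lines and return the list of 402101 bursts."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    return find_bursts(events)


if __name__ == "__main__":
    for b in analyze(SAMPLE_LOG.splitlines()):
        print(f"{b['destaddr']}: {b['count']} msgs, {b['start']:%b %d %H:%M:%S} to "
              f"{b['end']:%H:%M:%S} ({b['duration_s']:.0f}s), SPIs: {', '.join(b['spis'])}")
```

A burst in which the SPI changes mid-way, as in the constructed first burst, is consistent with the peer having rekeyed while this side still held the old SA; a burst that repeats the same single SPI for its whole length points more at the local SADB having lost that SA. Either way, the start and end times the script reports are what you would line up against `debug crypto ipsec` / `debug crypto isakmp` output on both peers.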

Thanks, but I did already see this on CCO. What I was looking for was a "real life" user experience related answer.

I do understand the "logic" behind the errors, but not sure what might cause a VPN that has been working fine for over 3 years to start having this problem.

Let me know if you have any other thoughts.

Thanks,

Chris

Chris,

This syslog message indicates that 1) your tunnel is probably not working (as I am sure you saw), and 2) that the SPI values (the unique IDs that IPSec tunnels use to identify themselves) have become mismatched. SPI values change each time a tunnel re-keys, which is a configurable interval. You are probably going to need to take a look at debugs on both devices before and when the issue is occurring to figure anything out. Basically, the syslog entry gives you an idea that something is wrong but doesn't indicate what the issue may be. Hope this helps some.

Scott

Well, it is strange. These VPN tunnels have been working fine for a good while now.

It only happens about 1 time a week, and the duration of the outage is only for about 5 or 10 minutes. During that time period, I see the 402101 errors.

The site that loses connectivity is in Japan. The other site is a datacenter in the US. I am thinking that the problem is related to the fact that the sites are so geographically disparate and that the SADBs get out of sync. I am just trying to figure out if I can adjust anything to help this.

It has been 5 days since it last occurred.

-Chris