Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problems with VPN through 28xx router (CRYPTO-4-RECVD_PKT_INV_SPI)

Hi everyone,

I have a VPN tunnel between a Cisco VPN client and a VPN concentrator 4.1.7.P. When I have a 25xx or 26xx router in the middle of the tunnel everything works just fine. This router is not involved or related in any way with the VPN tunnel. He?s just routing packets between the 2 VPN peers.

When a have a 28xx router with an advanced-security IOS image the negotiation of the tunnel succeeded but traffic is unable to cross the tunnel.

In the 28xx router console, I get the following error:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi ?

It seems that the router is checking every IPsec packet even though it?s not a peer of the VPN tunnel.

I checked the ?Cisco Error Message Decoder? tool and found the following:

?An IPSec packet was received that specified an SPI that does not exist in the SADB?

Once again, this router is not related in any way to the VPN tunnel, that?s why the SPI is not in his SADB.

Is there any way to avoid this checking procedure?? Or any other way to fix this situation??

Thanks in advance.



Re: Problems with VPN through 28xx router (CRYPTO-4-RECVD_PKT_IN

Hi Omar,

If 28xx is configured for remote access, try to remove the lines.

If not, enable NAT transparency on the Concentrator and VPN Client, and permit port 4500 UDP and 500 UDP through the 28xx.

Please rate if this helped.



New Member

Re: Problems with VPN through 28xx router (CRYPTO-4-RECVD_PKT_IN

Hi Daniel, thanks for the reply. I don?t know why I didn?t get an email notifying me about it.

The 28xx is not configured for remote access.

I?m going to enable the NAT transparency in the communication. I will get back to you as soon as I test it.

New Member

Re: Problems with VPN through 28xx router (CRYPTO-4-RECVD_PKT_IN


Thank you for your help. The problem was solved using IPSec/TCP.

The Cisco IPSec/UDP did not work and I didn't tried using NAT transparency (design requirements).



CreatePlease login to create content