It is great idea to capture the logs. The meanings of the error are following:
1. %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([dec])
A received IPSec packet specifies an SPI that does not exist in SADB. This may be a temporary condition because of slight differences in the aging of SAs between the IPSec peers or because the local SAs have been cleared. It may also be caused by invalid packets sent by the IPSec peer. This activity could be considered a hostile event.
Recommended Action: If the local SAs have been cleared, the peer may not know. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.
2. %CRYPTO-4-IKMP_NO_SA: IKE message from [IP_address] has no SA and is not an initialization offer
IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.
Recommended Action: Contact the remote peer and the administrator of the remote peer.
The replay processing has failed. The failed replay processing may be a temporary condition caused by the wait for new SAs to be established. In the inbound case, this error might also be caused by an actual replay attack. This activity can be considered a hostile event.
Recommended Action: If the problem appears to be more than a transient one, contact the peer administrator.
4. %LINEPROTO-5-UPDOWN: Line protocol on Interface [chars], changed state to [chars]
The data link level line protocol has changed state.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :