The received IPsec packet specifies a security parameters index (SPI) that does not exist in the security association database (SADB). This can be a temporary condition due to slight differences in the aging of security associations (SAs) between the IPsec peers or it can be due to the clearing of the local SAs. This condition can also be caused by incorrect packets sent by the IPsec peer.
Note: This can also be an attack.
The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.