Unable to Establish IPSEC VPN

rmujeeb81
Level 1

Hi All,

We have two Cisco 837 Routers and these routers are connected point to point using IPoA. We have implemented IPSEC on this point to point link. IP subnet on Point to Point link is 10.1.1.0 /30.

Router A:

int ATM 0.1

ip address 10.1.1.1 255.255.255.252

Router B :

int ATM 0.1

ip address 10.1.1.2 255.255.255.252

I am receiving the following message on the Router A console, and the IPSEC tunnel is not establishing:

00:51:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1

Regards,

Mujeeb


a.kiprawih
Level 7

Hi,

The error details:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([int]), srcaddr=[IP_address]

An IPSec packet was received that specified an SPI that does not exist in the SADB. This may be a temporary condition because of slight differences in aging of SAs between the IPSec peers, or this condition might be caused by local SAs that have been cleared. This condition may also be caused by bogus packets that were sent by the IPSec peer. Under some circumstances this would be considered a hostile event.

Recommended Action: If the local SAs have been cleared, the peer may not be aware of this condition. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

You probably need to reconfigure the routers and test it again.

Rgds,

AK

Dear AK,

Thanks for your support. I want to inform you that the SA lifetime is set to the default, i.e. 86400 sec, on both peers.

Regards,

Mujeeb

hemendoz
Cisco Employee

Hello rmujeeb81,

Would you run the following debugs and attach here for review:

debug cry isa

debug cry ipsec

omar.p
Level 1

I receive the same message when establishing an IPSEC tunnel; it is possible that the access lists on both peers don't match. Please copy your conf.

grant.maynard
Level 4

Check that the VPN ACL on Router A is a mirror of that on Router B, and that the policies match.

Then try the debugs suggested by hemendoz.

Sometimes you can also get this error if one end has been rebooted and the SPIs have not timed out at the other end.
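AK's post above describes the message format and notes that the condition is harmless when brief but worth acting on when it persists, and this last reply adds the rebooted-peer case. The following added example (not from the thread or from Cisco) parses that %CRYPTO-4-RECVD_PKT_INV_SPI format from syslog lines and flags peer pairs whose invalid-SPI events keep arriving past a chosen window; the 60-second threshold, the uptime-style timestamp prefix and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread; the leading HH:MM:SS is the IOS uptime
# prefix shown in the original console output (assumed here, no datetime stamps).
INV_SPI_RE = re.compile(
    r"^(?P<ts>\d+:\d{2}:\d{2}): %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC "
    r"packet has invalid spi for destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+)$"
)

# Constructed sample log: the real line from the thread plus made-up follow-ups.
SAMPLE_LOG = [
    "00:51:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1",
    "00:51:40: %SYS-5-CONFIG_I: Configured from console by console",
    "00:52:30: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1",
    "00:53:45: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1",
    "01:10:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.2, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.1",
    "01:10:20: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.2, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.1",
]

def uptime_seconds(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def parse_inv_spi(line):
    """Return one parsed invalid-SPI event, or None for any other syslog line."""
    m = INV_SPI_RE.match(line.strip())
    if not m:
        return None
    spi = int(m["spi_hex"], 16)
    # IOS prints the SPI as hex(decimal); disagreement means a truncated or garbled line.
    if spi != int(m["spi_dec"]):
        raise ValueError(f"inconsistent SPI in line: {line!r}")
    return {"t": uptime_seconds(m["ts"]), "src": m["src"], "dst": m["dst"],
            "prot": int(m["prot"]), "spi": spi}

def classify(lines, brief_period=60):
    """Group events per (srcaddr, destaddr); events spread over more than
    brief_period seconds are treated as persistent rather than SA-aging noise."""
    by_peer = defaultdict(list)
    for line in lines:
        ev = parse_inv_spi(line)
        if ev:
            by_peer[(ev["src"], ev["dst"])].append(ev)
    report = {}
    for peer, evs in by_peer.items():
        span = evs[-1]["t"] - evs[0]["t"]
        verdict = ("persistent: compare crypto ACLs/policies and check for cleared SAs"
                   if span > brief_period else "transient: SA aging or peer reboot")
        report[peer] = {"count": len(evs), "span_s": span,
                        "distinct_spis": len({e["spi"] for e in evs}), "verdict": verdict}
    return report
```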
