Cisco Support Community

New Member

Unable to Establish IPSEC VPN

Hi All,

We have two Cisco 837 routers, and these routers are connected point to point using IPoA. We have implemented IPSEC on this point-to-point link. The IP subnet on the point-to-point link is 10.1.1.0/30.

Router A:

int ATM 0.1
 ip address 10.1.1.1 255.255.255.252

Router B:

int ATM 0.1
 ip address 10.1.1.2 255.255.255.252

I am receiving the following message on the Router A console and the IPSEC tunnel is not establishing.

00:51:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1

Regards,

Mujeeb

WOL

5 REPLIES

Re: Unable to Establish IPSEC VPN

Hi,

The error details:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([int]), srcaddr=[IP_address]

An IPSec packet was received that specified an SPI that does not exist in the SADB. This may be a temporary condition because of slight differences in aging of SAs between the IPSec peers, or this condition might be caused by local SAs that have been cleared. This condition may also be caused by bogus packets that were sent by the IPSec peer. Under some circumstances this would be considered a hostile event.

Recommended Action: If the local SAs have been cleared, the peer may not be aware of this condition. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

You probably need to reconfigure the routers and test it again.

Rgds,

AK

New Member

Re: Unable to Establish IPSEC VPN

Dear AK,

Thanks for your support. I want to inform you that the SA lifetime is set to the default, i.e. 86400 sec, on both peers.

Regards,

Mujeeb

Cisco Employee

Re: Unable to Establish IPSEC VPN

Hello rmujeeb81,

Would you run the following debugs and attach here for review:

debug cry isa
debug cry ipsec

New Member

Re: Unable to Establish IPSEC VPN

I receive the same message when establishing an IPSEC tunnel. It is possible that the access lists on both peers don't match. Please copy your conf.

Re: Unable to Establish IPSEC VPN

Check that the VPN ACL on Router A is a mirror of that on Router B, and that policies match.

Then try the debugs suggested by hemendoz.

Sometimes you can also get this error if one end has been rebooted and the SPIs have not timed out at the other end.
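
The mirror-ACL check suggested in the replies above, as an added example that is not part of the original thread: a Python script that parses each peer's crypto ACL and reports entries that have no source/destination-swapped twin on the other router. The ACL number 101 and the 192.168.x.0 subnets are constructed sample values, since the thread never shows the routers' ACLs.

```python
import re

# Matches IOS extended-ACL entries such as
#   access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
# and the "permit ..." lines found under a named extended ACL.
ACE = re.compile(r"^\s*(?:access-list\s+\S+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")

def _operand(tokens):
    """Consume one source or destination operand; return (address, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return ("0.0.0.0", "255.255.255.255")
    if head == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (head, tokens.pop(0))

def parse_acl(text):
    """Return the set of (action, protocol, source, destination) entries."""
    entries = set()
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # remarks, blank lines, named-ACL headers
        action, proto, rest = m.groups()
        tokens = rest.split()
        # Port qualifiers after the destination are ignored in this example.
        entries.add((action, proto, _operand(tokens), _operand(tokens)))
    return entries

def mirror_mismatches(acl_a, acl_b):
    """Entries on A lacking a swapped twin on B, and entries on B lacking one on A."""
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    swap = lambda e: (e[0], e[1], e[3], e[2])
    return sorted(a - {swap(e) for e in b}), sorted(b - {swap(e) for e in a})

# Constructed sample ACLs (not taken from the thread).
ROUTER_A = "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
ROUTER_B_OK = "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"
ROUTER_B_BAD = "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255"

if __name__ == "__main__":
    print("mirrored pair:  ", mirror_mismatches(ROUTER_A, ROUTER_B_OK))
    print("mismatched pair:", mirror_mismatches(ROUTER_A, ROUTER_B_BAD))
```

An empty pair of lists means every entry on one peer has its mirror on the other; any entry returned is a line to compare by hand against the other router's ACL.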
