06-08-2006 10:08 PM - edited 02-21-2020 12:57 AM
Hi All,
We have two Cisco 837 routers, and these routers are connected point-to-point using IPoA. We have implemented IPSEC on this point-to-point link. The IP subnet on the point-to-point link is 10.1.1.0/30.
Router A:
int ATM 0.1
ip address 10.1.1.1 255.255.255.252
Router B :
int ATM 0.1
ip address 10.1.1.2 255.255.255.252
I am receiving the following message on the Router A console, and the IPSEC tunnel is not establishing.
00:51:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867), srcaddr=10.1.1.1
Regards,
Mujeeb
WOL
06-09-2006 11:15 AM
Hi,
The error details:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([int]), srcaddr=[IP_address]
An IPSec packet was received that specified an SPI that does not exist in the SADB. This may be a temporary condition because of slight differences in aging of SAs between the IPSec peers, or this condition might be caused by local SAs that have been cleared. This condition may also be caused by bogus packets that were sent by the IPSec peer. Under some circumstances this would be considered a hostile event.
Recommended Action: If the local SAs have been cleared, the peer may not be aware of this condition. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.
You probably need to reconfigure the routers and test it again.
Rgds,
AK
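As an added illustration of the message text AK quotes (this is example code, not from the thread or from Cisco): the script below rejoins an 80-column console wrap, pulls the source, destination, protocol and SPI out of a %CRYPTO-4-RECVD_PKT_INV_SPI line, and compares the rejected SPI with the inbound ESP SAs the local router holds, which is the SADB lookup the message says failed. The log line is the one posted in the thread; the `show crypto ipsec sa` excerpt is constructed, and the timestamp format assumes `service timestamps log uptime`.

```python
import re
from typing import Dict, List, Optional, Set

# Added example, not from the thread: parse %CRYPTO-4-RECVD_PKT_INV_SPI and
# check the rejected SPI against the local inbound SADB (receive direction).

# IOS uptime-style timestamp "00:51:24: " (assumes "service timestamps log uptime").
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}: ")

# Field names follow the message template. Commas absorb whitespace so a console
# wrap that dropped a trailing space still parses.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi"
    r"\s+for\s+destaddr=(?P<dst>[\d.]+),\s*prot=(?P<prot>\d+),\s*"
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\),\s*"
    r"srcaddr=(?P<src>[\d.]+)"
)

# "show crypto ipsec sa" section headers and SPI lines.
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_LINE_RE = re.compile(r"^\s*spi: 0x([0-9A-Fa-f]+)\(\d+\)")


def reassemble_console(text: str) -> List[str]:
    """Rejoin console wraps: a line without a timestamp continues the previous message."""
    msgs: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if TS_RE.match(line) or not msgs:
            msgs.append(line)
        else:
            msgs[-1] += line   # the wrap can split a token ("sp" + "i"), so join with nothing
    return msgs


def parse_inv_spi(msg: str) -> Optional[Dict[str, object]]:
    """Return src, dst, protocol and SPI of a RECVD_PKT_INV_SPI message, or None otherwise."""
    m = INV_SPI_RE.search(msg)
    if not m:
        return None
    spi = int(m.group("spi_hex"), 16)
    if spi != int(m.group("spi_dec")):   # both encodings are in the message; they must agree
        raise ValueError("hex and decimal SPI disagree: " + msg)
    return {"src": m.group("src"), "dst": m.group("dst"),
            "prot": int(m.group("prot")), "spi": spi}


def inbound_spis(show_output: str) -> Set[int]:
    """Collect inbound SPIs from 'show crypto ipsec sa' output (the local SADB, receive side)."""
    spis: Set[int] = set()
    in_inbound = False
    for line in show_output.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            in_inbound = sec.group(1) == "inbound"
            continue
        m = SPI_LINE_RE.match(line)
        if m and in_inbound:
            spis.add(int(m.group(1), 16))
    return spis


def diagnose(msg: Dict[str, object], local_inbound: Set[int]) -> str:
    """Map the parsed message onto the causes the IOS message description lists."""
    if msg["prot"] != 50:
        return "not ESP (protocol %d); check that both peers use the same transform" % msg["prot"]
    if msg["spi"] in local_inbound:
        return "SPI 0x%08X is present now: transient SA aging/re-key mismatch" % msg["spi"]
    return ("SPI 0x%08X from %s is not in the local SADB: peer still uses an SA this side "
            "lost (cleared SAs or reboot), or the peer is sending bogus ESP"
            % (msg["spi"], msg["src"]))


# Console capture wrapped at 80 columns, as a terminal wraps it (message from the thread).
CONSOLE = """00:51:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid sp
i for destaddr=10.1.1.2, prot=50, spi=0x6360ABFB(1667279867),
srcaddr=10.1.1.1
"""

# Constructed excerpt of "show crypto ipsec sa" on the receiving router: its only
# inbound SA has a different SPI from the one in the rejected packet.
SHOW_SA = """   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
     inbound esp sas:
      spi: 0x2B8E5F2A(730750762)
        transform: esp-3des esp-sha-hmac ,
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x7D1E0C55(2099121237)
        transform: esp-3des esp-sha-hmac ,
"""

if __name__ == "__main__":
    for m in reassemble_console(CONSOLE):
        parsed = parse_inv_spi(m)
        if parsed:
            print(parsed, "->", diagnose(parsed, inbound_spis(SHOW_SA)))
```

Run the rejected SPI against the inbound SA list on the router that logged the message; if it is absent there but still listed as an outbound SA on the peer, the peer is encrypting with an SA this side no longer has, and `clear crypto sa` on the peer (or a new connection from the local router, as the message description says) forces a fresh negotiation.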
06-10-2006 02:56 AM
Dear AK,
Thanks for your support. I want to inform you that the SA lifetime is set to the default, i.e. 86400 sec, on both peers.
Regards,
Mujeeb
06-29-2006 06:27 PM
Hello rmujeeb81,
Would you run the following debugs and attach them here for review:
debug cry isa
debug cry ipsec
07-01-2006 05:31 PM
I receive the same message when establishing an IPSEC tunnel. It is possible that the access lists on both peers don't match; please copy your conf here.
07-03-2006 04:55 AM
Check that the VPN ACL on Router A is a mirror of that on Router B, and that the policies match.
Then try the debugs suggested by hemendoz.
Sometimes you can also get this error if one end has been rebooted and the SPIs have not timed out at the other end.
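The ACL-mirroring check that the last two replies ask for, as an added example (not code from the thread): the crypto ACL is the traffic selector for the IPsec SA, so each `permit` on Router A must appear on Router B with source and destination swapped. The script parses numbered or named extended-ACL lines with address-only selectors (`any`, `host`, or address plus wildcard), mirrors one side, and reports the entries that have no counterpart. The ACLs are constructed; the 192.168.x.0 networks are assumed LAN subnets, not taken from the post.

```python
import re
from typing import List, Set, Tuple

# Added example, not from the thread: verify that two crypto ACLs mirror each other.

# Matches "access-list 101 permit ip ..." and named-ACL lines " permit ip ...".
ACL_LINE_RE = re.compile(r"^\s*(?:access-list \d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")

Entry = Tuple[str, str, str]   # (protocol, "src/wildcard", "dst/wildcard")


def _addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec (any | host A.B.C.D | A.B.C.D W.W.W.W) from the token list."""
    if tokens[0] == "any":
        return "0.0.0.0/255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/0.0.0.0", tokens[2:]
    return tokens[0] + "/" + tokens[1], tokens[2:]


def parse_crypto_acl(text: str) -> Set[Entry]:
    """Parse permit lines into selector tuples; deny, remark and other lines are skipped."""
    entries: Set[Entry] = set()
    for line in text.splitlines():
        m = ACL_LINE_RE.match(line)
        if not m or m.group(1) != "permit":
            continue
        proto = m.group(2)
        src, rest = _addr(m.group(3).split())
        dst, rest = _addr(rest)
        if rest:   # this example handles address-only selectors; anything else is flagged
            raise ValueError("unsupported trailing tokens in crypto ACL: " + line)
        entries.add((proto, src, dst))
    return entries


def mirror(entries: Set[Entry]) -> Set[Entry]:
    """Swap source and destination of every selector."""
    return {(p, d, s) for (p, s, d) in entries}


def check_mirror(acl_a: str, acl_b: str) -> Tuple[Set[Entry], Set[Entry]]:
    """Return (A entries with no mirror on B, B entries with no mirror on A). Both empty means OK."""
    a = parse_crypto_acl(acl_a)
    b_as_seen_from_a = mirror(parse_crypto_acl(acl_b))
    return a - b_as_seen_from_a, mirror(b_as_seen_from_a - a)


# Constructed ACLs. Router A protects two selectors towards Router B.
ACL_A = """access-list 101 remark crypto ACL to Router B
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip host 192.168.1.10 192.168.3.0 0.0.0.255
"""

# Router B, wrong: the second line uses the whole 192.168.1.0/24 instead of the single host.
ACL_B_BAD = """access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Router B, corrected: an exact mirror of Router A.
ACL_B_GOOD = """access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 host 192.168.1.10
"""

if __name__ == "__main__":
    for label, acl_b in (("bad", ACL_B_BAD), ("good", ACL_B_GOOD)):
        a_only, b_only = check_mirror(ACL_A, acl_b)
        print(label, "unmatched on A:", a_only, "unmatched on B:", b_only)
```

A selector mismatch like the one in `ACL_B_BAD` shows up in `debug crypto ipsec` as a proxy identity the responder will not accept, so run this check before reading the debugs the earlier replies asked for.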