CRYPTO-4-RECVD_PKT_INV_SPI error - conflict ESP/AH protocol on UMA phone?
I have an annoying problem. I have a Cisco 871W router with a VPN tunnel to another location that works fine. If the tunnel is up, UMA enabled phones won't work on the connection and the router will log this error:
*Mar 29 01:44:37.791: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has in
valid spi for destaddr=xx.xx.x.xx, prot=50, spi=0x8884FEDE(2290417374), srcaddr=20
If I remove the crypto map off the external interface (FastEthernet 4) the UMA enabled phones work fine, but no VPN tunnel (obviously)! I even tried changing the VPN protocol from ESP to AH.
Does anyone know how I can have the tunnel up and also have the UMA phones work too?
Attached is the config... Does anyone have any suggestions on how I can fix this or how I should modify my config?
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has in valid spi for destaddr=xx.xx.x.xx, prot=50, spi=0x8884FEDE(2290417374), srcaddr=184.108.40.206
The above error states an IPSec packet was received that specified an SPI that does not exist in the SADB. This may be a temporary condition because of slight differences in aging of SAs between the IPSec peers, or this condition might be caused by local SAs that have been cleared. This condition may also be caused by bogus packets that were sent by the IPSec peer. Under some circumstances this would be considered a hostile event.
To resolve this issue: If the local SAs have been cleared, the peer may not be aware of this condition. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.
Well, I know that my phone is attempting to establish some sort of tunnel to support UMA.
I also know that if I shut down the tunnel to another site (something completely separate) that the phone is able to establish it's tunnel and works great.
I DON'T know how to have my tunnel up AND have the phone establish IT'S tunnel.
I think the phone gets confused with the existing tunnel and as a result can't establish the connection that it needs. If I had multiple IP addresses I'd establish the tunnel on a separate address and have the phone go out on a different IP but I am not in that situation.
Any other thoughts or concrete ways I could circumvent this "conflict"/behavior?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...