Cisco Support Community

New Member

crypto isakmp invalid-spi-recovery

Hi All,

I have an ISR with live lan2lan VPN tunnels and traffic on it.

The first question is if "crypto isakmp invalid-spi-recovery" can be enabled on the chassis with no harm to the live VPN tunnels.

The second question is if "crypto isakmp invalid-spi-recovery" is enabled only at one end of the VPN tunnel, will it somehow prevent the VPN tunnel from forming SAs? (I do not have access to the remote VPN endpoints and some of them actually run non-IOS appliances like ASA).


Cisco Employee

crypto isakmp invalid-spi-recovery

The command you're listing is a recovery mechanism in case the two sides of the tunnel get unsynchronized.

It will send a delete to the remote (static) peer if we detect that said peer is sending us packets with SPIs we do not have.

This should cause another round of negotiations to form new SAs.
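
Added example, not part of the original thread and not Cisco code: a small Python log check that finds which peers keep sending ESP packets with SPIs the local router no longer has, which is the condition the reply above describes. It assumes the IOS syslog message `%CRYPTO-4-RECVD_PKT_INV_SPI` in its commonly seen field layout (the layout may differ between releases); the sample lines, addresses, function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation addresses, made-up SPIs).
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x5AFB1C9E(1526406302), srcaddr=198.51.100.7
Mar  1 10:00:31.456: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x5AFB1C9E(1526406302), srcaddr=198.51.100.7
Mar  1 10:00:40.002: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Mar  1 10:01:01.789: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x5AFB1C9E(1526406302), srcaddr=198.51.100.7
Mar  1 10:02:10.100: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x0A1B2C3D(169552957), srcaddr=203.0.113.9
"""

# Assumed field layout of the invalid-SPI message; adjust if your release differs.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[0-9.]+),\s*prot=(?P<prot>\d+),"
    r"\s*spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\),\s*srcaddr=(?P<src>[0-9.]+)"
)


def invalid_spi_counts(log_text):
    """Count invalid-SPI events per (peer address, SPI) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INV_SPI.search(line)
        if m:
            counts[(m.group("src"), m.group("spi").lower())] += 1
    return counts


def stale_peers(log_text, threshold=3):
    """Peers that sent the same unknown SPI at least `threshold` times.

    Repeats of one SPI suggest the peer still holds an SA this router lost
    (for example after a reload), rather than a single stray packet.
    """
    return sorted(
        (src, spi, n)
        for (src, spi), n in invalid_spi_counts(log_text).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for src, spi, n in stale_peers(SAMPLE_LOG):
        print(f"peer {src} sent unknown SPI {spi} {n} times")
```
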

New Member

crypto isakmp invalid-spi-recovery


Thanks for the explanation.

But actually my first question is:

1. If I can issue this command on the live environment, where I have multiple live L2L VPN tunnels. Will it kill the live VPN tunnels or make them renegotiate?

My second question is:

2. If I enable it on my end, and the other end either does not support it or does not have it on the configuration of their firewall or router, will it prevent establishing VPN tunnels? I.e. can this command be used on one end only?