Error Message - %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[int], prot=[dec], spi=0x[hex]([dec]), (ONEMIN)
Explanation - A received IPSEC packet specifies an SPI that does not exist in the security association database (SADB). This may be a temporary condition resulting from slight differences in the aging of SAs between the IPSEC peers, or because the local SAs have been cleared. It may also be caused by bogus packets being sent by the IPSEC peer. Some might consider this a hostile event.
Recommended Action - If the local SAs have been cleared, the peer may not know this. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...