Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Invalid Security Parameter Index


We have implemented DMVPN on all our local office using static routes as the rule on which interesting traffic to use the tunnel.

On the HUB router, we have local office connecting to our DMVPN. Our international office is connected via normal GRE Tunnel for the mean time.

This solution has been running since December 2007 and recently we have been getting a lot of error logs on the HUB

003169: Sep 26 2008 14:04:34.570 EST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=DMVPN HUB, prot=50, spi=0xF02E779F(4029577119), srcaddr=DMVPN SPOKE

I have program "crypto isakmp invalid-spi-recovery" on the global command and we are still getting the error after clear the IKE and IPSec SAs

Help please...




Re: Invalid Security Parameter Index

Error Message - %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=[int], prot=[dec], spi=0x[hex]([dec]), (ONEMIN)

Explanation - A received IPSEC packet specifies an SPI that does not exist in the security association database (SADB). This may be a temporary condition resulting from slight differences in the aging of SAs between the IPSEC peers, or because the local SAs have been cleared. It may also be caused by bogus packets being sent by the IPSEC peer. Some might consider this a hostile event.

Recommended Action - If the local SAs have been cleared, the peer may not know this. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.