IPSEC SPI Errors at NAT-T

Hi all,

I have had a fun time trying to get an IPSec tunnel up between two companies. The remote end is behind a PAT device, so they are using NAT-T.

To successfully bring up the tunnel, I had to match both the public IP and the Phase 1 ID received from the device itself (which was a different IP).

After working through some issues, we have the tunnel up and staying up (they had PFS active and I didn't).

Now, before and after these PFS changes, I am still getting the following log messages:

 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=17, spi=0xFFAAF7B7(4289394615), srcaddr=x.x.x.x

Reading the config, is this just a sync problem? We have enabled DPD as well to ensure hosts are staying online.

Thanks in advance,

Brad

1 REPLY
Cisco Employee

Brad, check out that "prot" , it's short for protocol. 

#17 is UDP. http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

You seem to be leaking in clear UDP packets.

Get a sniffer trace. If those are IKE packets - open a TAC case.
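The reply's point is that the `prot=` field in `%CRYPTO-4-RECVD_PKT_INV_SPI` is the IANA IP protocol number of the packet the router could not map to a security association. The following is an added example (not from the original post or from Cisco) that parses such log lines, decodes the protocol number with a small IANA lookup, checks that the hex and decimal SPI values agree, and counts repeats per source/destination/SPI so a one-off stale SPI seen right after a rekey can be told apart from a sustained mismatch. The sample log lines and addresses are constructed; only the first one mirrors the message format quoted in the question. Since ESP over NAT-T travels inside UDP on port 4500 (RFC 3948), the `encap` hint tells you which filter to apply when you take the sniffer trace the reply recommends.

```python
import re
from collections import Counter

# Constructed sample syslog lines (RFC 5737 documentation addresses; the second
# SPI is made up). The first two copy the format from the question.
SAMPLE_LOGS = [
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    "destaddr=203.0.113.10, prot=17, spi=0xFFAAF7B7(4289394615), srcaddr=198.51.100.5",
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    "destaddr=203.0.113.10, prot=17, spi=0xFFAAF7B7(4289394615), srcaddr=198.51.100.5",
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    "destaddr=203.0.113.10, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7",
]

# Subset of the IANA protocol-numbers registry relevant to IPsec.
IANA_PROTOCOLS = {17: "UDP", 50: "ESP", 51: "AH"}

# What the protocol number implies about how the IPsec packet arrived.
ENCAP_HINT = {
    17: "UDP-encapsulated (NAT-T, udp/4500) or non-IPsec UDP",
    50: "native ESP, no NAT-T",
    51: "native AH, no NAT-T",
}

PATTERN = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>\S+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>\S+)"
)


def parse_inv_spi(line):
    """Return a dict describing one invalid-SPI message, or None if the line
    is not that message."""
    m = PATTERN.search(line)
    if not m:
        return None
    prot = int(m.group("prot"))
    spi_hex = int(m.group("spi_hex"), 16)
    spi_dec = int(m.group("spi_dec"))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "prot": prot,
        "prot_name": IANA_PROTOCOLS.get(prot, "unknown"),
        "encap": ENCAP_HINT.get(prot, "not an IPsec transport"),
        "spi": spi_hex,
        # The router prints the SPI twice; a mismatch would mean a mangled log line.
        "spi_consistent": spi_hex == spi_dec,
    }


def summarize(lines):
    """Count events per (src, dst, protocol name, SPI). A single hit is typical
    of a stale SPI after a rekey; a steadily growing count points at a peer
    that keeps sending on an SA this router does not have."""
    counts = Counter()
    for line in lines:
        rec = parse_inv_spi(line)
        if rec is not None:
            counts[(rec["src"], rec["dst"], rec["prot_name"], rec["spi"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS).items():
        src, dst, proto, spi = key
        print(f"{src} -> {dst} {proto} spi=0x{spi:08X}: {n} event(s); "
              f"{ENCAP_HINT.get({v: k for k, v in IANA_PROTOCOLS.items()}[proto])}")
```

Feed it the output of `show logging` (or the syslog collector's export) and compare the SPI values it reports against `show crypto ipsec sa` on both ends; an SPI that appears on the peer but not locally is the sync problem the question asks about, whereas a protocol other than 17, 50 or 51 is not IPsec at all.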
