Cisco Support Community
Is IPSec SA removed when related tunnel I/F goes to down ?

Hi everyone,

Router received "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for" message.

I understand this message means that the router received an IPSec packet with an SPI that does not exist in the local SA database.

This router is connecting to the IPSec peer via a GRE tunnel. When this message was displayed on the router, the router's tunnel interface went down and then came up again, but the physical interface (the tunnel source interface) remained up and did not go down.

My question is,

Is the SPI/IPSec SA removed from the local SA database when the related tunnel interface goes down?

and

I understand the IPSec SA lifetime is not "zero cleared" by sending a matched (against the crypto map) packet, unlike the dialer idle time. This means the IPSec SA lifetime only decrements from the configured timer (default 3600 seconds), even if matched packets are sent to the peer.

Is my understanding true?

Your information would be appreciated.

Shinichi

3 REPLIES

Re: Is IPSec SA removed when related tunnel I/F goes to down ?

If the local SAs have been cleared, the peer may not know. In this case, if a new connection is established from the local router, the two peers may reestablish the connection successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

Re: Is IPSec SA removed when related tunnel I/F goes to down ?

If you enable the ISAKMP keepalive option, then both peers will recognize that the interface on either side went down for a brief moment of time (if a keepalive timeout occurs). If that happens, the tunnel will be brought down on both sides and will reestablish again if interesting traffic passes by.

Hope this helps.
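As an added example that is not part of this thread: a small Python script that correlates the `%CRYPTO-4-RECVD_PKT_INV_SPI` message from the question with `Tunnel` line-protocol flaps in a router syslog, so you can tell whether a flap coincides with a peer sending traffic for an SA the local router no longer holds (the mismatch the first reply describes). The syslog lines are constructed, and the field layout after `invalid spi for` (destaddr/prot/spi/srcaddr) is an assumption, since the question only quotes the message up to that point.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the original thread); the
# timestamps, addresses and SPI value are made up for illustration, and the
# destaddr/prot/spi/srcaddr fields are assumed, not quoted from the question.
SAMPLE_LOG = """\
Mar  1 10:00:01.120: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xDEADBEEF(3735928559), srcaddr=198.51.100.2, input interface=GigabitEthernet0/0
Mar  1 10:00:03.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Mar  1 10:00:45.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Mar  1 11:30:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2})\.\d+: (.*)$")
SPI_RE = re.compile(r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*\bsrcaddr=([\d.]+)")
TUN_RE = re.compile(r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (Tunnel\d+), "
                    r"changed state to (down|up)")

def parse(log, year=2024):
    """Turn raw lines into (timestamp, message) pairs; lines without a
    recognisable timestamp are skipped. IOS timestamps carry no year."""
    events = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def correlate(log, window_s=30):
    """For every tunnel line-protocol DOWN event, report which peers sent an
    invalid-SPI packet within window_s seconds before it. A hit points at an
    SA-database mismatch with that peer; an empty list means the flap has some
    other cause and the SA state is not the first place to look."""
    events = parse(log)
    spi_hits = [(ts, SPI_RE.search(msg).group(1))
                for ts, msg in events if SPI_RE.search(msg)]
    window = timedelta(seconds=window_s)
    report = []
    for ts, msg in events:
        m = TUN_RE.search(msg)
        if not m or m.group(2) != "down":
            continue
        peers = sorted({p for t, p in spi_hits if ts - window <= t <= ts})
        report.append({"tunnel": m.group(1), "at": ts.isoformat(),
                       "invalid_spi_peers": peers})
    return report

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

On the sample, the 10:00:03 flap is matched to the peer 198.51.100.2, while the 11:30:00 flap has no invalid-SPI message near it.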
