Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN error invalid spi urgent help

we are running MPLS VPN using Tunnel0 interface , we go the frequent below error message in router conole , it seems clinet end router holding old SA, it is not refereshed. pl advise, urgent

INCDR#

*Dec 29 09:19:11.134: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x2968B91(43420561), srcaddr=10.51.105.1

*Dec 29 09:20:55.197: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0x27BD4575(666715509), srcaddr=10.51.105.1

*Dec 29 09:22:50.185: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.168.118.62, prot=50, spi=0xB243ED01(2990796033), srcaddr=10.51.105.1

INCHENNAIDR#

INCHENNAIDR#ping 10.51.105.1

4 REPLIES

Re: VPN error invalid spi urgent help

You need to check the source of the VPN tunnel, the attached logs indicate that the device has received packets for a destination of 192.168.118.62 - is this the tunnel IP address of the MPLS connection? And an originating IP of 10.5.105.1 is this the remote end?

New Member

Re: VPN error invalid spi urgent help

You can try "crypto isakmp invalid-spi-recovery"

Also if you're problem is the client holding old sa's I suggest you put in "crypto isakmp keepalive 10 periodic"

New Member

Re: VPN error invalid spi urgent help

i have already configured "crypto isakmp invalid-spi-recovery "

now i have added "crypto isakmp keepalive 10 periodic "

i will update the result soon , other wise the client has to clear the SA in their router.Is it correct ?

New Member

Re: VPN error invalid spi urgent help

What is the problem you're having exactly. The invalid SPI maybe not be the issue rather the symptom of a bigger configuration problem. Can you post your confi, or maybe describe the network a little more?

Thanks,

595
Views
0
Helpful
4
Replies
CreatePlease login to create content