Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Contivity Client failed to establish a connection


I have configured a Cisco 870 to connect a cisco VPN Client installed on my private laptop into my network.

This connection works fine.

Now I have a notebook (from my company), on this notebook is a contivity vpn-client installed.

I am not able to establish a secure connection out of my LAN via this contivity client into my company.


While establishing the connection I see following lines in my router log

Dec 22 17:54:44: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for, prot=50, spi=0x1C59F1(1858033),


Re: Contivity Client failed to establish a connection


Here's the explanation for the error and recommended action.


A received IPSec packet specifies an SPI that does not exist in SADB. This may be a temporary condition because of slight differences in the aging of SAs between the IPSec peers or because the local SAs have been cleared. It may also be caused by invalid packets sent by the IPSec peer. This activity could be considered a hostile event.

Recommended Action

If the local SAs have been cleared, the peer may not know. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. If the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.



New Member

Re: Contivity Client failed to establish a connection


yes I have read this article. But what I not understand is, this packets only have to pass through this router, they are not destined for the router.

Why does the crypto engine look into this packets, destined for a client in my LAN ?