Cisco Support Community

New Member

IPSec tunnel No IKE

Hi

I have the following IPSec tunnel fluctuating between the status UP-Active and UP-NO-IKE, and the VPN drops.

In the logs I see the following:

RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2xx.xx.x.x, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=1x.x.x.x

%CRYPTO-4-IKMP_NO_SA: IKE message from 1xx.xx.xx.xx  has no SA and is not an initialization offer

Below is the output of sh crypto isakmp sa:

dst             src             state          conn-id slot status

1.x.x.x     2.x.x.x   QM_IDLE             19    0 ACTIVE     

The status above changes as below after a few moments.

UAT-PEER#sh crypto isakmp sa

dst             src             state          conn-id slot status

1.x.x.x     2.x.x.x   MM_NO_STATE         19    0 ACTIVE (deleted)

I could ping the peer outside VPN fine.

Can anyone please help me to understand what could be causing the above?

Regards,

Sandip

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

IPSec tunnel No IKE

When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one.

One possible way to resolve this issue is to apply isakmp keepalive.

6 REPLIES

IPSec tunnel No IKE

Can you please paste your configuration from both sides.

New Member

IPSec tunnel No IKE

Hi Hristea,

Thanks, it was indeed a strange connectivity issue.

Though I could do a traceroute and ping from the firewall without any drops, it showed drops when I pinged from the VPN.

Pinging each IP individually along the route gave the IP which was causing the issue, and rerouting through the ISP path resolved it.

Thanks

Sandip


Silver

IPSec tunnel No IKE

Hi,

What are the 2 devices that connect? I had an issue between a Cisco and a Checkpoint... some IOS bug. Also, are your packets traversing a NAT? Turn on IPsec debugging. The issue may be related to connectivity between the two sites.

According to the log, the device was not able to identify the SPI (which is a unique identifier of an IPsec SA). When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one. Thus when the device received the packet, the SPI didn't match.

One possible way to resolve this issue is to apply isakmp keepalive. With this command enabled, the device will keep polling the VPN peer with the time interval you configured with the command "isakmp keepalive".

Hope this helps

---

Posted by WebUser Ionut Hristea
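A defender-side check for the symptom this thread discusses, added here as an example and not part of any post: it parses the two IOS message types quoted above (sample lines are constructed with placeholder addresses) and flags peers whose packets keep arriving with an SPI this side no longer holds, i.e. the stale-SA pattern Hristea describes. The syslog prefixes, field names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed IOS syslog lines in the shape quoted in the thread; the addresses
# are documentation ranges and the SPI values are made up (not from the post).
SAMPLE_LOG = """\
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=198.51.100.5
%CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.5 has no SA and is not an initialization offer
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=198.51.100.5
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x1B2C3D4E(455884110), srcaddr=198.51.100.7
"""

INV_SPI_RE = re.compile(
    r"RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+)"
)
NO_SA_RE = re.compile(r"IKMP_NO_SA: IKE message from (?P<src>[\d.]+) has no SA")


def parse_events(text):
    """Return (kind, peer, spi) tuples for the two message types; spi is None for IKMP_NO_SA."""
    events = []
    for line in text.splitlines():
        m = INV_SPI_RE.search(line)
        if m:
            # IOS prints the SPI as hex and decimal; disagreement means a mangled log line.
            if int(m["spi"], 16) != int(m["spi_dec"]):
                raise ValueError(f"inconsistent SPI in line: {line!r}")
            events.append(("invalid_spi", m["src"], int(m["spi"], 16)))
            continue
        m = NO_SA_RE.search(line)
        if m:
            events.append(("no_sa", m["src"], None))
    return events


def stale_sa_peers(events, threshold=2):
    """Peers that hit an unknown SPI at least `threshold` times, or that also sent IKE
    traffic for which this side holds no SA: one side rekeyed, the other kept the old SA."""
    invalid = Counter(peer for kind, peer, _ in events if kind == "invalid_spi")
    no_sa = {peer for kind, peer, _ in events if kind == "no_sa"}
    return sorted(p for p, n in invalid.items() if n >= threshold or p in no_sa)


if __name__ == "__main__":
    print(stale_sa_peers(parse_events(SAMPLE_LOG)))  # ['198.51.100.5']
```

A peer that shows up here repeatedly is the one to check for a one-sided SA teardown; the thread's remedies (isakmp keepalive, invalid-spi-recovery) address exactly that condition.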


New Member

IPSec tunnel No IKE

Dear Sandip,

You can also use the "crypto isakmp invalid-spi-recovery" command.

Regards,

Ranjit
