https://community.cisco.com/t5/network-security/2-firewall-and-1-cisco-router/m-p/1344684#M947595 <P>Hi,</P><P></P><P>I have a 1841 cisco router with ports and ip remote access to locally connected 2 firewalls.</P><P></P><P>Those firewalls stablish 2 vpn tunnels. 1 is up an the other one no.</P><P></P><P>This warning is show:</P><P>packet has invalid spi for dest address=213.171.249.86, prot=50 spi srcaddress=217.204.95.134.</P><P></P><P>why? ther is no crypto configured at router all vpn traffic is configured into the firewall</P><P></P><P>Whats wrong?</P><P></P><P>Best regards</P> Fri, 21 Feb 2020 11:44:25 GMT edgar-quintana 2020-02-21T11:44:25Z https://community.cisco.com/t5/network-security/2-firewall-and-1-cisco-router/m-p/1344684#M947595 <P>Hi,</P><P></P><P>I have a 1841 cisco router with ports and ip remote access to locally connected 2 firewalls.</P><P></P><P>Those firewalls stablish 2 vpn tunnels. 1 is up an the other one no.</P><P></P><P>This warning is show:</P><P>packet has invalid spi for dest address=213.171.249.86, prot=50 spi srcaddress=217.204.95.134.</P><P></P><P>why? ther is no crypto configured at router all vpn traffic is configured into the firewall</P><P></P><P>Whats wrong?</P><P></P><P>Best regards</P> Fri, 21 Feb 2020 11:44:25 GMT https://community.cisco.com/t5/network-security/2-firewall-and-1-cisco-router/m-p/1344684#M947595 edgar-quintana 2020-02-21T11:44:25Z https://community.cisco.com/t5/network-security/2-firewall-and-1-cisco-router/m-p/1344685#M947596 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Does this scenario / solution apply to your circumstance:</P><P>The %PIX-4-402101: decaps: recd IPSEC packet has invalid spi for destaddr=dest_address, prot=protocol, spi=number error message is received on the PIX Firewall</P><P>VERSION 2 </P><P>Core issue</P><P> </P><P>The received IPsec packet specifies a security parameters index (SPI) that does not exist in the security association database (SADB). This can be a temporary condition due to slight differences in the aging of security associations (SAs) between the IPsec peers or it can be due to the clearing of the local SAs. This condition can also be caused by incorrect packets sent by the IPsec peer.</P><P>Note: This can also be an attack.</P><P> </P><P>Resolution</P><P> </P><P> </P><P>The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.</P><P>For more information about PIX Firewall syslog messages, refer to Cisco PIX Firewall System Log Messages, Version 6.3 and Cisco Security Appliance System Log Messages, Version 7.0.</P></BODY></HTML> Thu, 15 Oct 2009 23:33:14 GMT https://community.cisco.com/t5/network-security/2-firewall-and-1-cisco-router/m-p/1344685#M947596 asafayan 2009-10-15T23:33:14Z https://community.cisco.com/t5/network-security/2-firewall-and-1-cisco-router/m-p/1344686#M947597 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>As I told you, there are 2 firewalls behind the router, both has as default GW routers ip, 192.168.157.254. If I change the firewall's LAN ip from 192.168.157.252 to 192.168.157.251 it works... if router is switched off same error.. changing the ip and solution.</P><P></P><P></P><P>what's happening?</P><P></P><P>Sorry about this late response...I was ill</P><P></P><P>Best regards</P></BODY></HTML> Sat, 31 Oct 2009 20:27:48 GMT https://community.cisco.com/t5/network-security/2-firewall-and-1-cisco-router/m-p/1344686#M947597 edgar-quintana 2009-10-31T20:27:48Z