router error clarification

aviens
Level 1

I currently have a working VPN configured using Cisco routers. I recently placed one of the routers, and now receive the following message on the other (non-new) router... "IKE message has no SA and is not an initialization offer." Can anyone explain what this is referring to?

The same router claims "received IPSEC packet has invalid SPI...". Again, clarification on this would be helpful.

Richard Burts
Hall of Fame

Both of the messages are indications that negotiation is not working correctly between the routers. The first message of

IKE message has no SA and is not an initialization offer

indicates that the router received an ISAKMP message but the message did not have a valid Security Association (SA). In this situation ISAKMP expects to start by sending an initialization offer but this packet is not an initialization offer.

The second message of

received IPSEC packet has invalid SPI

is similar but it deals with an IPSec packet instead of an ISAKMP packet. The term SPI stands for Security Parameter Index and is a way to identify which (of potentially many Security Associations) SA is being used for this tunnel. The error message indicates that an IPSec packet has been received but that the SPI inserted by the sender does not match any currently valid SAs on the receiving station.

I would suggest that you compare the configurations of the two routers very carefully, focusing especially on the parts of the IPSec configuration such as the crypto map parameters.

HTH

Rick
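
The two checks described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a simplified Python model of a receiver that looks up an ISAKMP message by its cookie pair and an ESP packet by its SPI. The function names, SA tables and sample packets are constructed for illustration; header layouts follow RFC 2408 (ISAKMP) and RFC 4303 (ESP).

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 fixed header, 28 bytes
ESP_HDR = struct.Struct("!II")             # RFC 4303: SPI, sequence number
ZERO_COOKIE = bytes(8)                     # responder cookie in the first phase 1 message

def classify_isakmp(packet, ike_sas):
    """ike_sas: set of (initiator_cookie, responder_cookie) pairs the receiver holds."""
    if len(packet) < ISAKMP_HDR.size:
        return "malformed"
    icookie, rcookie, _np, _ver, _xchg, _flags, _msgid, _len = ISAKMP_HDR.unpack_from(packet)
    if (icookie, rcookie) in ike_sas:
        return "matches existing SA"
    if rcookie == ZERO_COOKIE:
        # No state yet, but the peer is starting a new negotiation.
        return "initialization offer"
    # Peer refers to a negotiation this router has no record of.
    return "no SA and not an initialization offer"

def classify_esp(packet, inbound_spis):
    """inbound_spis: SPI values of the receiver's currently valid inbound IPsec SAs."""
    if len(packet) < ESP_HDR.size:
        return "malformed"
    spi, _seq = ESP_HDR.unpack_from(packet)
    return "valid SPI" if spi in inbound_spis else "invalid SPI"

def build_isakmp(icookie, rcookie, exchange_type):
    # Constructed sample: next payload 1 (SA), version 1.0, no flags, message ID 0.
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exchange_type, 0, 0, ISAKMP_HDR.size)

def demo():
    # Constructed receiver state: one IKE SA and one inbound IPsec SA.
    ike_sas = {(b"A" * 8, b"B" * 8)}
    inbound_spis = {0x1A2B3C4D}
    pad = b"\x00" * 16  # stand-in for encrypted ESP payload
    return [
        classify_isakmp(build_isakmp(b"A" * 8, b"B" * 8, 32), ike_sas),
        classify_isakmp(build_isakmp(b"C" * 8, ZERO_COOKIE, 2), ike_sas),
        classify_isakmp(build_isakmp(b"C" * 8, b"D" * 8, 32), ike_sas),
        classify_esp(ESP_HDR.pack(0x1A2B3C4D, 7) + pad, inbound_spis),
        classify_esp(ESP_HDR.pack(0xDEADBEEF, 1) + pad, inbound_spis),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third and fifth results correspond to the two log messages in the question: the sender is using a cookie pair or SPI for which the receiver holds no SA.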