07-26-2010 05:45 PM - edited 02-21-2020 04:45 PM
I have a very simple LAN-2-LAN between two cisco routers running IOS version 12.4(15)T8 as follows:
RouterA:
crypto isakmp key test123 address 4.2.97.15 no-xauth
crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
set peer 4.2.97.15
set security-association lifetime seconds 3600
set transform-set tset
set pfs group5
match address vpn
interface FastEthernet0/0
ip address 207.15.205.15 255.255.255.0
speed 100
full-duplex
crypto map vpn
ip access-list extended vpn
permit ip 129.174.15.0 0.0.0.255 129.174.16.0 0.0.0.255
RouterB:
crypto isakmp key test123 address 207.15.205.15 no-xauth
crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400
no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
set peer 207.15.205.15
set security-association lifetime seconds 3600
set transform-set tset
set pfs group5
match address vpn
interface FastEthernet0/0
ip address 4.2.97.15 255.255.255.0
speed 100
full-duplex
crypto map vpn
ip access-list extended vpn
permit ip 129.174.16.0 0.0.0.255 129.174.15.0 0.0.0.255
Every now and then I am seeing this message in the log file:
Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd
IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50,
spi=0x681E0955(1746798933), srcaddr=4.2.97.15.
Why am I seeing this message? The VPN peer between two router is very stable without any errors.
I've asked several ccie consultant folks and none of them is able to provide me with a satifactory answer regarding this message.
Anyone know why? Thanks in advance.