IPSEC packet has invalid spi

cciesec2011
Level 3

I have a very simple LAN-2-LAN between two Cisco routers running IOS version 12.4(15)T8 as follows:

RouterA:

crypto isakmp key test123 address 4.2.97.15 no-xauth

crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400

no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac

crypto map vpn 10 ipsec-isakmp
set peer 4.2.97.15
set security-association lifetime seconds 3600
set transform-set tset
set pfs group5
match address vpn

interface FastEthernet0/0
ip address 207.15.205.15 255.255.255.0
speed 100
full-duplex
crypto map vpn

ip access-list extended vpn
permit ip 129.174.15.0 0.0.0.255 129.174.16.0 0.0.0.255


RouterB:
crypto isakmp key test123 address 207.15.205.15 no-xauth

crypto isakmp policy 1
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 86400

no crypto ipsec nat-transparency udp-encapsulation
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac

crypto map vpn 10 ipsec-isakmp
set peer 207.15.205.15
set security-association lifetime seconds 3600
set transform-set tset
set pfs group5
match address vpn

interface FastEthernet0/0
ip address 4.2.97.15 255.255.255.0
speed 100
full-duplex
crypto map vpn

ip access-list extended vpn
permit ip 129.174.16.0 0.0.0.255 129.174.15.0 0.0.0.255

Every now and then I am seeing this message in the log file:

Jul 27 00:25:20.603: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd
IPSEC packet has invalid spi for destaddr=207.15.205.15, prot=50,
spi=0x681E0955(1746798933), srcaddr=4.2.97.15.

Why am I seeing this message? The VPN peer between the two routers is very stable without any errors.

I've asked several CCIE consultant folks and none of them is able to provide me with a satisfactory answer regarding this message.

Anyone know why?  Thanks in advance.
