RV34X Series

Oleh_SB
Level 1

Hello.

There is a main Cisco ISR 4331 router in the data center, and branch offices connect to it over IPsec VPN tunnels from Cisco RV042, Cisco RV340 and Cisco RV345 routers (there are many such sites). In the Cisco ISR 4331 logs I see many errors like this: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=15.18.24.26, prot=50, spi=0x5DF97706(1576630022), srcaddr=17.21.13.3, input interface=GigabitEthernet0/0/0.

I see this error only on tunnels from the RV34X series! What is the problem and how do I fix it?

6 Replies

Hello.

The message means that one side of the IPsec tunnel received a packet with an invalid SPI. The SPI (Security Parameter Index) identifies the packet's SA (security association), which holds the information needed to process the encrypted traffic. This message usually indicates that the peers' SAs are out of sync, which sometimes happens when an SA expires and is re-established.

To force the SAs to resynchronize manually, enter the commands «clear crypto isakmp» and «clear crypto sa». In addition, you can add the command

«crypto isakmp invalid-spi-recovery» <-- on the ISR 4331

to the routers' global configuration. This makes the routers notify each other when this error is received, which should start the resynchronization process automatically.

I tried entering these commands, «clear crypto isakmp» and «clear crypto sa». Result: 80% of the tunnels came back up normally, another 15% with a long delay, and 5% had to be reconnected manually. These errors still appear in the ISR 4331 logs.

I will try «crypto isakmp invalid-spi-recovery».

How many routers do you have?

We have 36 routers connecting over tunnels to a single ISR 4331 (RV042: 30 units, RV340: 4 units, RV345: 2 units).

«crypto isakmp invalid-spi-recovery» <-- on the ISR 4331

No miracle happened: the errors keep appearing in the logs.

A piece of the log from 3 hours:

*Nov 9 11:43:22.207: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:44:24.609: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:45:25.618: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:46:41.277: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:47:45.567: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:48:57.329: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:49:57.721: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:51:13.379: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:23.462: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:30.143: %CRYPTO-4-IKMP_NO_SA: IKE message from 81.126.135.20 has no SA and is not an initialization offer
*Nov 9 11:57:24.464: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:58:28.472: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:59:32.394: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:00:34.481: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:01:38.486: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:03:04.128: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:04:04.504: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:05:20.168: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:06:20.538: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:07:04.173: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 81.126.135.20
*Nov 9 12:07:36.190: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:08:04.442: %CRYPTO-4-IKMP_NO_SA: IKE message from 81.126.135.20 has no SA and is not an initialization offer
*Nov 9 12:08:36.553: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:09:52.196: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:10:52.568: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:12:08.193: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:13:08.543: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:14:24.181: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:15:24.539: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:16:40.162: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:17:40.533: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:18:51.843: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:19:56.508: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:21:12.140: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:22:12.484: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:23:28.132: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:24:28.498: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:25:44.117: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:26:44.471: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:28:45.453: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:29:45.811: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:31:01.462: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:32:01.826: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
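
An added example, not part of the thread: a Python sketch that groups `%CRYPTO-4-RECVD_PKT_INV_SPI` drops by peer and SPI and lists the IKE errors per peer, so it is visible how long each unknown SPI stays in use and when the peer switches to a new one. The function names are assumptions, the sample lines are copied from the log above, and the year 2000 is a placeholder because the log timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample lines copied from the log excerpt posted above.
SAMPLE = """\
*Nov 9 11:43:22.207: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:51:13.379: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:23.462: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:30.143: %CRYPTO-4-IKMP_NO_SA: IKE message from 81.126.135.20 has no SA and is not an initialization offer
*Nov 9 12:07:04.173: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 81.126.135.20
*Nov 9 12:07:36.190: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
"""

TS = r"\*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
INV_SPI = re.compile(TS + r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?spi=(0x[0-9A-Fa-f]+)"
                          r"\((\d+)\), srcaddr=([\d.]+)")
IKE = re.compile(TS + r"%CRYPTO-\d-(IKMP_\w+): .*?(\d+\.\d+\.\d+\.\d+)")

def parse_ts(text):
    # The log omits the year; 2000 is a placeholder so deltas can be computed.
    return datetime.strptime("2000 " + " ".join(text.split()), "%Y %b %d %H:%M:%S.%f")

def summarize(log_text):
    """Group invalid-SPI drops by (peer, SPI); collect IKE errors per peer."""
    spis, ike = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = INV_SPI.search(line)
        if m:
            ts, spi_hex, spi_dec, peer = m.groups()
            if int(spi_hex, 16) != int(spi_dec):
                continue  # hex and decimal forms disagree: damaged line, skip
            t = parse_ts(ts)
            s = spis.setdefault((peer, spi_hex), {"count": 0, "first": t, "last": t})
            s["count"] += 1
            s["last"] = t
        elif (m := IKE.search(line)):
            ike[m.group(3)].append(m.group(2))
    for s in spis.values():
        # How long the peer kept sending on an SPI this router has no SA for.
        s["seconds"] = (s["last"] - s["first"]).total_seconds()
    return spis, dict(ike)

if __name__ == "__main__":
    spis, ike = summarize(SAMPLE)
    for (peer, spi), s in spis.items():
        print(f"{peer} {spi}: {s['count']} drops over {s['seconds']:.0f}s")
    for peer, events in ike.items():
        print(f"{peer} IKE errors: {', '.join(events)}")
```
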
