11-03-2021 02:13 AM
Hello.
There is a main Cisco ISR 4331 router in the datacenter, and branch offices connect to it over IPsec VPN tunnels from Cisco RV042, Cisco RV340 and Cisco RV345 routers (there are many such sites). In the Cisco ISR 4331 logs I see many errors like this: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=15.18.24.26, prot=50, spi=0x5DF97706(1576630022), srcaddr=17.21.13.3, input interface=GigabitEthernet0/0/0.
I see this error only on tunnels from the RV34X series! What is the problem and how do I fix it?
11-03-2021 02:31 AM
Hello.
The message means that one side of the IPsec tunnel received a packet with an invalid SPI. The SPI (Security Parameter Index) is used to identify the packet's SA (Security Association), which holds the information needed to process the encrypted traffic. Usually this message indicates that the peers' SAs are out of sync, which sometimes happens when an SA expires and is re-established.
To force the SAs to resynchronize manually, enter the commands «clear crypto isakmp» and «clear crypto sa». In addition, you can add the command
«crypto isakmp invalid-spi-recovery» <-- on the ISR 4331
to the routers' global configuration. This makes the routers notify each other when this error is received, which should start the synchronization process automatically.
11-03-2021 06:37 AM
I tried entering these commands, «clear crypto isakmp» and «clear crypto sa». Result: 80% of the tunnels came back up normally, another 15% with a long delay, and 5% had to be reconnected manually. These errors are still appearing in the ISR 4331 logs.
I will try «crypto isakmp invalid-spi-recovery».
11-03-2021 01:42 PM
How many routers do you have?
11-04-2021 01:26 AM
We have 36 routers connecting over tunnels to one ISR 4331 (RV042: 30, RV340: 4, RV345: 2).
11-05-2021 12:38 AM
«crypto isakmp invalid-spi-recovery» <-- on the ISR 4331
No miracle happened: the errors keep appearing in the logs.
11-09-2021 04:56 AM
A piece of the log covering 3 hours:
*Nov 9 11:43:22.207: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:44:24.609: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:45:25.618: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:46:41.277: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:47:45.567: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:48:57.329: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:49:57.721: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:51:13.379: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:23.462: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:30.143: %CRYPTO-4-IKMP_NO_SA: IKE message from 81.126.135.20 has no SA and is not an initialization offer
*Nov 9 11:57:24.464: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:58:28.472: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:59:32.394: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:00:34.481: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:01:38.486: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:03:04.128: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:04:04.504: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:05:20.168: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:06:20.538: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:07:04.173: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 81.126.135.20
*Nov 9 12:07:36.190: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:08:04.442: %CRYPTO-4-IKMP_NO_SA: IKE message from 81.126.135.20 has no SA and is not an initialization offer
*Nov 9 12:08:36.553: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:09:52.196: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:10:52.568: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:12:08.193: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:13:08.543: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:14:24.181: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:15:24.539: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:16:40.162: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:17:40.533: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:18:51.843: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:19:56.508: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:21:12.140: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:22:12.484: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:23:28.132: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:24:28.498: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:25:44.117: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:26:44.471: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:28:45.453: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:29:45.811: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:31:01.462: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:32:01.826: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
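One way to summarize a log like the one above per peer and SPI, as an added example that is not part of the original thread: it counts the invalid-SPI messages for each (srcaddr, spi) pair, measures the interval between them, and lists the IKE messages logged for the same peer. The function names and the year 2021 (taken from the post dates, since the log lines carry no year) are assumptions; the sample input is a few lines copied from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: a few lines copied from the log posted above.
SAMPLE = """\
*Nov 9 11:49:57.721: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:51:13.379: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0xFE668DD2(4268133842), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:23.462: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:56:30.143: %CRYPTO-4-IKMP_NO_SA: IKE message from 81.126.135.20 has no SA and is not an initialization offer
*Nov 9 11:57:24.464: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 11:58:28.472: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=185.128.234.226, prot=50, spi=0x5C8BEA66(1552673382), srcaddr=81.126.135.20, input interface=GigabitEthernet0/0/0
*Nov 9 12:07:04.173: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 81.126.135.20
"""

TS = r"\*(\w{3}\s+\d+\s+\d+:\d+:\d+\.\d+):"
INV_SPI = re.compile(
    TS + r" %CRYPTO-4-RECVD_PKT_INV_SPI: .*?spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=([\d.]+)")
IKE = re.compile(TS + r" %CRYPTO-\d-(IKMP_\w+): .*?(\d+\.\d+\.\d+\.\d+)")

def _ts(stamp, year=2021):
    # IOS omits the year; 2021 is an assumption taken from the post dates.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")

def summarize(log):
    """Return {peer: {"spis": {spi: {count, mean_gap_s}}, "ike": [events]}}."""
    peers = defaultdict(lambda: {"spis": defaultdict(list), "ike": []})
    for line in log.splitlines():
        if m := INV_SPI.search(line):
            when, spi, src = m.groups()
            peers[src]["spis"][spi].append(_ts(when))
        elif m := IKE.search(line):
            when, event, peer = m.groups()
            peers[peer]["ike"].append(event)
    report = {}
    for peer, data in peers.items():
        spis = {}
        for spi, times in data["spis"].items():
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = round(sum(gaps) / len(gaps), 1) if gaps else None
            spis[spi] = {"count": len(times), "mean_gap_s": mean}
        report[peer] = {"spis": spis, "ike": data["ike"]}
    return report

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE).items():
        print(peer, dict(info["spis"]), info["ike"])
```

A single SPI repeating at a steady interval from one peer points at that peer still sending ESP under an SA the receiving router does not hold, which is the out-of-sync case described in the reply above.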