Cisco ASR - Service Instance Crypto errors

Hi,

I recently encountered an issue with a relatively simple config on a Cisco ASR920: we are simply bridging a service instance on one port to another port (which is working).

However, we are getting crypto errors on the ASR920 for traffic that is inside the bridge, but the router does not have a bridge interface, so I am confused as to why it is even inspecting packets.

The below is repeated every minute, and appears to be a VRRP instance on the customer's network:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=224.0.0.18, prot=51, spi=0xA00000E(167772174), srcaddr=10.0.0.14, input interface=TenGigabitEthernet0/0/24

Is anyone able to shed light on what is causing the router to inspect this traffic?

interface TenGigabitEthernet0/0/24
 mtu 9216
 no ip address
 service instance 100 ethernet
  encapsulation dot1q 100
  rewrite ingress tag pop 1 symmetric
  bridge-domain 100
 !
 service instance 999 ethernet
  encapsulation default
 !
 service instance 3801 ethernet
  description Te1/1
  encapsulation dot1q 3801
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3801
 !
end

Bridge-domain 3801 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 300 second(s)
Maximum address limit: 16000
    GigabitEthernet0/0/10 service instance 3801
    TenGigabitEthernet0/0/24 service instance 3801

   Nile Mac Address Entries

   BD    mac addr        type     ports
   ----------------------------------------------------------------------------------------------
   3801  0000.5e00.0129  DYNAMIC  Te0/0/24.Efp3801

Thanks
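As an added triage example (not code from this thread or from Cisco), the script below parses the %CRYPTO-4-RECVD_PKT_INV_SPI message format shown above and separates the transit-VRRP pattern (destination 224.0.0.18 with IP protocol 51, i.e. a VRRPv2 hello carrying AH authentication) from unicast AH/ESP events that would indicate a real SA mismatch on the router. The sample log lines, the unicast addresses and the second interface name are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Field pattern of the %CRYPTO-4-RECVD_PKT_INV_SPI message quoted in the thread.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=0x(?P<spi_hex>[0-9A-Fa-f]+)"
    r"\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+), input interface=(?P<intf>\S+)"
)

VRRP_MCAST = ip_address("224.0.0.18")  # all-VRRP-routers multicast group
IP_PROTO_AH = 51                       # IPsec Authentication Header (VRRPv2 auth type 2)
IP_PROTO_ESP = 50

def parse_inv_spi(line):
    """Return the message fields as a dict, or None if the line is not this message."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    # The message prints the SPI twice; a disagreement means the line was mangled in transit.
    if int(f["spi_hex"], 16) != int(f["spi_dec"]):
        raise ValueError("hex and decimal SPI disagree: " + line)
    return {"dst": ip_address(f["dst"]), "src": ip_address(f["src"]),
            "prot": int(f["prot"]), "spi": int(f["spi_dec"]), "intf": f["intf"]}

def classify(fields):
    """Label one event so bridged VRRP noise can be filtered from real IPsec SPI mismatches."""
    if fields["dst"] == VRRP_MCAST and fields["prot"] == IP_PROTO_AH:
        return "vrrp-ah-transit"      # customer VRRP hello with AH auth, not a tunnel on this box
    if fields["dst"].is_multicast:
        return "multicast-other"
    if fields["prot"] in (IP_PROTO_AH, IP_PROTO_ESP):
        return "ipsec-spi-mismatch"   # unicast AH/ESP: peer SA out of sync or unexpected sender
    return "unknown"

def triage(lines):
    """Count events by (class, source, interface) so noise and real mismatches stand apart."""
    counts = Counter()
    for line in lines:
        fields = parse_inv_spi(line)
        if fields:
            counts[(classify(fields), str(fields["src"]), fields["intf"])] += 1
    return counts

# Constructed sample: two copies of the thread's message plus one unicast ESP event.
SAMPLE_LOG = [
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=224.0.0.18, prot=51, spi=0xA00000E(167772174), srcaddr=10.0.0.14, input interface=TenGigabitEthernet0/0/24",
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=224.0.0.18, prot=51, spi=0xA00000E(167772174), srcaddr=10.0.0.14, input interface=TenGigabitEthernet0/0/24",
    "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=203.0.113.7, input interface=GigabitEthernet0/0/1",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/0/10, changed state to up",
]
```

Run `triage(SAMPLE_LOG)` to get a counter whose keys show the VRRP hellos from 10.0.0.14 on Te0/0/24 as transit noise and the unicast ESP event as a mismatch worth checking.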

2 Replies

Giuseppe Larosa
Hall of Fame

Hello @jamesitsolutions

As an initial note:

224.0.0.18 is associated with VRRP Hello messages that are bridged over your service instance. Protocol 51 may be the AH protocol; 50 should be ESP.

Hope to help

Giuseppe

Thanks for the response. I am aware it is VRRP traffic, but my question is more as to why this ASR is even looking at the traffic, as the traffic is forwarding through two ports as a bridge (e.g. all layer 2).