08-07-2023 10:55 AM
CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.10, prot=50, spi=0x12C68E18(315002392), srcaddr=x.x.x.9, input interface=GigabitEthernet0/0/5
Hello all,
This is the error we are currently battling. The link this issue is happening on is GigabitEthernet0/0/3. We have been trying to resolve this for some time now with no luck. When this happens, the problem is resolved by doing a "shut, not shut" on GigabitEthernet0/0/3, which fixes it immediately; however, it occurs every 8-12 hours. We have tried the SPI recovery command, and it is still persistent.
Things to note:
All configurations on both of the routers match (for IPSEC)
All timers match
We are using static routes for the entire network (requirement)
08-07-2023 03:43 PM
Do you have isakmp keepalives or DPD turned on?
08-08-2023 06:13 AM
Hello Dan,
Running through the commands, I am not seeing this enabled. Is this something that we have isakmp profiles to enable? Or is this a global command that we are able to use? Currently, we are not using profiles.
Thank you for the help, I really appreciate it.
08-08-2023 07:24 AM
If you are using isakmp commands then you are using IKEv1 and this can be deployed from global config "crypto isakmp keepalive 10 2". I would start by turning on keepalives and see if the problem persists or not. Place this command on each device that is running ikev1/ipsec.
08-09-2023 10:56 AM
Thanks for the info Dan,
We tried that this morning and unfortunately, that did not resolve the issue at hand.