CRYPTO-4-RECVD_PKT_INV_SPI causing outage between connections

Gambo8807 · ‎08-07-2023

CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.10, prot=50, spi=0x12C68E18(315002392), srcaddr=x.x.x.9, input interface=GigabitEthernet0/0/5

Hello all,

This is the error we are currently battling. The link this issue is happing on is GigabitEthernet0/0/3. We have been trying to resolve this for some time now with no luck. When this happens, this problem is resolved by doing a "shut, not shut" on GigabitEthernet0/0/3, which fixes it immediately however, it occurs every 8-12 hours. We have tried the SPI recovery command, and it is still persistent.

Things to note:

All configurations on both of the routers match (for IPSEC)

All timers match

We are using static routes for the entire network (requirement)

Dan Frey · ‎08-07-2023

Do you have isakmp keepalives or DPD turned on?

Gambo8807 · ‎08-08-2023

Hello Dan,

Running through the commands I am not seeing this enabled, is this something that we have isakmp profiles to enable? Or is this a global command that we are able to use? Currently, we are not using profiles.

Thank you for the help, I really appreciate it.

Dan Frey · ‎08-08-2023

If you are using isakmp commands then you are using IKEv1 and this can be deployed from global config "crypto isakmp keepalive 10 2". I would start by turning on keepalives and see if the problem persists or not. place this command on each device that is running ikev1/ipsec.

Gambo8807 · ‎08-09-2023

Thanks for the info Dan,

We tried that this morning and unfortunately, that did not resolve the issue at hand.