09-22-2009 05:43 AM - edited 03-04-2019 06:07 AM
Hi,
A Cisco 2811 is the VPN concentrator. For two days some users cannot connect to the device with EasyVPN Client.
We have issued the following commands and we discovered some errors.
I would like to know what these errors mean and what to do next.
Also, we have a lot of logging inputs like:
002922: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.xx.xx, prot=50, spi=0x9A5BD7FA(2589710330), srcaddr=yy.yy.yy.yy
002923: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.xx.xx, prot=50, spi=0x9A5BD7FA(2589710330), srcaddr=yy.yy.yy.yy
002924: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=1273, sequence number=7195
002925: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=1273, sequence number=9303
002926: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=1273, sequence number=13555
R1-VPN#sh crypto engine accelerator statistic
Errors:
ppq full errors : 1345 ppq rx errors : 0
no buffer : 0 replay errors : 474173
NR overflow : 0 pkts dropped : 1345
R1-VPN#sh crypto engine accelerator ring packet
Device: AIM-VPN/SSL-2
Location: AIM Slot: 0
DUMPING THE FIRST ENTRY IN TX, RX, RX POOL
R1-VPN#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Thanks
09-22-2009 08:36 AM
These can be caused by malformed packets or even IOS bugs.
To get to the bottom of the issue you have to work with the TAC.
09-22-2009 03:47 PM
There is a bug, CSCsv43145, which is a cosmetic issue. Is this impacting your traffic at all? If not, you can try a later version than 12.4(24)T1 to get rid of that error message.
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.xx.xx.xx, prot=50, spi=0x9A5BD7FA(2589710330), srcaddr=yy.yy.yy.yy
This message could also be coming on the other side of your VPN. If the other side is a Cisco router, do you have errors in the logs as well?
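Added example, not posted by anyone in this thread: a Python triage that tallies the two syslog messages quoted above, invalid-SPI drops per peer and SPI and replay failures per connection id, to show whether the errors concentrate on one tunnel. The sample log is constructed in the thread's format with placeholder addresses, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format quoted in this thread (placeholder addresses).
SAMPLE = """\
002922: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x9A5BD7FA(2589710330), srcaddr=198.51.100.7
002923: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x9A5BD7FA(2589710330), srcaddr=198.51.100.7
002924: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=1273, sequence number=7195
002925: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=1273, sequence number=9303
002926: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=1274, sequence number=13555
"""

INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(\S+)")
REPLAY_HDR = "%CRYPTO-4-PKT_REPLAY_ERR"
REPLAY_DETAIL = re.compile(r"connection id=(\d+), sequence number=(\d+)")


def triage(text):
    """Return (invalid-SPI count per (peer, spi), rejected sequence numbers per connection id)."""
    inv_spi = Counter()
    replay = defaultdict(list)
    awaiting_detail = False  # True when the previous line was a replay header
    for line in text.splitlines():
        spi = INV_SPI.search(line)
        if spi:
            inv_spi[(spi.group(2), spi.group(1).lower())] += 1
        detail = REPLAY_DETAIL.search(line)
        # The detail is either on the header line itself or on the line after it.
        if detail and (awaiting_detail or REPLAY_HDR in line):
            replay[int(detail.group(1))].append(int(detail.group(2)))
        awaiting_detail = REPLAY_HDR in line and not detail
    return inv_spi, dict(replay)


if __name__ == "__main__":
    inv_spi, replay = triage(SAMPLE)
    for (peer, spi), count in inv_spi.most_common():
        print(f"invalid SPI {spi} from {peer}: {count} packet(s)")
    for conn_id, seqs in sorted(replay.items()):
        print(f"connection {conn_id}: {len(seqs)} replay failure(s), seq {min(seqs)}..{max(seqs)}")
```

Run against logs from both ends of the tunnel, a single peer and SPI dominating the invalid-SPI count points at one stale security association rather than a general fault.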