invalid spi

bjornarsb · ‎09-24-2006

IP tunnel that traverse an IPsec tunnel.

I guess that might result in bogus packets?

Sep 24 13:19:12.464 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.2, prot=50, spi=0x7117FCD1(1897397457), srcaddr=x.x.x.16

regards bjornarsb

ajagadee · ‎09-24-2006

Bjornar,

%CRYPTO-4-RECVD_PKT_INV_SPI : decaps: rec'd IPSEC packet has invalid spi for destaddr=[IP_address], prot=[dec], spi=[hex]([int]), srcaddr=[IP_address]

Explanation An IPSec packet was received that specified an SPI that does not exist in the SADB. This may be a temporary condition because of slight differences in aging of SAs between the IPSec peers, or this condition might be caused by local SAs that have been cleared. This condition may also be caused by bogus packets that were sent by the IPSec peer. Under some circumstances this would be considered a hostile event.

Recommended Action If the local SAs have been cleared, the peer may not be aware of this condition. In this case, if a new connection is established from the local router, the two peers may reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer administrator.

Let me know if it helps.

Regards,

Arul

bjornarsb · ‎09-24-2006

ok, but I wondered if IP tunnel over IPsec tunnel could result in bogus packets ?

m-haddad · ‎09-25-2006

Which IOS version do you have? I used to have this kind of problem and it turned to be a bug in the 12.4(5) version.

PLease rate of the post help,

Regards,

bjornarsb · ‎09-25-2006

System image file is "flash:c2800nm-adventerprisek9-mz.124-8.bin"

m-haddad · ‎09-26-2006

It is a deffered version. You have to upgrade your IOS. The problem should be resolved after that.

Please rate if I could help,

Thanks,

Regards,