10-27-2011 10:53 PM - edited 03-04-2019 02:05 PM
Hi
I have an IPSec tunnel fluctuating between the UP-Active and UP-NO-IKE states, and the VPN drops.
In the logs I see the following:
RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=2xx.xx.x.x, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=1x.x.x.x
%CRYPTO-4-IKMP_NO_SA: IKE message from 1xx.xx.xx.xx has no SA and is not an initialization offer
Below is the output of sh crypto isakmp sa:
dst        src        state     conn-id  slot  status
1.x.x.x    2.x.x.x    QM_IDLE   19       0     ACTIVE
The status above changes as below after a few moments:
UAT-PEER#sh crypto isakmp sa
dst        src        state         conn-id  slot  status
1.x.x.x    2.x.x.x    MM_NO_STATE   19       0     ACTIVE (deleted)
I could ping the peer outside the VPN fine.
Can anyone please help me understand what could be causing the above?
Regards,
Sandip
Labels: Routing Protocols
Accepted Solutions
10-28-2011 02:02 AM
When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one.
One possible way to resolve this issue is to apply isakmp keepalive.
10-28-2011 12:36 AM
Can you please paste your configuration from both sides?
10-30-2011 04:05 PM
Hi Hristea,
Thanks, it was indeed a strange connectivity issue.
Though I could traceroute and ping from the firewall without any drops, it showed drops when I pinged through the VPN.
Pinging each IP individually along the route revealed the IP that was causing the issue, and rerouting via the path through the ISP resolved it.
Thanks
Sandip
10-28-2011 10:32 AM
Hi,
What are the two devices that connect? I had an issue between a Cisco and a Checkpoint... some IOS bug. Also, are your packets traversing a NAT? Turn on IPsec debugging. The issue may be related to connectivity between the two sites. According to the log, the device was not able to identify the SPI (which is a unique identifier of an IPsec SA). When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one. Thus, when the device received the packet, the SPI didn't match.
One possible way to resolve this issue is to apply isakmp keepalive. With this command enabled, the device will keep polling the VPN peer at the interval you configured with the command "isakmp keepalive".
Hope this helps.
---
Posted by WebUser Ionut Hristea
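As an added example (not from the thread or any of its posters), here is how a defender monitoring router syslog could pick out the two message types quoted in the original post and correlate them the way the explanation above suggests: a peer whose ESP keeps arriving with an SPI this side does not hold, and whose IKE messages find no ISAKMP SA, shows the signature of one side having rekeyed while the other kept the old SA. The log lines, timestamps and addresses below are constructed; only the message formats are taken from the thread. The function names and the threshold of two invalid-SPI events are choices made for this example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on the two message types quoted
# in the original post. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Oct 27 22:40:01.123: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=198.51.100.20
Oct 27 22:40:02.456: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.20 has no SA and is not an initialization offer
Oct 27 22:40:11.789: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x80AA1F1E(2158632734), srcaddr=198.51.100.20
Oct 27 22:40:12.001: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.20 has no SA and is not an initialization offer
Oct 27 22:41:30.500: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=203.0.113.10, prot=50, spi=0x1C2D3E4F(472727119), srcaddr=192.0.2.77
"""

# Field layout follows the two messages quoted in the thread.
INV_SPI_RE = re.compile(
    r"RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), srcaddr=(?P<src>[\d.]+)"
)
NO_SA_RE = re.compile(r"IKMP_NO_SA: IKE message from (?P<src>[\d.]+) has no SA")


def parse_crypto_events(text):
    """Turn raw syslog text into a list of event dicts, one per matching line.
    Lines that are neither message type are ignored."""
    events = []
    for line in text.splitlines():
        m = INV_SPI_RE.search(line)
        if m:
            spi = int(m["spi"], 16)
            # IOS prints the SPI twice (hex and decimal); refuse a line where they disagree.
            if spi != int(m["spi_dec"]):
                raise ValueError(f"inconsistent SPI fields in line: {line}")
            events.append({"type": "invalid_spi", "peer": m["src"],
                           "local": m["dst"], "proto": int(m["prot"]), "spi": spi})
            continue
        m = NO_SA_RE.search(line)
        if m:
            events.append({"type": "no_sa", "peer": m["src"]})
    return events


def find_stale_sa_peers(events, min_invalid_spi=2):
    """Return {peer: [unknown SPIs]} for peers showing the one-sided SA loss
    pattern: repeated ESP with an SPI this side does not hold, plus IKE
    traffic that matched no ISAKMP SA. A single invalid SPI from a peer
    (e.g. one late packet after a normal rekey) does not qualify."""
    unknown_spis = defaultdict(set)
    invalid_count = defaultdict(int)
    no_sa_count = defaultdict(int)
    for e in events:
        if e["type"] == "invalid_spi":
            unknown_spis[e["peer"]].add(e["spi"])
            invalid_count[e["peer"]] += 1
        else:
            no_sa_count[e["peer"]] += 1
    return {
        peer: sorted(unknown_spis[peer])
        for peer in unknown_spis
        if invalid_count[peer] >= min_invalid_spi and no_sa_count[peer] > 0
    }


if __name__ == "__main__":
    evs = parse_crypto_events(SAMPLE_LOG)
    for peer, spis in find_stale_sa_peers(evs).items():
        print(f"peer {peer}: ESP arriving with SPI(s) {[hex(s) for s in spis]} "
              f"that this side does not hold, and IKE with no matching SA")
```

Run against the constructed log, only 198.51.100.20 is reported (the 192.0.2.77 entry is a single stray packet with no accompanying IKE failure). A hit on a peer is the moment to check both remedies named in this thread: ISAKMP keepalives (dead peer detection), so the side still holding the stale SA notices the peer is gone, and the "crypto isakmp invalid-spi-recovery" command mentioned later in the thread, which lets the receiving router signal the mismatch to the peer instead of silently dropping its traffic.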
10-28-2011 10:33 AM
When the two devices completed establishing a LAN-to-LAN VPN, the SPI was 100. Due to an unknown reason (such as connectivity), one of the devices decided to drop the VPN and started to create a new one (a new IPsec SA means a new SPI), whereas the other one wasn't aware of the issue and kept the old one.
One possible way to resolve this issue is to apply isakmp keepalive.
---
Posted by WebUser Ionut Hristea

10-31-2011 12:18 AM
Dear Sandip,
You can also use the "crypto isakmp invalid-spi-recovery" command.
Regards,
Ranjit
