ipsec wrong spi CRYPTO-4-RECVD_PKT_INV_SPI

hi,

 

I am getting CRYPTO-4-RECVD_PKT_INV_SPI messages for some peers I have (IKEv2/VTI). If I understand it correctly, it is normal and makes my side generate a new SPI? The problem is that it looks like the other side generates a new SPI before the lifetime expires, and that looks strange to me. The other side is Azure.

 

br


Can I see:

show crypto session detail

show crypto isakmp sa detail

MHM

router#sh crypto ikev2 sa fvrf PARTNER_ER
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
221 aaaaaaaaaa/500 AAAAAAAA/500 PARTNER_ER/PARTNER_FW READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 27000/24973 sec

Tunnel-id Local Remote fvrf/ivrf Status
71 aaaaaaaaaa/500 BBBBBBBB/500 PARTNER_ER/PARTNER_FW READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 27000/16250 sec

IPv6 Crypto IKEv2 SA

router#sh crypto session fvrf PARTNER_ER detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN

Interface: TU1
Profile: PARTNER_IKEV2_PROFILE
Uptime: 06:56:29
Session status: UP-ACTIVE
Peer: AAAAAAAA port 500 fvrf: PARTNER_ER ivrf: PARTNER_FW
Phase1_id: AAAAAAAA
Desc: (none)
Session ID: 834
IKEv2 SA: local aaaaaaaaaa/500 remote AAAAAAAA/500 Active
Capabilities:D connid:221 lifetime:00:33:31
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 33472730 drop 0 life (KB/Sec) 4419209/7 hours, 13 mins
Outbound: #pkts enc'ed 79695623 drop 0 life (KB/Sec) 1814091/7 hours, 13 mins

Interface: TU2
Profile: PARTNER_IKEV2_PROFILE
Uptime: 04:31:06
Session status: UP-ACTIVE
Peer: BBBBBBBB port 500 fvrf: PARTNER_ER ivrf: PARTNER_FW
Phase1_id: BBBBBBBB
Desc: (none)
Session ID: 852
IKEv2 SA: local aaaaaaaaaa/500 remote BBBBBBBB/500 Active
Capabilities:D connid:71 lifetime:02:58:54
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 504876997 drop 0 life (KB/Sec) 4513073/7 hours, 26 mins
Outbound: #pkts enc'ed 822617509 drop 0 life (KB/Sec) 1867566/7 hours, 26 mins

 

IKEv2 is OK.
Both tunnels are UP-ACTIVE.
Check the routing; I think you have asymmetric routing.
MHM

Why do you think it is asymmetric? Everything is working fine... I just would like an explanation of the CRYPTO-4-RECVD_PKT_INV_SPI messages that I see every 5 or 6 minutes.

 

br

CRYPTO-4-RECVD_PKT_INV_SPI <- this message means the VTI received an invalid SPI, so why does the remote peer send an invalid SPI?
Two things cause this issue:
A- asymmetric routing
B- you don't use a tunnel key with the VTI

MHM

If I change the lifetimes on the IPsec/IKEv2 profile, will the new values take effect after the next rekey, or do I have to clear the SAs?

Next time, not at the phase 2 rekey but when phase 1 re-establishes.

MHM

 

Well... the new IPsec lifetimes are not applied after manually clearing the IKEv2/IPsec SA. The new IKEv2 lifetime is applied OK.

Do both peers use the same lifetime?

If not, then the lifetime of the initiator peer will be used.

MHM

Irrelevant... the new values are applied after I removed the IPsec profile from the VTI interface and put it back.

It looks like these invalid SPI errors are the result of both peers having the same lifetime settings.

But the lifetime is a value agreed by both peers.

I.e., it is not the case that each peer uses a different lifetime.

The only thing that makes the lifetime affect the SA is using a lifetime in kbytes rather than time.

In that case, if one peer sends more traffic than the other, its lifetime can end quickly, before the remote peer's lifetime ends.

MHM

It looks like each peer has both lifetimes of its own. By using different lifetimes you avoid the simultaneous-rekey situation and these invalid SPI events... I guess.

Can you access both peers?

If yes:

show crypto ipsec sa

Check the lifetime on both peers.

MHM
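The thread never settles whether each invalid SPI is one the router used to have (an inbound SA it already deleted, so the peer is still sending on the old child SA after a rekey) or one it never installed (a child SA the peer negotiated that never landed locally, or traffic arriving on the wrong path). That distinction, plus whether the events land on a timer, is what separates the "lifetime/rekey" explanation from the "asymmetric routing" one. The script below is an added example, not code from the thread or from Cisco: it parses CRYPTO-4-RECVD_PKT_INV_SPI syslog lines, measures the gaps between events per peer, and labels each SPI against an inventory of inbound SPIs scraped from `show crypto ipsec sa`. The message field layout in the regex, the sample log, and the SPI inventory dictionaries are all constructed for the example; verify the field order against your own syslog before relying on it.

```python
"""Triage CRYPTO-4-RECVD_PKT_INV_SPI events against the inbound SPIs this router has
actually installed.  Added example, not code from the thread or from Cisco."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed message layout (verify against your own syslog; only the spi= and srcaddr=
# fields matter to the logic below).
INV_SPI_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)[^%]*%CRYPTO-4-RECVD_PKT_INV_SPI: "
    r"decaps: rec'd IPSEC packet has invalid spi for destaddr=(?P<dst>[\d.]+), "
    r"prot=(?P<prot>\d+), spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)

# Constructed sample log: one peer (198.51.100.10) hitting us about every 5 minutes on
# a different SPI each time, plus one stray event from another peer.
SAMPLE_LOG = """\
Mar 14 10:02:11: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x4A1B2C3D(1243294781), srcaddr=198.51.100.10, input interface=GigabitEthernet0/0/0
Mar 14 10:07:11: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x7D7D0001(2105344001), srcaddr=198.51.100.10, input interface=GigabitEthernet0/0/0
Mar 14 10:12:11: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x0BADF00D(195948557), srcaddr=198.51.100.10, input interface=GigabitEthernet0/0/0
Mar 14 10:15:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x00000001(1), srcaddr=203.0.113.5, input interface=GigabitEthernet0/0/0
Mar 14 10:17:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x9F00AA11(2667620881), srcaddr=198.51.100.10, input interface=GigabitEthernet0/0/0
Mar 14 10:22:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x55AA55AA(1437226410), srcaddr=198.51.100.10, input interface=GigabitEthernet0/0/0
Mar 14 10:27:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x4A1B2C3D(1243294781), srcaddr=198.51.100.10, input interface=GigabitEthernet0/0/0
"""

# Constructed inbound-SPI inventory, as you would collect it by scraping the
# "inbound esp sas: spi: 0x..." lines of 'show crypto ipsec sa' on a schedule.
ACTIVE_INBOUND = {"198.51.100.10": {"0x9f00aa11"}}                              # latest snapshot
HISTORIC_INBOUND = {"198.51.100.10": {"0x4a1b2c3d", "0x7d7d0001", "0x9f00aa11"}}  # union of earlier ones


def parse_inv_spi(text):
    """One dict per INV_SPI line: ts (datetime), dst, prot, spi (lower-case hex), src."""
    events = []
    for line in text.splitlines():
        m = INV_SPI_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
        d["spi"] = d["spi"].lower()
        events.append(d)
    return events


def intervals_by_peer(events):
    """Seconds between consecutive events from the same srcaddr, in log order."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e["src"]].append(e["ts"])
    return {peer: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for peer, ts in by_peer.items()}


def looks_periodic(intervals, tolerance=0.15):
    """True when every gap sits within +/-tolerance of the median gap: a timer
    (rekey or lifetime expiry) rather than random loss or a one-off reboot."""
    if len(intervals) < 2:
        return False
    med = sorted(intervals)[len(intervals) // 2]
    return all(abs(i - med) <= tolerance * med for i in intervals)


def classify(events, active, history):
    """Label each event against the inbound SPIs from 'show crypto ipsec sa'.
    active: {peer: set(spi)} from the latest snapshot; history: the same shape,
    union of all earlier snapshots."""
    out = []
    for e in events:
        peer, spi = e["src"], e["spi"]
        if spi in active.get(peer, ()):
            label = "installed"        # SA exists: suspect prot/destaddr/VRF mismatch, not rekey
        elif spi in history.get(peer, ()):
            label = "stale"            # we deleted this inbound SA; peer kept sending on it
        else:
            label = "never-installed"  # peer has a child SA we never negotiated, or wrong path
        out.append((e["ts"].strftime("%H:%M:%S"), peer, spi, label))
    return out


if __name__ == "__main__":
    evs = parse_inv_spi(SAMPLE_LOG)
    for row in classify(evs, ACTIVE_INBOUND, HISTORIC_INBOUND):
        print(*row)
    for peer, gaps in intervals_by_peer(evs).items():
        print(peer, gaps, "periodic" if looks_periodic(gaps) else "irregular")
```

Read the output together: a peer whose events are periodic and mostly "stale" is still transmitting on SPIs this router has already torn down, which points at the two sides' rekey timing; a peer whose SPIs are "never-installed" and arrive irregularly is more consistent with traffic that never belonged to a negotiated child SA, which is where the routing check in the thread applies. Feed it your real syslog and a cron-collected SPI history rather than the constructed sample.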
