10-04-2024 12:54 AM - edited 10-04-2024 12:57 AM
hi,
I am getting CRYPTO-4-RECVD_PKT_INV_SPI messages for some peers I have (IKEv2/VTI). If I understand it correctly it is normal and makes my side generate a new SPI? The problem is that it looks like the other side generates a new SPI before the lifetime expires, and that looks strange to me. The other side is Azure
br
10-04-2024 12:58 AM
can I see
show crypto session detail
show crypto isakmp sa detail
MHM
10-04-2024 01:08 AM
router#sh crypto ikev2 sa fvrf PARTNER_ER
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
221 aaaaaaaaaa/500 AAAAAAAA/500 PARTNER_ER/PARTNER_FW READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 27000/24973 sec
Tunnel-id Local Remote fvrf/ivrf Status
71 aaaaaaaaaa/500 BBBBBBBB/500 PARTNER_ER/PARTNER_FW READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 27000/16250 sec
IPv6 Crypto IKEv2 SA
router#sh crypto session fvrf PARTNER_ER detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN
Interface: TU1
Profile: PARTNER_IKEV2_PROFILE
Uptime: 06:56:29
Session status: UP-ACTIVE
Peer: AAAAAAAA port 500 fvrf: PARTNER_ER ivrf: PARTNER_FW
Phase1_id: AAAAAAAA
Desc: (none)
Session ID: 834
IKEv2 SA: local aaaaaaaaaa/500 remote AAAAAAAA/500 Active
Capabilities:D connid:221 lifetime:00:33:31
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 33472730 drop 0 life (KB/Sec) 4419209/7 hours, 13 mins
Outbound: #pkts enc'ed 79695623 drop 0 life (KB/Sec) 1814091/7 hours, 13 mins
Interface: TU2
Profile: PARTNER_IKEV2_PROFILE
Uptime: 04:31:06
Session status: UP-ACTIVE
Peer: BBBBBBBB port 500 fvrf: PARTNER_ER ivrf: PARTNER_FW
Phase1_id: BBBBBBBB
Desc: (none)
Session ID: 852
IKEv2 SA: local aaaaaaaaaa/500 remote BBBBBBBB/500 Active
Capabilities:D connid:71 lifetime:02:58:54
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 504876997 drop 0 life (KB/Sec) 4513073/7 hours, 26 mins
Outbound: #pkts enc'ed 822617509 drop 0 life (KB/Sec) 1867566/7 hours, 26 mins
10-04-2024 01:12 AM
IKEv2 is OK
both tunnels are UP-ACTIVE
check the routing, I think you have asymmetric routing
MHM
10-04-2024 01:16 AM
why do you think it is asymmetric? Everything is working fine .... I just would like to explain the CRYPTO-4-RECVD_PKT_INV_SPI messages that I see every 5 or 6 minutes.
br
10-04-2024 01:20 AM
CRYPTO-4-RECVD_PKT_INV_SPI <<- this message means the VTI received an invalid SPI, so why does the remote peer send an invalid SPI?
two things make this issue:
A- asymmetric routing
B- you don't use a tunnel key with VTI
MHM
10-09-2024 11:06 AM
if I change the lifetimes on the ipsec/ikev2 profile, will the new values come up after the next rekey or do I have to clear the SAs?
10-09-2024 11:09 AM
Next time, not at the rekey of phase 2 but when phase 1 re-establishes.
MHM
10-09-2024 12:19 PM
well ... the new ipsec lifetimes are not applied after manually clearing the ikev2/ipsec sa. The new ikev2 lifetime is applied ok
10-09-2024 12:33 PM
Do both peers use the same lifetime?
If not, then the lifetime of the initiator peer will be used.
MHM
10-09-2024 12:40 PM
irrelevant ... the new values are applied after I removed the ipsec profile from the vti interface and put it back
10-10-2024 12:24 AM
it looks like these invalid spi errors are the result of both peers having the same lifetime settings
10-10-2024 12:32 AM
But the lifetime is a value agreed by both peers.
I.e. each peer does not use a different lifetime.
The only thing that makes the lifetime affect the SA is using a lifetime in kbytes, not time.
In this case, if one peer sends more traffic than the other, then its lifetime can end quickly, before the remote peer's lifetime ends.
MHM
10-10-2024 12:40 AM
it looks like each peer has both lifetimes of its own. By using different lifetimes you avoid the simultaneous rekey situation and these invalid spi events ... I guess
10-10-2024 12:42 AM
Can you access both peers?
If yes
show crypto ipsec sa
Check the lifetime on both peers.
MHM