Strange Log on Catalyst 4500 L3 Switch

naveen98
Level 1

Dear All,

We have a C4500 switch running IOS-XE in our environment and nearly 30 customers using this L3 switch as a gateway to access the internet. We are receiving the below log on our switch without having made any config changes to it. Also, there are no IPSec tunnels terminating at the switch, but some of the above-mentioned customers are using IPSec in their environments. Kindly support us in identifying this log.

VLAN 165 is the VLAN that this switch is using to connect to our (ISP) internet gateway. The destination addresses that appear in the logs are our customers' public IPs.

Nov 20 04:31:53.818 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.175, prot=50, spi=0x2D0C0000(755761152), srcaddr=202.113.98.96, input interface=Vlan165
Nov 20 11:25:44.778 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.0, prot=50, spi=0xAC370000(2889285632), srcaddr=14.226.65.120, input interface=Vlan165
Nov 20 16:48:20.360 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.169, prot=50, spi=0x32D30000(852688896), srcaddr=208.102.92.10, input interface=Vlan165
Nov 21 08:31:53.157 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.175, prot=50, spi=0xA9630000(2841837568), srcaddr=14.226.65.120, input interface=Vlan165

5 Replies

balaji.bandi
Hall of Fame

Looks to me like some kind of attack, if this is connected to a public IP, or some other device randomly sending this information (check, maybe one of the devices is vulnerable, as I guess).

BB


The best solution is using an ACL applied to the interface: deny all IPsec traffic and allow the rest.

It's an ISP issue, not yours.

M02@rt37
VIP

Hello @naveen98

The log messages you're seeing indicate that the Catalyst 4500 switch has received IPsec packets with invalid SPI values for a specific destination address. The SPI is used to uniquely identify and manage multiple security associations for IPsec communication.

Since the destination addresses mentioned in the logs are public IPs, is it possible to contact the customers using those public IPs? They might have insights into any changes or issues on their end....

If the destination is unknown from your side... possible attack?

Best regards

jjassies
Level 1

Funny enough, we have been having the same issue on a customer router we manage. The router is only used as a DSL termination point and is running no VPN tunnels. Exactly the same IP address and a couple of others.

*Nov 16 15:51:57.172: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x528D0000(1384972288), srcaddr=202.113.98.96, input interface=Dialer2
*Nov 17 03:04:03.715: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x8CC10000(2361458688), srcaddr=202.113.98.96, input interface=Dialer2
*Nov 18 19:20:58.655: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x5770000(91684864), srcaddr=14.226.65.120, input interface=Dialer1
*Nov 21 05:20:59.651: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x4B3C0000(1262223360), srcaddr=14.226.65.120, input interface=Dialer1
*Nov 21 22:13:52.308: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x9C620000(2623668224), srcaddr=14.226.65.120, input interface=Dialer1
*Nov 22 21:25:17.606: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x1D400000(490733568), srcaddr=208.102.92.10, input interface=Dialer1
*Nov 24 11:16:58.812: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x81C80000(2177368064), srcaddr=14.226.65.120, input interface=Dialer1

Also thinking about configuring an ACL on the router to block this. We have also been having issues with this exact router being unreachable. It correlates roughly with the time of these logs, but we have yet to find a clear cause.

Klaas80
Level 1

We also see these logging entries, dozens of them. We have various IP subnets on the router, which all appear in the destaddr.

Nov 27 01:36:05.892: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x8030000(134414336), srcaddr=208.102.92.10, input interface=x
Nov 27 05:09:27.767: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xBDC00000(3183476736), srcaddr=14.226.65.120, input interface=x
Nov 27 07:58:46.829: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x22370000(574029824), srcaddr=14.226.65.120, input interface=x
Nov 27 09:02:19.604: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x43580000(1129840640), srcaddr=14.226.65.120, input interface=x
Nov 27 11:20:35.512: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x7EF80000(2130182144), srcaddr=14.226.65.120, input interface=x
Nov 27 21:18:35.835: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x67B00000(1739587584), srcaddr=14.226.65.120, input interface=x
Nov 27 22:21:01.674: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x9C160000(2618687488), srcaddr=14.226.65.120, input interface=x
Nov 28 01:26:38.456: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x45890000(1166606336), srcaddr=208.102.92.10, input interface=x
Nov 28 01:33:40.396: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xB7410000(3074490368), srcaddr=14.226.65.120, input interface=x
Nov 28 08:02:10.595: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xB8D70000(3101097984), srcaddr=14.226.65.120, input interface=x
Nov 28 08:55:28.354: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xABE20000(2883715072), srcaddr=14.226.65.120, input interface=x
Nov 29 01:40:45.632: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x24910000(613482496), srcaddr=14.226.65.120, input interface=x
Nov 29 09:16:31.634: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x352F0000(892272640), srcaddr=14.226.65.120, input interface=x
Nov 29 12:39:44.812: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x64E50000(1692729344), srcaddr=14.226.65.120, input interface=x
Nov 29 18:10:25.856: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x7C2E0000(2083389440), srcaddr=14.226.65.120, input interface=x
Nov 29 18:34:56.261: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xB1A10000(2980118528), srcaddr=14.226.65.120, input interface=x

I've seen these logging entries from the beginning of November, with various source addresses. Perhaps some sort of attack is going on.
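Three independent devices in this thread report the same `%CRYPTO-4-RECVD_PKT_INV_SPI` message from the same handful of source addresses. Before reaching for a blanket `deny esp` ACL (which would also break the customers who legitimately run IPsec through this gateway), a defender would want to parse the syslog export, count hits per source, list which destinations each source has touched, and check for a fingerprint that distinguishes this traffic from a customer's genuinely misconfigured tunnel. The parser below is an added example and not from the original thread or from Cisco; the sample input is a subset of the lines quoted above plus one constructed unrelated syslog line to show filtering. One observation it tests, taken from the lines posted in this thread, is that every reported SPI has its low 16 bits clear, which is what you would expect from a scanner or a spoofed stream rather than from a real SA whose SPI was negotiated at random.

```python
import re
from collections import Counter, defaultdict

# Body of the IOS %CRYPTO-4-RECVD_PKT_INV_SPI message, with the field order seen in
# this thread. "prot=50,spi=" (no space after the comma) also occurs on the
# router logs, so the field separator is ",\s*". Nothing else is assumed about
# the timestamp prefix, which varies between the devices posted here.
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[^,]+),\s*prot=(?P<prot>\d+),\s*"
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\),\s*"
    r"srcaddr=(?P<src>[^,]+),\s*input interface=(?P<ifname>\S+)"
)

# Sample input: four lines quoted from the original post, one from jjassies's
# router (destination masked as x.x.x.x by the poster), and one constructed,
# unrelated IOS message that the parser must ignore.
SAMPLE_LINES = [
    "Nov 20 04:31:53.818 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.175, prot=50, spi=0x2D0C0000(755761152), srcaddr=202.113.98.96, input interface=Vlan165",
    "Nov 20 11:25:44.778 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.0, prot=50, spi=0xAC370000(2889285632), srcaddr=14.226.65.120, input interface=Vlan165",
    "Nov 20 16:48:20.360 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.169, prot=50, spi=0x32D30000(852688896), srcaddr=208.102.92.10, input interface=Vlan165",
    "Nov 21 08:31:53.157 LKT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=103.227.245.175, prot=50, spi=0xA9630000(2841837568), srcaddr=14.226.65.120, input interface=Vlan165",
    "*Nov 16 15:51:57.172: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50,spi=0x528D0000(1384972288), srcaddr=202.113.98.96, input interface=Dialer2",
    "Nov 21 09:00:00.000 LKT: %SYS-5-CONFIG_I: Configured from console by vty0",  # constructed, not this message
]


def parse_line(line):
    """Return the fields of one invalid-SPI event, or None if the line is another message."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    spi = int(m.group("spi"), 16)
    # The decimal value in parentheses must agree with the hex value; a mismatch
    # means a truncated or mangled line, which we drop rather than miscount.
    if spi != int(m.group("spi_dec")):
        return None
    return {
        "dst": m.group("dst"),
        "src": m.group("src"),
        "prot": int(m.group("prot")),
        "spi": spi,
        "ifname": m.group("ifname"),
    }


def summarize(lines):
    """Aggregate events: hits per source, destinations seen per source, and the
    SPI fingerprint (how many SPIs have their low 16 bits clear)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    per_src = Counter(e["src"] for e in events)
    dsts_per_src = defaultdict(set)
    for e in events:
        dsts_per_src[e["src"]].add(e["dst"])
    return {
        "total": len(events),
        "per_src": dict(per_src),
        "dsts_per_src": {s: sorted(d) for s, d in dsts_per_src.items()},
        "spi_low16_zero": sum(1 for e in events if e["spi"] & 0xFFFF == 0),
        "esp_only": all(e["prot"] == 50 for e in events),  # 50 = ESP
    }


def repeat_sources(summary, min_hits=2):
    """Sources seen at least min_hits times, most frequent first (ties by address)."""
    ranked = sorted(summary["per_src"].items(), key=lambda kv: (-kv[1], kv[0]))
    return [src for src, n in ranked if n >= min_hits]


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"{s['total']} invalid-SPI events, ESP only: {s['esp_only']}, "
          f"SPIs with low 16 bits zero: {s['spi_low16_zero']}/{s['total']}")
    for src in repeat_sources(s):
        print(f"  {src}: {s['per_src'][src]} hits, destinations {s['dsts_per_src'][src]}")
```

Run against the full syslog export rather than this sample, the `repeat_sources` list is what you would scope a per-host `deny esp` entry to, and `dsts_per_src` tells you whether a source is sweeping your whole prefix (as Klaas80 reports) or hitting one customer address. If `spi_low16_zero` stops matching `total`, the traffic no longer fits the pattern seen in this thread and is worth a fresh look before assuming it is the same thing.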
