The Cisco VPN Client receives the Invalid SPI size error message in its log file while initiating an IPSec tunnel with the VPN Server.
The message is sent to the VPN Client only in these instances:
The remote VPN Server becomes inoperative.
One of the VPN devices is completely reset, and it loses its Internet Key Exchange (IKE) Security Association (SA) with the other peer.
Misconfiguration in the VPN Server (misconfiguration in defining the NAT, IP address pool and the VPN group name).
Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE INVALID SPI NOTIFY message to the VPN device which initiated the VPN. This notification is sent using the IKE SA. If there is no IKE SA available, the VPN Server drops the packet.
Check VPN Client configuration parameters, such as IPSec configuration (crypto maps and transform set), IP address pool configuration and the NAT configuration on the VPN Server.
If you use RSA certificates instead of preshared keys, select ISAKMP Identity Hostname instead of ISAKMP Identity address.
If the VPN Server is a PIX Firewall, make sure that you have issued the sysopt connection command on the PIX. Ensure that you have enabled NAT-T if there is any NAT/PAT device in between the VPN Client and VPN Server.
If the problem persists, create a new VPN group with the same attributes in the VPN Server, and try to connect using the VPN Client.
We are trying to configure Cisco Phones with a VPN to connect to our VPN Cluster. We are using Cisco 8851 phones. We have 2 VPN clusters. One contains 6 ASAs and the other contains 3. Those are in geographically separated data cent...
Hi Team, I am trying to upgrade ISE from v2.4 to 2.7 currenlty and am stuck at an annoying part where I am unable to get upgrade bundle copied over from a Windows Server based SFTP repository to ISE local disk. The port 22 communication is...
Hi,I would like to ask for experts' opinion on how to address the following design scenario: We currently rely on Posture (Anyconnect based) for NAC via ISE for granting endpoint access to our network (per VPN as well as WLC based) based on a given s...
Hi guys,Running ACS v5.8 and created an admin account in the ReadOnlyAdmin role but when they try and login to web gui(https://<ip address>/acsadmin) they get Access Denied. If I make them a SuperUser they get on fine........any ideas for ReadOnlyAd...