The Cisco VPN Client receives the Invalid SPI size error message in its log file while initiating an IPSec tunnel with the VPN Server.
The message is sent to the VPN Client only in these instances:
The remote VPN Server becomes inoperative.
One of the VPN devices is completely reset, and it loses its Internet Key Exchange (IKE) Security Association (SA) with the other peer.
The VPN Server is misconfigured (in the definition of the NAT, the IP address pool, or the VPN group name).
Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE INVALID SPI NOTIFY message to the VPN device which initiated the VPN. This notification is sent using the IKE SA. If there is no IKE SA available, the VPN Server drops the packet.
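To recognise this notification when reading decrypted IKE debug output, the sketch below decodes an ISAKMP Notification payload as laid out in RFC 2408 and flags notify type 11 (INVALID-SPI) together with an SPI Size field that does not fit the protocol. It is an added example, not Cisco code: the function name `parse_notify`, the sample bytes and the size check are assumptions for illustration and do not reproduce the VPN Client's own validation.

```python
import struct

INVALID_SPI = 11                               # notify message type, RFC 2408
PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP"}   # protocol IDs, RFC 2407
# AH and ESP SPIs are 4 bytes; for ISAKMP the SPI is the cookie pair (0 to 16 bytes).
VALID_SPI_SIZES = {1: range(0, 17), 2: (4,), 3: (4,)}


def parse_notify(payload: bytes) -> dict:
    """Decode one decrypted ISAKMP Notification payload, generic header included."""
    if len(payload) < 12:
        raise ValueError("truncated notification payload")
    # Next Payload, Reserved, Payload Length, DOI, Protocol-ID, SPI Size, Notify Type
    _next, _rsvd, length, doi, proto, spi_size, ntype = struct.unpack(
        "!BBHIBBH", payload[:12])
    if length < 12 or length > len(payload):
        raise ValueError("payload length field out of bounds")
    if 12 + spi_size > length:
        raise ValueError("SPI size runs past the end of the payload")
    return {
        "doi": doi,
        "protocol": PROTOCOLS.get(proto, f"unknown({proto})"),
        "notify_type": ntype,
        "is_invalid_spi": ntype == INVALID_SPI,
        "spi": payload[12:12 + spi_size].hex(),
        "spi_size_ok": spi_size in VALID_SPI_SIZES.get(proto, ()),
        "data": payload[12 + spi_size:length],
    }


# Constructed sample: INVALID-SPI notify for an ESP SA with SPI 0x1a2b3c4d.
SAMPLE_OK = bytes.fromhex("00000010" "00000001" "0304000b" "1a2b3c4d")
# Constructed sample: same notify, but a 2-byte SPI, which is not valid for ESP.
SAMPLE_BAD_SIZE = bytes.fromhex("0000000e" "00000001" "0302000b" "1a2b")

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("bad size", SAMPLE_BAD_SIZE)):
        print(name, parse_notify(raw))
```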
Check VPN Client configuration parameters, such as IPSec configuration (crypto maps and transform set), IP address pool configuration and the NAT configuration on the VPN Server.
If you use RSA certificates instead of preshared keys, select ISAKMP Identity Hostname instead of ISAKMP Identity address.
If the VPN Server is a PIX Firewall, make sure that you have issued the sysopt connection command on the PIX. Ensure that you have enabled NAT-T if there is any NAT/PAT device in between the VPN Client and VPN Server.
If the problem persists, create a new VPN group with the same attributes in the VPN Server, and try to connect using the VPN Client.