TCC_2

Core issue

The received IPsec packet specifies a security parameters index (SPI) that does not exist in the security association database (SADB). This can be a temporary condition due to slight differences in the aging of security associations (SAs) between the IPsec peers or it can be due to the clearing of the local SAs. This condition can also be caused by incorrect packets sent by the IPsec peer.

Note: This can also be an attack.

Resolution

The peer may not acknowledge that the local SAs have been cleared. If a new connection is established from the local router, the two peers can then reestablish successfully. Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new connection or contact the peer's administrator.
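One way to separate the brief, self-correcting case from the persistent one described above is to group the logged events by SPI and measure how long each keeps appearing. This is an added example, not Cisco code; the log line layout, the sample lines, and both thresholds (`BRIEF_SECONDS`, `MANY_SPIS`) are assumptions to adapt to the device's actual messages.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout (constructed for this example): ISO timestamp, free text,
# then spi=<hex>. Adjust the regex to the device's real message text.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s.*\bspi=(?P<spi>0x[0-9a-fA-F]+)")

BRIEF_SECONDS = 120  # assumption: upper bound for "a brief period"
MANY_SPIS = 5        # assumption: distinct unknown SPIs worth escalating

# Constructed sample lines, not captured from a real device.
SAMPLE_LOG = """\
2024-01-01T10:00:00 invalid spi for destaddr=192.0.2.10, prot=esp, spi=0x1a2b3c4d
2024-01-01T10:00:05 invalid spi for destaddr=192.0.2.10, prot=esp, spi=0x0BADF00D
2024-01-01T10:00:20 invalid spi for destaddr=192.0.2.10, prot=esp, spi=0x1a2b3c4d
2024-01-01T10:00:45 invalid spi for destaddr=192.0.2.10, prot=esp, spi=0x1a2b3c4d
2024-01-01T10:01:00 unrelated message without the field
2024-01-01T10:03:00 invalid spi for destaddr=192.0.2.10, prot=esp, spi=0x0badf00d
2024-01-01T10:09:30 invalid spi for destaddr=192.0.2.10, prot=esp, spi=0x0badf00d
"""

def triage(log_text, brief=BRIEF_SECONDS, many=MANY_SPIS):
    """Return ({spi: 'transient'|'persistent'}, escalate_flag)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that carry no SPI
            seen[m["spi"].lower()].append(datetime.fromisoformat(m["ts"]))
    report = {}
    for spi, times in seen.items():
        span = (max(times) - min(times)).total_seconds()
        # Short-lived: SA aging skew or a local clear that resolved itself.
        # Long-lived: the peer still uses an SA the local side no longer has.
        report[spi] = "persistent" if span > brief else "transient"
    # Many different unknown SPIs points at malformed or hostile traffic
    # rather than one stale SA.
    escalate = len(seen) >= many
    return report, escalate

if __name__ == "__main__":
    verdicts, escalate = triage(SAMPLE_LOG)
    for spi, verdict in sorted(verdicts.items()):
        print(spi, verdict)
    print("escalate:", escalate)
```

A `persistent` verdict corresponds to the case where a new connection or a call to the peer's administrator is warranted; the escalation flag covers the incorrect-packet and attack possibilities noted under Core issue.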

For more information about PIX Firewall syslog messages, refer to Cisco PIX Firewall System Log Messages, Version 6.3 and Cisco Security Appliance System Log Messages, Version 7.0.
