Core issue
The Cisco VPN Client receives the Invalid SPI size error message in its log file while initiating an IPSec tunnel with the VPN Server.
The message is sent to the VPN Client only in these instances:
- The remote VPN Server becomes inoperative.
- One of the VPN devices is completely reset, and it loses its Internet Key Exchange (IKE) Security Association (SA) with the other peer.
- The VPN Server is misconfigured (in the definition of the NAT, the IP address pool and the VPN group name).
Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE INVALID SPI NOTIFY message to the VPN device which initiated the VPN. This notification is sent using the IKE SA. If there is no IKE SA available, the VPN Server drops the packet.
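The behaviour described above, modelled as an added example that is not from the original page or from Cisco: a peer that cannot find an SA for an inbound ESP packet either builds an INVALID-SPI notification or drops the packet, depending on whether an IKE SA exists. The constants follow the IKEv1 RFCs (2407 and 2408); the `Peer` class, the SPI-size check in the parser and the sample packet are assumptions made for illustration.

```python
import struct

# Constants from RFC 2407/2408 (IKEv1); not taken from the original page.
IPSEC_DOI = 1
PROTO_ISAKMP, PROTO_AH, PROTO_ESP = 1, 2, 3
INVALID_SPI = 11  # ISAKMP notify message type INVALID-SPI
VALID_SPI_SIZES = {PROTO_ISAKMP: range(17), PROTO_AH: (4,), PROTO_ESP: (4,)}
HDR = struct.Struct("!BBHIBBH")  # next payload, reserved, length, DOI, proto, SPI size, type


def build_notify(proto, spi, msg_type=INVALID_SPI, data=b""):
    """Serialize an ISAKMP Notification payload (RFC 2408)."""
    length = HDR.size + len(spi) + len(data)
    return HDR.pack(0, 0, length, IPSEC_DOI, proto, len(spi), msg_type) + spi + data


def parse_notify(payload):
    """Parse a Notification payload; reject an SPI size that does not fit the protocol."""
    if len(payload) < HDR.size:
        raise ValueError("truncated notification payload")
    _, _, length, doi, proto, spi_size, msg_type = HDR.unpack_from(payload)
    if length != len(payload) or HDR.size + spi_size > length:
        raise ValueError("bad payload length")
    if spi_size not in VALID_SPI_SIZES.get(proto, ()):
        raise ValueError(f"invalid SPI size {spi_size} for protocol {proto}")
    end = HDR.size + spi_size
    return {"doi": doi, "proto": proto, "type": msg_type,
            "spi": payload[HDR.size:end], "data": payload[end:]}


class Peer:
    """Hypothetical model of one VPN device's SA state."""
    def __init__(self):
        self.ipsec_sas = set()   # inbound ESP SPIs this peer still knows
        self.ike_sa_up = False   # True while an IKE SA with the sender exists

    def receive_esp(self, packet):
        """Return ('deliver', None), ('notify', payload) or ('drop', None)."""
        spi = packet[:4]         # an ESP header starts with the 4-byte SPI
        if len(spi) < 4:
            return "drop", None  # too short to be ESP
        if spi in self.ipsec_sas:
            return "deliver", None
        if self.ike_sa_up:       # the notify is sent using the IKE SA
            return "notify", build_notify(PROTO_ESP, spi)
        return "drop", None      # no IKE SA available: drop the packet

# Constructed sample ESP packet: SPI, sequence number, opaque payload.
SAMPLE_ESP = bytes.fromhex("c0ffee01" "00000007") + b"\x00" * 16
```

A device that was completely reset corresponds to a `Peer` with an empty `ipsec_sas` set and `ike_sa_up` left at `False`, which is the case where the sender gets no notification at all.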
Resolution
Check the VPN Client configuration parameters, such as the IPSec configuration (crypto maps and transform set), the IP address pool configuration and the NAT configuration on the VPN Server.
If you use RSA certificates instead of preshared keys, select ISAKMP Identity Hostname instead of ISAKMP Identity address.
If the VPN Server is a PIX Firewall, make sure that you have issued the sysopt connection command on the PIX.
Ensure that you have enabled NAT-T if there is any NAT/PAT device between the VPN Client and the VPN Server.
If the problem persists, create a new VPN group with the same attributes in the VPN Server, and try to connect using the VPN Client.