04-03-2019 02:50 PM - edited 02-21-2020 09:36 PM
Hi all,
I deployed DMVPN using GRE over IPsec. This is my first DMVPN deployment. The tunnel IPs can also ping each other. When I use "sh crypto ikev2 sa" the state is READY, and "sh crypto ipsec" is also Active/Active. DMVPN is also up. When I ping from a spoke1 host to a spoke2 host, the ping test is successful, but I get the message below. Let me know what this message means. Does it mean my tunnel is running without encryption, i.e. that only the GRE tunnel is working?
000073: *Apr 1 02:57:33.515: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.1.1.2, prot=50, spi=0x56F02A78(1458580088), srcaddr=2.1.2.4, input interface=Tunnel0
04-03-2019 03:01 PM - edited 04-03-2019 03:12 PM
Hi,
One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device encrypts traffic with SAs that its peer does not know about. It might only be a transient condition that is present at the same time as the IPsec rekey where one peer might start to use the new SA while the peer device is not quite ready to use the same SA. This is normally not a problem, as it is only temporary and would only affect a few packets.
Do you receive these errors regularly?
Check the output of "show crypto ipsec sa" on both routers, and confirm encaps|decaps are increasing; this will confirm that traffic is being encrypted.
HTH
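A way to automate the check suggested above, added here as an example and not part of the thread or of Cisco's tooling: it parses two "show crypto ipsec sa" snapshots taken a few seconds apart and reports whether #pkts encaps/decaps are rising, and it parses the %CRYPTO-4-RECVD_PKT_INV_SPI line to tell whether the rejected SPI is one the receiving router holds as an inbound SA. The snapshots are constructed in the IOS layout (only the addresses and the 0x56F02A78 SPI come from the thread; the other SPIs and counter values are made up), and the function names are my own.

```python
import re

# Fields this check relies on, from IOS "show crypto ipsec sa" output and the
# CRYPTO-4-RECVD_PKT_INV_SPI syslog format quoted in the question.
SPI_RE = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)


def parse_ipsec_sa(text):
    """Summarise one snapshot: packet counters plus the ESP SPIs held per direction."""
    summary = {"encaps": 0, "decaps": 0, "inbound": set(), "outbound": set()}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if m := ENCAPS_RE.search(s):
            summary["encaps"] += int(m.group(1))
        elif m := DECAPS_RE.search(s):
            summary["decaps"] += int(m.group(1))
        elif s.startswith("inbound esp sas"):
            section = "inbound"
        elif s.startswith("outbound esp sas"):
            section = "outbound"
        elif s.startswith(("inbound ah", "inbound pcp", "outbound ah", "outbound pcp")):
            section = None  # AH/PCP sections are not tracked here
        elif section and (m := SPI_RE.search(s)):
            summary[section].add(int(m.group(1), 16))
    return summary


def traffic_is_flowing(before, after):
    """Both counters must rise between snapshots for traffic to be using the SAs."""
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    return {"encaps_delta": d_enc, "decaps_delta": d_dec,
            "encrypting": d_enc > 0, "decrypting": d_dec > 0}


def parse_inv_spi_syslog(line):
    """Pull destaddr, srcaddr, protocol and SPI out of the RECVD_PKT_INV_SPI message."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    return {"dst": m.group("dst"), "src": m.group("src"),
            "prot": int(m.group("prot")), "spi": int(m.group("spi"), 16)}


def spi_is_known(syslog_line, local_snapshot):
    """True if the SPI the router rejected is one of its own inbound ESP SPIs."""
    ev = parse_inv_spi_syslog(syslog_line)
    return ev is not None and ev["spi"] in local_snapshot["inbound"]


def stale_peer_spis(local_snapshot, peer_snapshot):
    """SPIs the peer sends with (its outbound) that this router has no inbound SA
    for; a non-empty set is the out-of-sync condition behind the syslog message."""
    return peer_snapshot["outbound"] - local_snapshot["inbound"]


def make_snapshot(local, peer, encaps, decaps, in_spi, out_spi):
    """Build a constructed "show crypto ipsec sa" excerpt in IOS layout (sample data)."""
    return f"""interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr {local}
   current_peer {peer} port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
     inbound esp sas:
      spi: 0x{in_spi:08X}({in_spi})
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x{out_spi:08X}({out_spi})
     outbound ah sas:
     outbound pcp sas:
"""


# Constructed inputs: the syslog line from the question, two snapshots from the
# receiving router (198.1.1.2) a few seconds apart, and two states of its peer.
SYSLOG = ("000073: *Apr 1 02:57:33.515: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC "
          "packet has invalid spi for destaddr=198.1.1.2, prot=50, spi=0x56F02A78(1458580088), "
          "srcaddr=2.1.2.4, input interface=Tunnel0")
LOCAL_T0 = parse_ipsec_sa(make_snapshot("198.1.1.2", "2.1.2.4", 120, 115, 0x11112222, 0x33334444))
LOCAL_T1 = parse_ipsec_sa(make_snapshot("198.1.1.2", "2.1.2.4", 150, 140, 0x11112222, 0x33334444))
PEER_STALE = parse_ipsec_sa(make_snapshot("2.1.2.4", "198.1.1.2", 90, 88, 0x33334444, 0x56F02A78))
PEER_SYNCED = parse_ipsec_sa(make_snapshot("2.1.2.4", "198.1.1.2", 95, 92, 0x33334444, 0x11112222))

if __name__ == "__main__":
    print("counters:", traffic_is_flowing(LOCAL_T0, LOCAL_T1))
    print("rejected SPI known locally:", spi_is_known(SYSLOG, LOCAL_T1))
    print("peer SPIs we cannot decrypt:", [hex(s) for s in stale_peer_spis(LOCAL_T1, PEER_STALE)])
    print("after resync:", stale_peer_spis(LOCAL_T1, PEER_SYNCED))
```

If the counters rise on both routers and the rejected SPI only shows up around rekey time, the message is the transient condition described above; if a peer's outbound SPI stays absent from the other side's inbound list across several snapshots, the SAs are genuinely out of sync.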
04-04-2019 06:14 PM - edited 04-04-2019 06:38 PM
04-05-2019 05:26 AM
Hi,
As mentioned, this is a common issue with IPsec, but actually it is not an issue. It is a security feature. Did you implement Phase2 or Phase3 DMVPN?
Also, check for both end phase1 and Phase2 timers and Keepalive configuration at all sites.
04-08-2019 01:34 AM