Participant

DMVPN using GRE over IPSec message

Hi all,

I deployed DMVPN using GRE over IPSec. This is my first DMVPN deployment. The tunnel IPs can also ping each other. When I use sh crypto ikev2 sa it is READY, and sh crypto ipsec is also Active/Active. DMVPN is also up. When I ping from the spoke1 host to the spoke2 host, the ping test is successful, but I got the message below. Let me know what the message below means. Does it mean my tunnel is running without encryption? Does it mean only the GRE tunnel works?

 


000073: *Apr 1 02:57:33.515: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.1.1.2, prot=50, spi=0x56F02A78(1458580088), srcaddr=2.1.2.4, input interface=Tunnel0

1 Accepted Solution

RJI
VIP Advisor

Re: DMVPN using GRE over IPSec message

Hi,
One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device encrypts traffic with SAs that its peer does not know about. It might only be a transient condition that is present at the same time as the IPsec rekey where one peer might start to use the new SA while the peer device is not quite ready to use the same SA. This is normally not a problem, as it is only temporary and would only affect a few packets.


Do you receive these errors regularly?

Check the output of "show crypto ipsec sa" on both routers, and confirm encaps|decaps are increasing; this will confirm that traffic is being encrypted.

HTH
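
The check suggested in this answer, as an added example that is not part of the original thread: compare the encaps/decaps counters from two captures of "show crypto ipsec sa" and pull the peer and SPI out of the %CRYPTO-4-RECVD_PKT_INV_SPI message. The SA excerpt and its counter values are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed excerpt of "show crypto ipsec sa" (sample data, not from the thread).
SA_TEMPLATE = """
   current_peer 2.1.2.4 port 500
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
"""
SNAP_1 = SA_TEMPLATE.format(enc=120, dec=118)   # first capture
SNAP_2 = SA_TEMPLATE.format(enc=185, dec=181)   # second capture, taken later

# The syslog line quoted in the question.
LOG = ("000073: *Apr 1 02:57:33.515: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd "
       "IPSEC packet has invalid spi for destaddr=198.1.1.2, prot=50, "
       "spi=0x56F02A78(1458580088), srcaddr=2.1.2.4, input interface=Tunnel0")

def sa_counters(text):
    """Return {peer: {'encaps': n, 'decaps': n}} from the command output."""
    result, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            peer = m.group(1)
            result.setdefault(peer, {"encaps": 0, "decaps": 0})
        for name, value in re.findall(r"#pkts (encaps|decaps): (\d+)", line):
            if peer:
                result[peer][name] += int(value)  # sum when a peer has several SAs
    return result

def encrypting_peers(before, after):
    """Map each peer to True when encaps and decaps both grew between captures."""
    old, new = sa_counters(before), sa_counters(after)
    return {p: all(new[p][k] > old.get(p, {}).get(k, 0)
                   for k in ("encaps", "decaps")) for p in new}

def parse_inv_spi(line):
    """Extract destaddr, prot, spi and srcaddr from an INV_SPI message, or None."""
    if "%CRYPTO-4-RECVD_PKT_INV_SPI" not in line:
        return None
    fields = dict(re.findall(r"(destaddr|prot|spi|srcaddr)=([^,\s(]+)", line))
    fields["spi"] = int(fields["spi"], 16)
    return fields

if __name__ == "__main__":
    print(encrypting_peers(SNAP_1, SNAP_2))
    print(parse_inv_spi(LOG))
```

Counting the parsed messages per srcaddr over time shows whether they are occasional or continuous for a given peer.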


4 Replies
Participant

Re: DMVPN using GRE over IPSec message

Hi,

Not regularly, only sometimes.

In the output of "show crypto ipsec sa" on both routers, encaps|decaps are increasing.

VIP Advocate

Re: DMVPN using GRE over IPSec message

Hi,

As mentioned, this is a common issue with IPSec, but actually this is not an issue. It is a security feature. Did you implement Phase 2 or Phase 3 DMVPN?

Also, check the Phase 1 and Phase 2 timers at both ends and the keepalive configuration at all sites.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
Participant

Re: DMVPN using GRE over IPSec message

Hi,

I used Phase 3 DMVPN.
