EzVPN Error

Hello,

We have an EzVPN server configured on our Cisco ISR and everything was working fine for the last few months. But recently I got an error from the server as below:

Dec  6 02:52:49.948: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=153.x.x.x, prot=50, spi=0xE42B394(239282372), srcaddr=132.x.x.x, input interface=GigabitEthernet0/1

Dec  6 02:52:54.616: %CRYPTO-4-IKMP_NO_SA: IKE message from 132.x.x.x has no SA and is not an initialization offer


The messages are being logged very frequently while the remote user connects the VPN. Please help me on this.

Regards,

Tony

http://yadhutony.blogspot.com

Accepted Solutions

- Are these error messages cosmetic, or are they making any performance impact? Ideally they should be cosmetic.

- Have you recently made any changes on the device which could have triggered this issue?

The issue is seen when the SA which is responsible for decryption is invalid. A potential reason could be that the SA on the decryption side has aged out slightly before the encryption resulting in the IPSec packet carrying an invalid SPI.

The "IKE" module, which serves as a checkpoint in the IPSec session, recognizes the "Invalid SPI" situation. The IKE module then sends an "Invalid Error" message to the packet-receiving peer so that synchronization of the security association databases (SADBs) of the two peers can be attempted. As soon as the SADBs are resynchronized, packets are no longer dropped. It is usually a temporary condition.

Please make sure that these commands are set.

- crypto isakmp invalid-spi-recovery

- crypto ipsec df-bit clear

- crypto ipsec fragmentation before-encryption

Make sure to set the last two commands only during off-production hours, as they will tear the tunnels down for a moment.

If the issue is still seen, then check whether you have any crypto modules available on the router and whether they are throwing any errors as well. Ideally, configuring the commands alone should fix the issue if the error messages are only cosmetic.

Regards,

Anuj
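
A way to tell from the router log whether the condition described in the answer above is the brief, temporary kind or is persisting for a particular peer, as an added example that is not part of the original thread. The sample lines are constructed, and the `summarize` function and its `transient_secs` threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format quoted in the question
# (documentation-range addresses, not from a real device).
SAMPLE_LOG = """\
Dec  6 02:52:49.948: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7, input interface=GigabitEthernet0/1
Dec  6 02:52:51.200: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7, input interface=GigabitEthernet0/1
Dec  6 02:52:54.616: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.7 has no SA and is not an initialization offer
Dec  6 03:10:00.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x5F3A91C2(1597673922), srcaddr=203.0.113.20, input interface=GigabitEthernet0/1
Dec  6 03:15:00.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x5F3A91C2(1597673922), srcaddr=203.0.113.20, input interface=GigabitEthernet0/1
Dec  6 03:20:00.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x5F3A91C2(1597673922), srcaddr=203.0.113.20, input interface=GigabitEthernet0/1
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:.]+): %CRYPTO-4-(RECVD_PKT_INV_SPI|IKMP_NO_SA): (.*)$")
INV_SPI = re.compile(r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<peer>[^,\s]+)")
NO_SA = re.compile(r"IKE message from (?P<peer>\S+)")

def summarize(log, transient_secs=120):
    """Per-peer summary; transient_secs is an assumed threshold, not a Cisco value."""
    peers = defaultdict(lambda: {"inv_spi": 0, "no_sa": 0, "spis": set(), "times": []})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, mnemonic, rest = m.groups()
        hit = (INV_SPI if mnemonic == "RECVD_PKT_INV_SPI" else NO_SA).search(rest)
        if not hit:
            continue
        peer = hit.group("peer")
        if mnemonic == "RECVD_PKT_INV_SPI":
            peers[peer]["inv_spi"] += 1
            peers[peer]["spis"].add(hit.group("spi").lower())
        else:
            peers[peer]["no_sa"] += 1
        # The lines carry no year; a fixed one is assumed so deltas can be computed.
        peers[peer]["times"].append(datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S.%f"))
    report = {}
    for peer, p in peers.items():
        span = (max(p["times"]) - min(p["times"])).total_seconds()
        # A short burst matches the "temporary condition" case; a long span does not.
        report[peer] = {"inv_spi": p["inv_spi"], "no_sa": p["no_sa"], "spis": sorted(p["spis"]),
                        "span_secs": span, "persistent": span > transient_secs}
    return report

if __name__ == "__main__":
    for peer, row in summarize(SAMPLE_LOG).items():
        print(peer, row)
```

A peer that keeps sending the same SPI well past the threshold is still encrypting with an SA the router no longer holds, which is the case worth following up after the commands above are in place.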


Can anyone help me on this? I still haven't found a possible solution for this.

Regards,

Tony

http://yadhutony.blogspot.com


Hello Anuj,

Thank you for the reply.

The error seems to be cosmetic since it is not making any major performance impact. Also, I haven't made any changes to the machine; it started coming all of a sudden. So let me try the commands and let you know the outcome.

Regards,

Tony

http://yadhutony.blogspot.com


You're welcome.

Feel free to revert if the issue persists.

Regards,

Anuj


Hello Anuj,

The issue got resolved. Thank you for your support.

Regards,

Tony

http://yadhutony.blogspot.com
