cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
192
Views
0
Helpful
1
Replies
Highlighted
Beginner

IPSEC SPI Errors at NAT-T

Hi all,

 

I have had a fun time trying to get a IPSec Tunnel up between two companies. The remote end is behind a PAT device so they are using NAT-T. 

To successfully bring up the tunnel, I had to match both the public IP and the Phase 1 ID received from the device its self (which was a different IP). 

After working through some issues, we have the tunnel up and staying up (they had PFS active and I didn't).

Now before and after these PFS changes I am still getting the following log messages - 

 

 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=17, spi=0xFFAAF7B7(4289394615), srcaddr=x.x.x.x

 

Reading the config is this just a sync problem? We have enabled DPD as well to ensure hosts are staying online. 

Thanks in advance,

 

Brad 

 

Everyone's tags (3)
1 REPLY 1
Cisco Employee

Brad, check out that "prot" ,

Brad, check out that "prot" , it's short for protocol. 

#17 is UDP. http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

You seem to be leaking in clear UDP packets.

Get a sniffer trace. If those are IKE packets - open a TAC case.