ASR1004 - IPSec error after ROMMON & IOS-XE Upgrade

Hi all,

after updating the ASR1004 Router to ROMMON 15.2(1r)S and IOS-XE 03.06.02.S, I get the following error messages:

%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:101 TS:00000059590688361391 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 5449

Does anybody know what's the matter with these errors?

Thanks in advance,

Norbert

Accepted Solutions

Marcin Latosiewicz
Cisco Employee

Norbert,

It means a packet was received which failed HMAC verification.

If you upgrade to a version containing this fix:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw69096

you will get more information about packets like this.

Marcin

Hi Marcin,

thanks a lot for your answer. I have found this Bug-ID too in the meantime ;-).

Sadly there is no fixed version available at this time... I will save the Bug-ID to my watchlist.

Thanks,

N.

Norbert,

I think it's something not populated properly in bug toolkit.

I just discussed this with people involved in committing the fix, they mentioned it should be available in 3.7.

Marcin

Hey Marcin,

thank you for this hint. Is this internal information only, since I cannot find anything related in the release notes... moreover I cannot find the release notes for 3.7.0S nor 3.6.2S ;-)

N.

Marcin,

thank you for the link. I only have looked via the Release Notes link in the download center and this link may not be up to date...

In the caveats section for 3.6.x or 3.7.0 there is no mention about the CSCtw69096 Bug ID.

I think it would be best to wait for 3.7.1 and see if the Bug is "officially" fixed in this version, isn't it?

N.

Norbert,

That's completely up to you, I think there is some problem with populating the fields.

Will check with guys on our side.

3.7.1 is still some time off ;-)

M.

Hi Marcin,

I have updated the box to 03.07.00.S, but there are still those error messages ;-(

004700: Aug 31 10:29:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0xD36837A4(3546822564), srcaddr=x.x.x.x, input interface=Tunnelxxx

Norbert,

Well if you look at the post which you marked as the one that helped you - I only mention that it gives more information about traffic causing this problem :-)

Regardless. Check if the SPI is a valid SPI under Tunnelxxx

show crypto ipsec sa interface tunnelxxx | i 0xD36837A4

Should give you the output... if the SPI is wrong - well most likely remote end sending traffic with wrong SPI.

If not it could be a problem with programming.

M.

Hi again,

I'm sorry, I have pasted the wrong error message ;-).

But for this message I have looked and the SPIs are identical for both ends (inbound to outbound, outbound to inbound).

The other old error message which is still there is:

004711: Aug 31 10:59:02: %IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:120 TS:00000038984716821310 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 3626, src_addr x.x.x.x, dest_addr x.x.x.x, SPI 0x3e92bee4

This "cosmetic" message should have been solved in 3.7, isn't it?

Thx,

N.

Norbert,

so they are identical and equal to

0x3e92bee4 ?

M.

The two error messages have nothing to do with each other I think.

Router A:

RouterA#sh crypto ipsec sa int Tunnelxxx | in spi

     current outbound spi: 0xF854D536(4166309174)

      spi: 0x3E92BEE4(1049804516)

      spi: 0xF854D536(4166309174)

Router B:

RouterB#sh crypto ipsec sa int Tunnelyyy | inc spi

     current outbound spi: 0x3E92BEE4(1049804516)

      spi: 0xF854D536(4166309174)

      spi: 0x3E92BEE4(1049804516)

SPIs match. And the same for the other error message.

Norbert,

Looks indeed cosmetic or an error while formulating error message.

Do you mind opening a TAC case so we can investigate?

M.
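
The SPI cross-check carried out by hand in this thread, as an added example that is not part of the original posts: it pulls the SPI out of a log line and compares it with the `show crypto ipsec sa ... | inc spi` output of both ends. The function names and result strings are hypothetical, the sample data is constructed from the lines quoted above, and it assumes every SPI other than the current outbound one is an inbound SA.

```python
import re

# Constructed sample input, modeled on the log lines and CLI output quoted in the thread.
OLD_LOG = ("%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:101 TS:00000059590688361391 "
           "%IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 5449")
HMAC_LOG = ("%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:120 TS:00000038984716821310 "
            "%IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 3626, "
            "src_addr x.x.x.x, dest_addr x.x.x.x, SPI 0x3e92bee4")
ROUTER_A = """
     current outbound spi: 0xF854D536(4166309174)
      spi: 0x3E92BEE4(1049804516)
      spi: 0xF854D536(4166309174)
"""
ROUTER_B = """
     current outbound spi: 0x3E92BEE4(1049804516)
      spi: 0xF854D536(4166309174)
      spi: 0x3E92BEE4(1049804516)
"""

# Matches "SPI 0x..." (HMAC_ERROR) and "spi=0x..." (RECVD_PKT_INV_SPI).
SPI_IN_LOG = re.compile(r"\bspi[ =](0x[0-9a-f]+)", re.I)
SPI_IN_CLI = re.compile(r"^\s*(current outbound )?spi: (0x[0-9a-f]+)", re.I | re.M)

def log_spi(line):
    """Return the SPI carried in a log line, or None if the line has none."""
    m = SPI_IN_LOG.search(line)
    return int(m.group(1), 16) if m else None

def parse_sa(cli_text):
    """Return (current outbound SPI, set of other SPIs, assumed to be inbound)."""
    outbound, seen = None, set()
    for is_current, spi in SPI_IN_CLI.findall(cli_text):
        if is_current:
            outbound = int(spi, 16)
        else:
            seen.add(int(spi, 16))
    return outbound, seen - {outbound}

def classify(log_line, local_cli, peer_cli):
    """Compare the logged SPI with the logging router's and the peer's SA tables."""
    spi = log_spi(log_line)
    if spi is None:
        return "no-spi-in-log"              # message format before the SPI was added
    if spi not in parse_sa(local_cli)[1]:
        return "spi-not-installed-locally"  # peer is sending on an SPI this end lacks
    if spi != parse_sa(peer_cli)[0]:
        return "peer-sending-on-different-spi"
    return "spi-consistent-both-ends"       # the case reported in this thread
```

`classify(HMAC_LOG, ROUTER_A, ROUTER_B)` returns `spi-consistent-both-ends`, which only rules out an SPI mismatch; it does not explain the HMAC failure itself.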