Crypto isakmp invalid-spi-recovery in a Cisco ASR1002-HX running EIGRP and DMVPN.

CSCO12789549
Level 1

I have an ASR 1000 which is the main HUB for our EIGRP / DMVPN solution. I recently started getting crypto errors!!

*Apr 23 17:10:45: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=316.17.98.56, prot=50, spi=0x1872BAB4(410172084), srcaddr=80.76.167.70, input interface=Tunnel1

and

*Apr 23 16:54:40: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=214.13.90.244, prot=50, spi=0x6869FF33(1751777075), srcaddr=80.76.167.70, input interface=Tunnel0

I have 4 additional spokes, not too sure if they are getting this error, but with terminal monitor enabled I am getting it on the main hub.

We also have 2 taclanes connected to the hub that branch off into the core. Hence I do not know where the 80.76.167.70 address is coming from.

Does anyone know how to clear this crypto issue from the hub?

Accepted Solutions

Look at the workaround thread for reference:

Manually clear the SPI and test it.

https://community.cisco.com/t5/vpn/crypto-isakmp-invalid-spi-recovery-command-is-not-worked-fine-in/td-p/1531178

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


marce1000
VIP

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/115801-technote-iosvpn-00.html

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

@marce1000 thank you for this link, it does give me some insight, but even with the debugs running and with invalid-spi-recovery turned on I am still stuck as to what to do to clear this error up. The article does not go into full detail on how to resolve the issue. Any more suggestions? Thanks
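To see which source address, tunnel and SPI the `%CRYPTO-4-RECVD_PKT_INV_SPI` messages cluster on before clearing anything, the log lines quoted in the question can be tallied as below. This is an added example, not part of the original thread and not Cisco code; `summarize` and `report` are hypothetical names, and the third and fourth sample lines are constructed.

```python
import re
from collections import defaultdict

# Lines 1-2 are the messages quoted in the question; lines 3-4 are constructed.
SAMPLE_LOG = """\
*Apr 23 16:54:40: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=214.13.90.244, prot=50, spi=0x6869FF33(1751777075), srcaddr=80.76.167.70, input interface=Tunnel0
*Apr 23 17:10:45: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=316.17.98.56, prot=50, spi=0x1872BAB4(410172084), srcaddr=80.76.167.70, input interface=Tunnel1
*Apr 23 17:11:02: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=316.17.98.56, prot=50, spi=0x1872BAB4(410172084), srcaddr=80.76.167.70, input interface=Tunnel1
*Apr 23 17:11:05: %SYS-5-CONFIG_I: Configured from console by console
"""

INV_SPI = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): %CRYPTO-4-RECVD_PKT_INV_SPI: .*?"
    r"destaddr=(?P<dst>[^,\s]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\), "
    r"srcaddr=(?P<src>[^,\s]+), input interface=(?P<ifname>\S+)"
)

def summarize(log_text):
    """Group invalid-SPI events by (source address, input interface)."""
    peers = defaultdict(
        lambda: {"count": 0, "spis": set(), "dsts": set(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = INV_SPI.search(line)
        if not m:
            continue  # some other syslog message
        if int(m["spi"], 16) != int(m["spi_dec"]):
            continue  # hex and decimal SPI disagree: the line is mangled
        p = peers[(m["src"], m["ifname"])]
        p["count"] += 1
        p["spis"].add(m["spi"].upper())
        p["dsts"].add(m["dst"])
        p["first"] = p["first"] or m["ts"]
        p["last"] = m["ts"]
    return dict(peers)

def report(peers):
    """One line per (source, interface), busiest first."""
    rows = sorted(peers.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{src} via {ifname}: {p['count']} pkts, SPIs {sorted(p['spis'])}, "
        f"dst {sorted(p['dsts'])}, {p['first']} .. {p['last']}"
        for (src, ifname), p in rows
    ]

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG))))
```

A single SPI repeating from one source on one tunnel means that sender keeps encrypting with an SA the hub does not hold, which narrows down the peer and SPI to examine.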
