decaps: rec'd IPSEC packet has invalid spi for

gmsmith21
Level 1

I have set up a point-to-point VPN between a PIX 515e running 6.3(4) and a Cyberguard SG300. I can connect and communicate for a few minutes, but then I get "disconnected", though the Cyberguard shows the tunnel is still running. I get this in my PIX syslog... any thoughts?

Oct 28 14:39:45 192.168.1.1 Oct 28 2005 14:39:44: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)

Oct 28 14:39:46 192.168.1.1 last message repeated 3 times

Oct 28 14:39:46 192.168.1.1 Oct 28 2005 14:39:45: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)

Oct 28 14:39:48 192.168.1.1 Oct 28 2005 14:39:47: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)

Oct 28 14:39:52 192.168.1.1 Oct 28 2005 14:39:51: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)

Oct 28 14:39:54 192.168.1.1 Oct 28 2005 14:39:53: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)

Oct 28 14:39:54 192.168.1.1 last message repeated 2 times

Oct 28 14:40:00 192.168.1.1 Oct 28 2005 14:39:59: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)

Oct 28 14:40:00 192.168.1.1 Oct 28 2005 14:39:59: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)


jackko
Level 7

the issue may be related to connectivity between the two sites. according to the log, pix was not able to identify the spi (which is a unique identifier of an ipsec sa).

e.g. the two devices complete establishing a lan-lan vpn, and the spi is 100. due to an unknown reason (such as connectivity), one of the devices decides to drop the vpn and starts to create a new one (a new ipsec sa means a new spi), whereas the other one isn't aware of the issue and keeps the old one. thus when pix receives the packet, the spi doesn't match.

one possible way to resolve this issue is to apply isakmp keepalive. with this command enabled, pix will keep polling the vpn peer at the time interval you configured with the command "isakmp keepalive". further, you may configure the same option on the cyberguard.
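As an added example (not from this thread or from Cisco), here is the kind of check a defender would run over the PIX syslog to confirm the stale-SA diagnosis above before tuning keepalives: it counts %PIX-4-402101 drops per (firewall, destaddr, SPI), folds in syslog's "last message repeated N times" lines, and flags an SPI that is hit repeatedly within a short window, which is what a peer still sending on an old SA looks like. The sample lines are constructed from the excerpt in the question, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the question's excerpt: relay timestamp, relay host,
# the PIX's own timestamp, then the message. The 302013 line is filler.
SAMPLE_LOG = """\
Oct 28 14:39:45 192.168.1.1 Oct 28 2005 14:39:44: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)
Oct 28 14:39:46 192.168.1.1 last message repeated 3 times
Oct 28 14:39:50 192.168.1.1 Oct 28 2005 14:39:49: %PIX-6-302013: Built outbound TCP connection 42 (constructed filler line)
Oct 28 14:39:50 192.168.1.1 last message repeated 4 times
Oct 28 14:39:54 192.168.1.1 Oct 28 2005 14:39:53: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)
Oct 28 14:39:54 192.168.1.1 last message repeated 2 times
Oct 28 14:40:00 192.168.1.1 Oct 28 2005 14:39:59: %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=66.xx.xx.xx, prot=esp, spi=0xeb41c8ba(-348010310)
"""

SYSLOG = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
INVALID_SPI = re.compile(SYSLOG + r".*%PIX-4-402101: .*destaddr=(?P<dst>\S+), "
                         r"prot=\w+, spi=(?P<spi>0x[0-9a-fA-F]+)")
REPEATED = re.compile(SYSLOG + r"last message repeated (?P<n>\d+) times$")
ANY = re.compile(SYSLOG)
FMT = "%b %d %H:%M:%S"  # BSD syslog timestamps carry no year

def count_invalid_spi(lines):
    """Map (host, destaddr, spi) -> (count, first_ts, last_ts). A 'repeated N times'
    line is credited to that host's preceding 402101 message if nothing intervened."""
    counts, first, last, prev = defaultdict(int), {}, {}, {}
    for line in lines:
        m = INVALID_SPI.match(line)
        if m:
            key = (m["host"], m["dst"], m["spi"].lower())
            counts[key] += 1
            first.setdefault(key, m["ts"])
            last[key] = m["ts"]
            prev[m["host"]] = key
            continue
        r = REPEATED.match(line)
        if r:
            if r["host"] in prev:
                counts[prev[r["host"]]] += int(r["n"])
                last[prev[r["host"]]] = r["ts"]
            continue
        h = ANY.match(line)
        if h:
            prev.pop(h["host"], None)  # a different message intervened; later repeats are not ours
    return {k: (counts[k], first[k], last[k]) for k in counts}

def stale_sa_alerts(lines, min_count=5, window_s=60):
    """Flag (host, destaddr, spi, count) where one SPI is rejected at least
    min_count times within window_s seconds; thresholds are assumed defaults."""
    return [(*k, n) for k, (n, f, l) in count_invalid_spi(lines).items()
            if n >= min_count and
            (datetime.strptime(l, FMT) - datetime.strptime(f, FMT)).total_seconds() <= window_s]
```

A hit from this check tells you which peer and SPI to compare against `show crypto ipsec sa` on each side; a constant stream of one rejected SPI means the far end is still using an SA the PIX no longer has.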