
DMVPN using GRE over IPSec message

MrBeginner
Spotlight

Hi all,

I deployed DMVPN using GRE over IPSec. This is my first DMVPN deployment. The tunnel IPs can also ping each other. When I use sh crypto ikev2 sa, it is READY, and sh crypto ipsec is also Active/Active. DMVPN is also up. When I ping from the spoke1 host to the spoke2 host, the ping test is successful, but I got the message below. Let me know what the message below means. Does that mean my tunnel is running without encryption? Does it mean only the GRE tunnel works?

 


000073: *Apr 1 02:57:33.515: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.1.1.2, prot=50, spi=0x56F02A78(1458580088), srcaddr=2.1.2.4, input interface=Tunnel0

1 Accepted Solution


Hi,
One of the most common IPsec issues is that SAs can become out of sync between the peer devices. As a result, an encrypting device encrypts traffic with SAs that its peer does not know about. It might only be a transient condition that is present at the same time as the IPsec rekey where one peer might start to use the new SA while the peer device is not quite ready to use the same SA. This is normally not a problem, as it is only temporary and would only affect a few packets.


Do you receive these errors regularly?


Check the output of "show crypto ipsec sa" on both routers and confirm that encaps|decaps are increasing; this will confirm that traffic is being encrypted.

HTH
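
One way to script the check suggested in the answer above (an added example, not part of the original thread). It compares two captures of "show crypto ipsec sa" from one router and tests whether the SPI in the logged message is among that router's current inbound ESP SAs. The capture text is constructed and trimmed, and the SPI 0x1A2B3C4D, the counter values and the function names are assumptions.

```python
import re

# Constructed, trimmed "show crypto ipsec sa" capture; counters are filled in below.
TEMPLATE = """\
   current_peer 2.1.2.4 port 500
    #pkts encaps: {e}, #pkts encrypt: {e}, #pkts digest: {e}
    #pkts decaps: {d}, #pkts decrypt: {d}, #pkts verify: {d}
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x0BADC0DE(195936478)
"""
SNAP_1 = TEMPLATE.format(e=120, d=118)   # first capture
SNAP_2 = TEMPLATE.format(e=180, d=175)   # second capture, taken later
# Message from the question (timestamp and interface fields trimmed).
LOG = ("%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi "
       "for destaddr=198.1.1.2, prot=50, spi=0x56F02A78(1458580088), srcaddr=2.1.2.4")

def parse_sa(text):
    """Return {peer: {"encaps": n, "decaps": n, "inbound_spis": {int, ...}}}."""
    peers, cur, inbound = {}, None, False
    for line in text.splitlines():
        if m := re.search(r"current_peer (\S+)", line):
            cur = peers.setdefault(m[1], {"encaps": 0, "decaps": 0, "inbound_spis": set()})
            inbound = False
        elif cur is None:
            continue
        elif m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m[1]] += int(m[2])
        elif line.strip().endswith("sas:"):          # section header, e.g. "inbound esp sas:"
            inbound = line.strip().startswith("inbound esp")
        elif inbound and (m := re.search(r"spi: (0x[0-9A-Fa-f]+)", line)):
            cur["inbound_spis"].add(int(m[1], 16))
    return peers

def assess(before, after, log_line):
    """Compare two captures for the peer named in an invalid-SPI log line."""
    m = re.search(r"spi=(0x[0-9A-Fa-f]+).*?srcaddr=([\d.]+)", log_line)
    spi, peer = int(m[1], 16), m[2]
    b, a = before[peer], after[peer]
    return {
        "peer": peer,
        # Both counters rising between captures: traffic is being encrypted and decrypted.
        "encrypting": a["encaps"] > b["encaps"] and a["decaps"] > b["decaps"],
        # False: the sender used an SPI this router holds no inbound SA for.
        "logged_spi_is_current": spi in a["inbound_spis"],
    }

print(assess(parse_sa(SNAP_1), parse_sa(SNAP_2), LOG))
```

Run it against captures from each router in turn, since the answer asks for the counters to be checked on both sides.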


4 Replies

Hi,

Not regularly, only sometimes.

The output of "show crypto ipsec sa" on both routers, and encaps|decaps are increasing.

Hi,

As mentioned, this is a common issue with IPSec, but actually this is not an issue. It is a security feature. Did you implement Phase 2 or Phase 3 DMVPN?

 

Also, check the Phase 1 and Phase 2 timers at both ends and the keepalive configuration at all sites.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,

I used Phase 3 DMVPN.
