
DMVPN with ikev2 on ISR 2900g2 hub router Issues !!!

john.ebrahim83
Level 1

Hi everybody,

I am able to establish a DMVPN to my hub router 2900g2 (15.2 m2) with one spoke. The moment I add one more spoke to my hub, the EIGRP hold time expires, the tunnel starts flapping and I get the following error messages. I have tried crypto isakmp invalid-spi-recovery on the hub and then tried it on both hub and spokes as well, but it still keeps flapping. Any solution?

*Apr 29 10:50:10.927: %DUAL-5-NBRCHANGE: EIGRP-IPv4 199: Neighbor 172.31.10.4 (Tunnel1) is down: holding time expired

HUB1#

*Apr 29 10:51:02.607: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=172.XX.XX.1, prot=50, spi=0xCD70E5A0(3446728096), srcaddr=172.XX.XX.2, input interface=GigabitEthernet0/0

HUB1#

*Apr 29 10:51:06.343: IKEv2:Detected an invalid IKE SPI

*Apr 29 10:51:06.343: IKEv2:Couldn't find matching SA

*Apr 29 10:51:06.347: IKEv2:(SA ID = 0):Received Packet [From 172.X.X.2:500/To 172.X.X.1:500/VRF i0:f0]

Initiator SPI : 082C36B44932D204 - Responder SPI : 2823E86A77606C85 Message id: 2

IKEv2 INFORMATIONAL Exchange REQUEST

*Apr 29 10:51:06.351: IKEv2:A supplied parameter is incorrect

*Apr 29 10:51:06.351: IKEv2:

HUB1#

*Apr 29 10:51:09.375: IKEv2:Detected an invalid IKE SPI

*Apr 29 10:51:09.375: IKEv2:Couldn't find matching SA

*Apr 29 10:51:09.379: IKEv2:(SA ID = 0):Received Packet [From 172.X.X.2:500/To 172.X.X.1:500/VRF i0:f0]

Initiator SPI : 082C36B44932D204 - Responder SPI : 2823E86A77606C85 Message id: 2

IKEv2 INFORMATIONAL Exchange REQUEST

*Apr 29 10:51:09.379: IKEv2:A supplied parameter is incorrect

*Apr 29 10:51:09.379: IKEv2:


Philip D'Ath
VIP Alumni

I had this problem recently.  My hub was running 15.4(3)M2, and the spoke was running a 15.1 release of some kind.  The spoke did not start working properly until I got it up to 15.3(3)M6.

OMG! Thank you so much! I spent 2 days trying to figure this out. After I upgraded the IOS (in my case it was at the hub), I just replaced 1 configuration line because it was incompatible with the new version, and that was it. The tunnel came up magically.