
Dynamic multipoint VPN network

krishan.saran
Level 1

Hi team, we have 6 locations connected through the dynamic multipoint VPN network, and we are using this network for VoIP phones. Sometimes this whole VPN network goes down and then comes back automatically after some time. I logged in to the hub router and found some errors. These errors are as follows; can anybody suggest what is the cause of them?

000176: May 30 09:44:29.763 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=hub wap ip, prot=50, spi=0xAEB1655C(2930861404), srcaddr=remote 2 wan ip

000177: May 30 09:45:33.149 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=hub wap ip, prot=50, spi=0xAEB1655C(2930861404), srcaddr=remote 2 wan ip

000178: May 30 09:46:39.141 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=hub wap ip, prot=50, spi=0xAEB1655C(2930861404), srcaddr=remote 2 wan ip

I replaced all IP addresses with their locations. I have those errors from almost all locations.

regards

krishan saran

2 Replies

Mohammad Alhyari
Cisco Employee

Hi Krishan,

Thanks for posting this here.

This may indicate a synchronization issue between the two peers, that one peer is still using an old SA that has been deleted on the other peer, thus when receiving the IPsec packet on the device it will report that there is no IPsec SA active for this connection.

The received IPsec packet specifies a Security Parameters Index (SPI) that does not exist in the security associations database (SADB). This could be a temporary condition due to:

  • Slight differences in the aging of security associations (SAs) between the IPsec peers
  • The local SAs having been cleared
  • Incorrect packets sent by the IPsec peer

Do you have crypto isakmp keepalives enabled on the devices?

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtdpmo.html

On the other hand, you need to check why the VPN tunnels are going down:

debug crypto isakmp

debug crypto ipsec

Hope that this helps.

Cheers.

Mohammad.
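One way to tell a peer that keeps sending on a deleted SA from a brief rekey overlap is to group the %CRYPTO-4-RECVD_PKT_INV_SPI messages by source peer and SPI. This is an added example, not part of the original thread and not Cisco code; the `stale-sa`/`transient` labels, the three-repeat threshold and the placeholder year are assumptions, and the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# First three lines are the messages from the post (re-joined); the fourth is constructed.
SAMPLE_LOG = """\
000176: May 30 09:44:29.763 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=hub wap ip, prot=50, spi=0xAEB1655C(2930861404), srcaddr=remote 2 wan ip
000177: May 30 09:45:33.149 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=hub wap ip, prot=50, spi=0xAEB1655C(2930861404), srcaddr=remote 2 wan ip
000178: May 30 09:46:39.141 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=hub wap ip, prot=50, spi=0xAEB1655C(2930861404), srcaddr=remote 2 wan ip
000179: May 30 09:47:02.010 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=hub wap ip, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=remote 5 wan ip
"""

INV_SPI = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+) \S+: %CRYPTO-4-RECVD_PKT_INV_SPI: .*?"
    r"destaddr=(?P<dst>[^,]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\((?P<dec>\d+)\), srcaddr=(?P<src>.+?)\s*$"
)

def parse(log):
    """Return (timestamp, source peer, SPI hex, protocol) for each INV_SPI line."""
    events = []
    for line in log.splitlines():
        m = INV_SPI.search(line)
        # Skip other messages and lines whose hex and decimal SPI disagree (damaged).
        if not m or int(m["spi"], 16) != int(m["dec"]):
            continue
        # The log carries no year; 2000 is an assumed placeholder so intervals work.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        events.append((ts, m["src"], m["spi"].upper(), int(m["prot"])))
    return events

def classify(events, min_repeats=3):
    """Group by (peer, SPI); a peer repeating one unknown SPI has not renegotiated."""
    groups = defaultdict(list)
    for ts, src, spi, _prot in events:
        groups[(src, spi)].append(ts)
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        verdict = "stale-sa" if len(stamps) >= min_repeats else "transient"
        report[key] = {"count": len(stamps), "span_s": span, "verdict": verdict}
    return report

if __name__ == "__main__":
    for (src, spi), info in classify(parse(SAMPLE_LOG)).items():
        print(f"{src} spi=0x{spi}: {info}")
```

A `stale-sa` peer is the one whose SA lifetimes and keepalive settings are worth comparing against the hub first.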

Thanks Mohammad, that makes sense. I will check the timers in all routers and update back.

Thanks

Krishan Saran

Uniconnect Networks Inc.

Ph. 604-235-1965

Cell 778-840-5961

www.uniconnectnetworks.com