
Error Message

yazanmughrabi
Level 1

Can anybody please tell me what this error message means:

*Mar 1 00:01:39.134: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=172.16.10.1, prot=51, spi=0x48587D0C(1213758732), srcaddr=172.16.10.247

This is the only error message I could find on a site that is connected via GRE tunnels encrypted with IPSec. This site has the problem of losing the tunnels (going down), and the only thing I know of doing so far is to do a clear interface on the interface connected to the encrypted link.

Any input would be appreciated.

Thanx

Yazan

1 Reply

aacole
Level 5

Hi Yazan,

This message indicates that the router has received an IPSec packet with an identifier (SPI) that doesn't exist in the local Security Association database.

When the IPSec connection (SA) is established, each tunnel is assigned a unique SPI, which is entered into the database. If the SA is cleared or times out, then the corresponding database entry is cleared. So in your case it looks like the local router is somehow clearing the tunnel, and at some time later an IPSec packet is received for a tunnel that no longer exists.

One possible solution would be to enable ISAKMP keepalives, so that if one end clears its IPSec then the other end would eventually reset the connection. However, this doesn't fix the problem, it just provides a workaround.

You can check the IPSec tunnels with the command `sh crypto ipsec sa`. Have a look when the link is working and compare with the output when you start to see this error message.

Let me know how you get on,

Andy
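
Added example, not part of the original thread: a small Python parser for the `%CRYPTO-4-RECVD_PKT_INV_SPI` message quoted in the question, which groups hits by peer and SPI so a peer that keeps sending on one unknown SPI (the stale-SA situation described in the reply) stands out in collected syslog. The function names, the threshold of 3 and all sample lines except the first are assumptions made for illustration.

```python
import re
from collections import Counter

# IP protocol numbers used by IPsec (IANA): 50 = ESP, 51 = AH.
IPSEC_PROTO = {50: "ESP", 51: "AH"}

INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?"
    r"destaddr=(?P<dst>[\d.]+),\s*prot=(?P<prot>\d+),\s*"
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\),\s*"
    r"srcaddr=(?P<src>[\d.]+)"
)

def parse_inv_spi(line):
    """Return the fields of an invalid-SPI message as a dict, or None."""
    m = INV_SPI_RE.search(line)
    if m is None:
        return None
    spi = int(m["spi_hex"], 16)
    if spi != int(m["spi_dec"]):
        return None  # hex and decimal forms disagree: truncated or mangled line
    return {"src": m["src"], "dst": m["dst"], "spi": spi,
            "proto": IPSEC_PROTO.get(int(m["prot"]), m["prot"])}

def stale_sa_candidates(lines, threshold=3):
    """Map (src, dst, proto, spi) to hit count where count >= threshold (assumed cutoff)."""
    hits = Counter()
    for line in lines:
        rec = parse_inv_spi(line)
        if rec:
            hits[(rec["src"], rec["dst"], rec["proto"], rec["spi"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample: the first entry is the message from the post, the rest are made up.
PREFIX = "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
BAD = "destaddr=172.16.10.1, prot=51, spi=0x48587D0C(1213758732), srcaddr=172.16.10.247"
SAMPLE_LOG = [
    "*Mar 1 00:01:39.134: " + PREFIX + BAD,
    "*Mar 1 00:01:49.201: " + PREFIX + BAD,
    "*Mar 1 00:01:59.310: " + PREFIX + BAD,
    "*Mar 1 00:02:10.000: " + PREFIX
    + "destaddr=172.16.10.1, prot=50, spi=0x0000ABCD(43981), srcaddr=172.16.10.250",
    "*Mar 1 00:03:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down",
]

if __name__ == "__main__":
    for (src, dst, proto, spi), n in stale_sa_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst} {proto} spi=0x{spi:08X} seen {n}x")
```

A flagged SPI can then be compared against the `sh crypto ipsec sa` output on both routers to see which end still holds the SA.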