EzVPN Error

Yadhu Tony
Level 1

Hello,

We have an EzVPN server configured on our Cisco ISR and everything was working fine for the last few months. But recently I got an error from the server as below:

Dec  6 02:52:49.948: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=153.x.x.x, prot=50, spi=0xE42B394(239282372), srcaddr=132.x.x.x, input interface=GigabitEthernet0/1

Dec  6 02:52:54.616: %CRYPTO-4-IKMP_NO_SA: IKE message from 132.x.x.x has no SA and is not an initialization offer


The messages are being logged very frequently while the remote user connects the VPN. Please help me on this.

Regards,

Tony

http://yadhutony.blogspot.com

Accepted Solution

- Are these error messages cosmetic, or are they having any performance impact? Ideally they should be cosmetic.

- Have you recently made any changes on the device which could have triggered this issue?

The issue is seen when the SA which is responsible for decryption is invalid. A potential reason could be that the SA on the decryption side has aged out slightly before the one on the encryption side, resulting in the IPsec packet carrying an invalid SPI.

The "IKE" module, which serves as a checkpoint in the IPsec session, recognizes the "Invalid SPI" situation. The IKE module then sends an "Invalid Error" message to the packet-receiving peer so that synchronization of the security association databases (SADBs) of the two peers can be attempted. As soon as the SADBs are resynchronized, packets are no longer dropped. It is usually a temporary condition.

Please make sure that these commands are set:

- crypto isakmp invalid-spi-recovery

- crypto ipsec df-bit clear

- crypto ipsec fragmentation before-encryption

Make sure to set the last two commands only during off-production hours, as they will tear the tunnels down for a moment.

If the issue is still seen, then check whether you have any crypto modules on the router and whether they are throwing any errors as well. Ideally, configuring the commands alone should fix the issue if the error messages are only cosmetic.

Regards,

Anuj

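Added example, not part of the thread and not Cisco code: a small Python triage script that parses the two syslog messages quoted in the question, groups them by remote peer, and separates the short rekey race Anuj describes from two cases that deserve a look, a peer whose packets keep being rejected on the same SPI for a long time (the SADBs never resynchronised), and ESP or IKE arriving from an address that is not a configured peer at all. The sample log lines beyond the two quoted ones, the known-peer list, and the thresholds are constructed or assumed for the example.

```python
"""Triage %CRYPTO-4-RECVD_PKT_INV_SPI / %CRYPTO-4-IKMP_NO_SA lines by peer.

Hypothetical helper written for this page, not Cisco code. Thresholds and
the known-peer list are assumptions to be tuned per deployment.
"""
import re
from collections import defaultdict
from datetime import datetime

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})"
INV_SPI_RE = re.compile(
    TS + r": %CRYPTO-4-RECVD_PKT_INV_SPI: .*destaddr=(?P<dst>[^,]+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[^,]+), input interface=(?P<ifc>\S+)"
)
NO_SA_RE = re.compile(TS + r": %CRYPTO-4-IKMP_NO_SA: IKE message from (?P<src>\S+) has no SA")


def parse_ts(ts: str) -> datetime:
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S.%f")


def parse_line(line: str):
    """Return a dict for the two message types, None for any other syslog line."""
    m = INV_SPI_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "kind": "INV_SPI", "peer": m["src"], "dst": m["dst"],
                "proto": int(m["prot"]), "spi": int(m["spi"], 16), "ifc": m["ifc"]}
    m = NO_SA_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "kind": "NO_SA", "peer": m["src"]}
    return None


def summarize(lines):
    """Per peer: count of each message, the SPIs rejected, and the time span in seconds."""
    peers = defaultdict(lambda: {"inv_spi": 0, "no_sa": 0, "spis": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        p = peers[ev["peer"]]
        if ev["kind"] == "INV_SPI":
            p["inv_spi"] += 1
            p["spis"].add(ev["spi"])
        else:
            p["no_sa"] += 1
        p["first"] = ev["ts"] if p["first"] is None else min(p["first"], ev["ts"])
        p["last"] = ev["ts"] if p["last"] is None else max(p["last"], ev["ts"])
    for p in peers.values():
        p["span_s"] = (p["last"] - p["first"]).total_seconds()
    return dict(peers)


def classify(summary, known_peers, max_transient=5, max_span_s=120):
    """Label each peer (assumed thresholds):
    unexpected-peer        ESP or IKE from an address that is not a configured remote
    sustained-invalid-spi  many rejects spread over a long window: SADBs still out of sync,
                           the condition invalid-spi-recovery is meant to clear
    transient-rekey        a few rejects close together: the cosmetic rekey race
    """
    out = {}
    for peer, p in summary.items():
        if peer not in known_peers:
            out[peer] = "unexpected-peer"
        elif p["inv_spi"] > max_transient and p["span_s"] > max_span_s:
            out[peer] = "sustained-invalid-spi"
        else:
            out[peer] = "transient-rekey"
    return out


def inv_spi_line(ts, src, spi, dst="153.x.x.x"):
    """Build a constructed RECVD_PKT_INV_SPI line in the same shape as the quoted one."""
    return (f"{ts}: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
            f"destaddr={dst}, prot=50, spi=0x{spi:X}({spi}), srcaddr={src}, input interface=GigabitEthernet0/1")


# Constructed sample: the two lines quoted in the post, then made-up follow-ups.
SAMPLE_LOG = [
    "Dec  6 02:52:49.948: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=153.x.x.x, prot=50, spi=0xE42B394(239282372), srcaddr=132.x.x.x, input interface=GigabitEthernet0/1",
    "Dec  6 02:52:54.616: %CRYPTO-4-IKMP_NO_SA: IKE message from 132.x.x.x has no SA and is not an initialization offer",
    "Dec  6 02:52:55.010: %SYS-5-CONFIG_I: Configured from console by admin",  # unrelated, ignored
] + [
    # same peer keeps sending on the same dead SPI for twelve more minutes: SADBs never resynced
    inv_spi_line(ts, "132.x.x.x", 0xE42B394)
    for ts in ("Dec  6 02:54:10.101", "Dec  6 02:56:30.250", "Dec  6 02:58:45.300",
               "Dec  6 03:01:02.400", "Dec  6 03:03:20.500", "Dec  6 03:05:15.700")
] + [
    # a known peer with two rejects 1.5 s apart around a rekey: benign
    inv_spi_line("Dec  6 04:10:00.000", "203.0.113.5", 0x1A2B3C4D),
    inv_spi_line("Dec  6 04:10:01.500", "203.0.113.5", 0x1A2B3C4D),
    # ESP from an address that is not a configured peer at all
    inv_spi_line("Dec  6 04:30:00.000", "198.51.100.7", 0x0BADF00D),
]
KNOWN_PEERS = {"132.x.x.x", "203.0.113.5"}  # assumed: the configured remote endpoints

if __name__ == "__main__":
    for peer, verdict in classify(summarize(SAMPLE_LOG), KNOWN_PEERS).items():
        print(f"{peer:15} {verdict}")
```

Run against a real `show logging` dump, the verdicts point at different follow-ups: a `transient-rekey` peer is the case Anuj calls cosmetic; a `sustained-invalid-spi` peer from a configured remote means the other side is still transmitting on an SA this router no longer holds, so after `crypto isakmp invalid-spi-recovery` is in place, `clear crypto sa peer <address>` on one side forces a fresh negotiation; an `unexpected-peer` is ESP with no IKE session behind it and belongs with a check of the interface ACL rather than the crypto configuration.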

5 Replies

Yadhu Tony
Level 1

Can anyone help me with this? I still haven't found a possible solution for this.

Regards,

Tony

http://yadhutony.blogspot.com



Hello Anuj,

Thank you for the reply.

The error seems to be cosmetic, since it is not making any major performance impact. Also, I haven't made any changes to the machine; it started coming all of a sudden. So let me try the commands and let you know the outcome.

Regards,

Tony

http://yadhutony.blogspot.com


You're welcome.

Feel free to revert if issue persists.

Regards,

Anuj

Hello Anuj,

The issue got resolved. Thank you for your support.

Regards,

Tony

http://yadhutony.blogspot.com
