12-06-2012 09:02 PM
Hello,
We have an EzVPN server configured on our Cisco ISR and everything was working fine for the last few months. But recently I got an error from the server as below:
Dec 6 02:52:49.948: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=153.x.x.x, prot=50, spi=0xE42B394(239282372), srcaddr=132.x.x.x, input interface=GigabitEthernet0/1
Dec 6 02:52:54.616: %CRYPTO-4-IKMP_NO_SA: IKE message from 132.x.x.x has no SA and is not an initialization offer
The messages are being logged very frequently while the remote user connects to the VPN. Please help me on this.
Regards,
Tony
12-10-2012 12:55 AM
Can anyone help me on this? Still I didn't find a possible solution for this.
Regards,
Tony
12-10-2012 04:48 AM
- Are these error messages cosmetic, or are they making any performance impact? Ideally they should be cosmetic.
- Have you recently made any changes on the device which could have triggered this issue?
The issue is seen when the SA which is responsible for decryption is invalid. A potential reason could be that the SA on the decryption side has aged out slightly before the encryption side, resulting in the IPSec packet carrying an invalid SPI.
The "IKE" module, which serves as a checkpoint in the IPSec session, recognizes the "Invalid SPI" situation. The IKE module then sends an "Invalid Error" message to the packet-receiving peer so that synchronization of the security association databases (SADBs) of the two peers can be attempted. As soon as the SADBs are resynchronized, packets are no longer dropped. It is usually a temporary condition.
Please make sure that these commands are set.
- crypto isakmp invalid-spi-recovery
- crypto ipsec df-bit clear
- crypto ipsec fragmentation before-encryption
Make sure to set the last two commands only during off-production hours, as they will tear the tunnels down for a moment.
If the issue is still seen, then check if you have any crypto modules available on the router and if they are throwing any errors as well. Ideally configuring the commands alone should fix the issue if the error messages are only cosmetic.
Regards,
Anuj
12-11-2012 12:28 AM
Hello Anuj,
Thank you for the reply.
The error seems to be cosmetic since it is not making any major performance impact. Also I haven't made any changes to the machine, it started coming all of a sudden. So let me try with the commands and let you know the outcome.
Regards,
Tony
12-12-2012 12:07 PM
You're welcome.
Feel free to revert if issue persists.
Regards,
Anuj
12-13-2012 07:36 PM
Hello Anuj,
The issue got resolved. Thank you for your support.
Regards,
Tony