Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
534
Views
0
Helpful
1
Replies

Invalid SPI

yujilaw02962
Level 1
Level 1

‎10-22-2011 04:37 PM

Hi guys,

I am having this invalid SPI error in my IPSEC tunnels everynow and then and i had configured the spi recovery in the routers.

Usually the tunnels will flat and within a minute or so it will recovered as the recovery kicks in.....

But what i wanna know is why the invalid spi happened in the 1st place?

Many thanks...

Labels:
0 Helpful
1 Reply 1

Eugene Khabarov
Level 7
Level 7

‎10-22-2011 11:26 PM

Error Message Decoder says:

A received IPSec packet specifies an SPI that does not exist in SADB. This may be a  temporary condition because of slight differences in the aging of SAs between the IPSec peers or  because the local SAs have been cleared. It may also be caused by invalid packets sent by the IPSec  peer. This activity could be considered a hostile event.

Recommended Action:

If the local SAs have been cleared, the peer may not know. In this case, if a new  connection is established from the local router, the two peers may reestablish successfully. If the  problem occurs for more than a brief period, either attempt to establish a new connection or contact  the peer administrator.

So, i mu opinion it can be caused by:

clear crypto sa command

Slight difference in security association lifetime on peers:

sh crypto ipsec profile

...

        Security association lifetime: 4608000 kilobytes/3600 seconds

...

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."

0 Helpful
Customers Also Viewed These Support Documents