IPSEC issue

getarif12 · ‎01-30-2013

Hi,

Need some help, as i am observing below logs related to crypto, but when i check my caller , it seems that connection is up for quite few weeks.

Can anyone please advise me how to verify that if these logs are affecting my services anyhow, or verify IPVPV stability in this case.

=================

Logs:

.Jan 26 22:27:11.811: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=62.28.140.245, prot=50, spi=0x266BB473(644592755), srcaddr=57.66.59.50

Jan 28 05:07:08.793: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=62.28.140.245, prot=50, spi=0x60E6EE8(101609192), srcaddr=57.66.59.50

pfao079# sho caller

Active Idle

Line User Service Time Time

Vi1 <unknown phone number> \

PPPoE 12w0d 00:00:43

==================

Thanks a lot in advance

Regards

Mohd Arif/Network engineer

Jennifer Halim · ‎01-30-2013

The above error might indicate that the key has expired and the peer is still sending the packet under the old key while a new key has been created. Normally you would only get a few of those error messages if the VPN up and running.

You can check the timer by issuing: show cry ipsec sa, and see how much lifetime is remaining on the existing SA.

getarif12 · ‎02-03-2013

Hi Jennifer,

Thank you for your quick response .

Regards

Mohd Arif/Network engineer