05-02-2020 06:26 AM
Hi Team,
We are migrating a WAN circuit connected to our router 3945 to another carrier. The strategy was to connect the new circuit to a new interface gi2/0, configure everything and then shut down the current interface gi0/0.
After doing this, we started to receive errors in the log related to encryption:
Apr 14 16:48:18.838 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x2120A2,SPI=0x8856B73
Apr 14 16:49:28.981 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x236118,SPI=0x8856B73
Apr 14 16:50:06.102 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x249A96,SPI=0x8856B73
Apr 14 16:50:24.352 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=169.40.12.9, prot=50, spi=0x16B4E901(380954881), srcaddr=169.40.12.2, input interface=GigabitEthernet2/0
Apr 14 16:51:07.976 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x26CA68,SPI=0x8856B73
Apr 14 16:51:46.525 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1452,sequence number=0x284536,SPI=0x8856B73
This router has the encryption card ISM-VPN-39, but, as far as we know, this card acts globally in the box and is not associated with a specific interface or slot.
However, for testing purposes we connected the new circuit to the interface gi0/0 and the errors immediately stopped.
NAME: "WAN Interface Card - HWIC Serial 2T on Slot 0 SubSlot 0", DESCR: "WAN Interface Card - HWIC Serial 2T"
PID: HWIC-2T , VID: V02 , SN: FOC13501YCQ
NAME: "Internal Services Module - Crypto Engine on Slot 0", DESCR: "Internal Services Module - Crypto Engine"
PID: ISM-VPN-39 , VID: V02 , SN: FOC18203AHZ
NAME: "2 SFP GE SM on Slot 2", DESCR: "2 SFP GE SM"
Can you please advise?
Thanks,
Lindolfo
05-02-2020 11:34 AM
Looks like the SPIs are mismatched. Do you have access to the remote site to check the SPIs there?
05-04-2020 05:07 AM
Hi Marius,
Thanks for your answer!
Yes, I have. Could you please share the commands whose output you want to see to check this?
05-04-2020 06:04 AM
show crypto ipsec sa address xxx.xxx.xxx.xxx | include spi|outbound|inbound
Where xxx.xxx.xxx.xxx is the public IP of the remote site.
Post the output for both sites.
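A worked version of the check Marius describes, added here as an example and not part of the thread: parse the filtered `show crypto ipsec sa` output from both ends, verify that each side's inbound SPIs are exactly the other side's outbound SPIs, and then look up the SPIs from the `%VPN_HW-1-PACKET_ERROR` and `%CRYPTO-4-RECVD_PKT_INV_SPI` log lines in the local inbound SA table. The sample SA output is constructed; its layout follows IOS from memory and is an assumption, as is the second SPI value (0x4D2E1A77), which does not appear in the post. The log lines are copies of two lines quoted above, not output from a live router.

```python
"""Cross-check IPsec SPIs between two peers and against router log errors."""
import re
from typing import Dict, List, Set

# Constructed sample: two log lines in the format quoted in the thread.
LOG_LINES = """\
Apr 14 16:48:18.838 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x2120A2,SPI=0x8856B73
Apr 14 16:50:24.352 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=169.40.12.9, prot=50, spi=0x16B4E901(380954881), srcaddr=169.40.12.2, input interface=GigabitEthernet2/0
"""

# Constructed samples of "show crypto ipsec sa | include spi|outbound|inbound"
# on each end (IOS layout from memory; 0x4D2E1A77 is an assumed outbound SPI).
LOCAL_SA = """\
     inbound esp sas:
      spi: 0x8856B73(142961523)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x4D2E1A77(1294867063)
"""
REMOTE_SA = """\
     inbound esp sas:
      spi: 0x4D2E1A77(1294867063)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x8856B73(142961523)
"""

SA_HEADER = re.compile(r"^\s*(inbound|outbound)\s+\w+\s+sas:")
SA_SPI = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")  # skips "current outbound spi:" lines
PAD_ERR = re.compile(
    r"%VPN_HW-1-PACKET_ERROR:.*?srcadr=(?P<src>[\d.]+),dstadr=(?P<dst>[\d.]+),"
    r"size=(?P<size>\d+),sequence number=0x(?P<seq>[0-9A-Fa-f]+),SPI=0x(?P<spi>[0-9A-Fa-f]+)"
)
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi>[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)"
)


def parse_sa_spis(text: str) -> Dict[str, Set[int]]:
    """Return {'inbound': {...}, 'outbound': {...}} from the filtered show output."""
    spis: Dict[str, Set[int]] = {"inbound": set(), "outbound": set()}
    direction = None
    for line in text.splitlines():
        header = SA_HEADER.match(line)
        if header:
            direction = header.group(1)  # every following "spi:" line belongs here
            continue
        spi = SA_SPI.match(line)
        if spi and direction:
            spis[direction].add(int(spi.group(1), 16))
    return spis


def cross_check(local_text: str, remote_text: str) -> List[str]:
    """Each side's inbound SPIs must equal the other side's outbound SPIs."""
    local, remote = parse_sa_spis(local_text), parse_sa_spis(remote_text)
    problems = []
    for here, there, label in (
        (local["inbound"], remote["outbound"], "local inbound vs remote outbound"),
        (local["outbound"], remote["inbound"], "local outbound vs remote inbound"),
    ):
        if here != there:
            fmt = lambda s: [f"0x{x:X}" for x in sorted(s)]
            problems.append(f"{label}: {fmt(here)} != {fmt(there)}")
    return problems


def parse_log_events(text: str) -> List[dict]:
    """Pull SPI, peer addresses and error kind out of the two syslog formats."""
    events = []
    for line in text.splitlines():
        m = PAD_ERR.search(line)
        if m:
            events.append({"kind": "pad_error", "src": m["src"], "dst": m["dst"],
                           "size": int(m["size"]), "spi": int(m["spi"], 16)})
            continue
        m = INV_SPI.search(line)
        if m:
            events.append({"kind": "invalid_spi", "src": m["src"], "dst": m["dst"],
                           "prot": int(m["prot"]), "spi": int(m["spi"], 16)})
    return events


def classify_events(log_text: str, local_sa_text: str) -> List[str]:
    """Per log event, say whether its SPI is one of this router's inbound SAs."""
    inbound = parse_sa_spis(local_sa_text)["inbound"]
    verdicts = []
    for ev in parse_log_events(log_text):
        spi, known = f"0x{ev['spi']:X}", ev["spi"] in inbound
        if ev["kind"] == "pad_error" and known:
            verdicts.append(f"{spi} from {ev['src']}: known inbound SA, payload of "
                            f"{ev['size']} bytes failed the padding check; not an SPI mismatch")
        elif ev["kind"] == "invalid_spi" and not known:
            verdicts.append(f"{spi} from {ev['src']}: not an inbound SA here; "
                            "peer is sending on an SA this router does not hold")
        else:
            verdicts.append(f"{spi} from {ev['src']}: {ev['kind']}, known={known}")
    return verdicts


if __name__ == "__main__":
    print("SPI mismatches:", cross_check(LOCAL_SA, REMOTE_SA) or "none")
    for verdict in classify_events(LOG_LINES, LOCAL_SA):
        print(verdict)
```

On the thread's own data the two SA tables agree, which is the situation Marius later notes, and the `Decr PAD Error` lines carry an SPI that is a valid inbound SA, so those failures come from the payload rather than from a missing SA; only the single `RECVD_PKT_INV_SPI` line (SPI 0x16B4E901 from 169.40.12.2) is a real unknown-SPI case.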
05-04-2020 11:03 AM
Marius,
In the IOS release I'm running, it is not possible to specify the address; instead, I got the output by specifying the tunnel interface, OK?
We have two tunnels to different locations, using the carrier's MPLS.
Please note that we are not seeing the error messages now, since we moved the new circuit to the old interface.
Find attached the requested outputs, as well as a diagram of this infrastructure.
05-13-2020 05:38 AM
Strange... the SPIs are correct at both ends... Was this output taken when the switchover to the new connection was made, or while the existing / working connection was up?
You are correct that the encryption module should work globally.
Did you try clearing the VPN to re-establish it when you were trying to switch to the new connection?