Re: ISM-VPN-39 Issues

queirozlindolfo · ‎05-02-2020

Hi Team,

We are migrating a WAN circuit connected to our router 3945 to another carrier. The strategy was to connect the the new circuit to a new interface gi2/0, configure everything and then shutdown the current interface gi0/0.

After doing this, we started to receive errors in the log related to encryption:

Apr 14 16:48:18.838 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x2120A2,SPI=0x8856B73
Apr 14 16:49:28.981 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x236118,SPI=0x8856B73
Apr 14 16:50:06.102 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x249A96,SPI=0x8856B73
Apr 14 16:50:24.352 EDT: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=169.40.12.9, prot=50, spi=0x16B4E901(380954881), srcaddr=169.40.12.2, input interface=GigabitEthernet2/0
Apr 14 16:51:07.976 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1484,sequence number=0x26CA68,SPI=0x8856B73
Apr 14 16:51:46.525 EDT: %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Decr PAD Error:srcadr=169.40.28.1,dstadr=169.40.12.9,size=1452,sequence number=0x284536,SPI=0x8856B73

This router has the encryption card ISM-VPN-39, but, as far as we know, this card acts globally in the box, and not associated with an specific interface or slot.

However, for testing purposes we connected the new circuit to the interface gi0/0 and the errors immediately stopped.

NAME: "WAN Interface Card - HWIC Serial 2T on Slot 0 SubSlot 0", DESCR: "WAN Interface Card - HWIC Serial 2T"

PID: HWIC-2T , VID: V02 , SN: FOC13501YCQ

NAME: "Internal Services Module - Crypto Engine on Slot 0", DESCR: "Internal Services Module - Crypto Engine"

PID: ISM-VPN-39 , VID: V02 , SN: FOC18203AHZ

NAME: "2 SFP GE SM on Slot 2", DESCR: "2 SFP GE SM"

Can you please advise?

Thanks,

Lindolfo

Marius Gunnerud · ‎05-02-2020

Looks like the SPIs are mismatched. Do you have access to the remote site to check the SPIs there?

--
Please remember to select a correct answer and rate helpful posts

queirozlindolfo · ‎05-04-2020

Hi Marius,

Thanks for your answer!

Yes, I have. May you please share the commands you want to see the output to check this?

Marius Gunnerud · ‎05-04-2020

show crypto ipsec sa address xxx.xxx.xxx.xxx | include spi|outbound|inbound

Where xxx.xxx.xxx.xxx is the public IP of the remote site.

Post the output for both sites.

--
Please remember to select a correct answer and rate helpful posts

queirozlindolfo · ‎05-04-2020

Marius,

In the IOS release I´m running, is not possible to specify the address, instead of it, I got the output specifying the tunnel interface ok?

We have two tunnels to different locations, using the carriers´s MPLS.

Please note that now, we are not seeing the errors message since we mover the new circuit to the old interface.

Find attached the requested outputs, as well as a diagram of this infrastructure.

Marius Gunnerud · ‎05-13-2020

Strange...the SPIs are correct at both ends...Is this output taken when the switchover to the new connection was made? or while the existing / working connection is up?

You are correct that the the encryption module should work globally.

Did you try clearing the VPN to re-establish it when you were trying to switch to the new connection?

--
Please remember to select a correct answer and rate helpful posts